# Jizhicms 1.7.1 ./user/userinfo.html sql注入漏洞

## 一、漏洞简介

## 二、漏洞影响

Jizhicms 1.7.1

## 三、复现过程

在更改个人资料处

```bash
POST /user/userinfo.html HTTP/1.1
Host: 127.0.0.1:8091
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
Origin: http://127.0.0.1:8091
Connection: close
Referer: http://127.0.0.1:8091/user/userinfo.html
Cookie: PHPSESSID=84mcpgsvrgnfag0fnl3ngjm2eo
Upgrade-Insecure-Requests: 1

litpic=&file=&username=test&tel=&email=1%401.com&sex=0&province=&city=&address=&password=&repassword=&signature=&submit=%E6%8F%90%E4%BA%A4

```

在userinfo函数中可以看到只对tel ,pass sex repass等参数进行了过滤，并不涉及province city address等地址，意味着可以随意拼接sql语句触发 sql注入漏洞

![1.png](images/2020_06_13/058dfc68429d40e7a904125cb69eb59e.png)

![2.png](images/2020_06_13/1cdaad1d5b234627ae0f926981a01a0d.png)

通过mysql监控工具可以看到已经带入查询，触发了sql注入漏洞

![3.png](images/2020_06_13/097120815f8d49d595d866170db4920c.png)

通过sqlmap跑一下

![4.png](images/2020_06_13/3dcea8b949a0411b8d036ad0aaa481ae.png)

## 参考链接

> https://xz.aliyun.com/t/7861#toc-2