|74cms (20140709) 二枚二次注入 - VULHUB开源网络安全威胁库

74cms (20140709) 二枚二次注入

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述：不好好的通过修改造成漏洞的代码而是通过修改过滤函数。现在的过滤函数, 虽然我是绕不过去了。但是还是能找到几处能出数据的。之前未通过,这次两个打个包来。 P.S:这很不好意思之前测试demo的时候因为有个是个update的点忘记加where限制条件了导致给某处全部都出数据了。。。。。不只应该修改过滤函数,而且也应该在造成漏洞的代码好好的修复一下。 ### 详细说明：第一枚。第一枚就不分析代码了。首先注册一个企业会员然后创建企业 [<img src="https://images.seebug.org/upload/201407/131345329e0442662017c786922abd33afac98a3.jpg" alt="7 5.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/131345329e0442662017c786922abd33afac98a3.jpg) 单引号会被转义然后转义入库。找找出库的地方。然后创建好企业后发布招聘如下。 [<img src="https://images.seebug.org/upload/201407/1313465950af0b71734cdeb7470b6f39e56a035c.jpg" alt="7 6.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/1313465950af0b71734cdeb7470b6f39e56a035c.jpg) [<img src="https://images.seebug.org/upload/201407/13134754f3156234a03f48ff3a10c79d3dcf4d02.jpg" alt="7 7.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/13134754f3156234a03f48ff3a10c79d3dcf4d02.jpg) 点击发布后可以看到报错了。这里刚才的企业名出库了而且带入到了查询当中。这里稍微构造下还是能出数据。这个咋出数据就不多说了, 第二处再来说说出数据。 _ 第二处与上个不同的是这个是注册一个个人会员然后发布简历。来看代码在user/personal/personal_resume.php中 ``` elseif ($act=='make4_save') { $resume_education=get_resume_education($_SESSION['uid'],$_REQUEST['pid']); if (count($resume_education)>=6) showmsg('教育经历不能超过6条！',1,$link); $setsqlarr['uid']=intval($_SESSION['uid']); $setsqlarr['pid']=intval($_REQUEST['pid']); if ($setsqlarr['uid']==0 || $setsqlarr['pid']==0 ) showmsg('参数错误！',1); $setsqlarr['start']=trim($_POST['start'])?$_POST['start']:showmsg('请填写开始时间！',1,$link); $setsqlarr['endtime']=trim($_POST['endtime'])?$_POST['endtime']:showmsg('请填写结束时间！',1,$link); $setsqlarr['school']=trim($_POST['school'])?$_POST['school']:showmsg('请填写学校名称！',1,$link); $setsqlarr['speciality']=trim($_POST['speciality'])?$_POST['speciality']:showmsg('请填写专业名称！',1,$link); $setsqlarr['education']=trim($_POST['education'])?$_POST['education']:showmsg('请选择获得学历！',1,$link); $setsqlarr['education_cn']=trim($_POST['education_cn'])?$_POST['education_cn']:showmsg('请选择获得学历！',1,$link); if (inserttable(table('resume_education'),$setsqlarr)) { check_resume($_SESSION['uid'],intval($_REQUEST['pid'])); ``` inserttable(table('resume_education') 这里把post来的数据带入到了insert当中入库。这里我们提交一个单引号然后带入insert的时候虽然是转义但是入库后会消除转义符。然后继续看 check_resume ``` function check_resume($uid,$pid) { global $db,$timestamp,$_CFG; $uid=intval($uid); $pid=intval($pid); $percent=0; $resume_basic=get_resume_basic($uid,$pid); $resume_intention=$resume_basic['intention_jobs']; $resume_specialty=$resume_basic['specialty']; $resume_education=get_resume_education($uid,$pid); if (!empty($resume_basic))$percent=$percent+15; if (!empty($resume_intention))$percent=$percent+15; if (!empty($resume_specialty))$percent=$percent+15; if (!empty($resume_education))$percent=$percent+15; if ($resume_basic['photo_img'] && $resume_basic['photo_audit']=="1" && $resume_basic['photo_display']=="1") { $setsqlarr['photo']=1; } else { $setsqlarr['photo']=0; } if ($percent<60) { $setsqlarr['complete_percent']=$percent; $setsqlarr['complete']=2; } else { $resume_work=get_resume_work($uid,$pid); $resume_training=get_resume_training($uid,$pid); $resume_photo=$resume_basic['photo_img']; if (!empty($resume_work))$percent=$percent+13; if (!empty($resume_training))$percent=$percent+13; if (!empty($resume_photo))$percent=$percent+14; $setsqlarr['complete']=1; $setsqlarr['complete_percent']=$percent; require_once(QISHI_ROOT_PATH.'include/splitword.class.php'); $sp = new SPWord(); $setsqlarr['key']=$resume_basic['intention_jobs'].$resume_basic['recentjobs'].$resume_basic['specialty']; $setsqlarr['key']="{$resume_basic['fullname']} ".$sp->extracttag($setsqlarr['key']); $setsqlarr['key']=str_replace(","," ",$resume_basic['intention_jobs'])." {$setsqlarr['key']} {$resume_basic['education_cn']}"; $setsqlarr['key']=$sp->pad($setsqlarr['key']); if (!empty($resume_education)) { foreach($resume_education as $li) { $setsqlarr['key']="{$li['school']} {$setsqlarr['key']} {$li['speciality']}"; } } $setsqlarr['refreshtime']=$timestamp; } updatetable(table('resume'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'"); updatetable(table('resume_tmp'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'"); ``` $resume_education=get_resume_education($uid,$pid); 这里把刚才入库的查询了出来所以单引号就出来了。继续看。 ``` $setsqlarr['key']=$resume_basic['intention_jobs'].$resume_basic['recentjobs'].$resume_basic['specialty']; $setsqlarr['key']="{$resume_basic['fullname']} ".$sp->extracttag($setsqlarr['key']); $setsqlarr['key']=str_replace(","," ",$resume_basic['intention_jobs'])." {$setsqlarr['key']} {$resume_basic['education_cn']}"; $setsqlarr['key']=$sp->pad($setsqlarr['key']); if (!empty($resume_education)) { foreach($resume_education as $li) { $setsqlarr['key']="{$li['school']} {$setsqlarr['key']} {$li['speciality']}"; } } $setsqlarr['refreshtime']=$timestamp; } updatetable(table('resume'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'"); updatetable(table('resume_tmp'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'"); ``` 然后把出库来的给一数组然后带入到了update中。造成了注入。而且这个update 可以控制的点是在set位置的所以可以是我们想update这table里面的什么就update什么。 [<img src="https://images.seebug.org/upload/201407/13135831a87e1ba9cd61cb6a9dafa52dc114c5cb.jpg" alt="77.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/13135831a87e1ba9cd61cb6a9dafa52dc114c5cb.jpg) [<img src="https://images.seebug.org/upload/201407/1313584745e1575095a9d9c20f926a5b5c4a880e.jpg" alt="78.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/1313584745e1575095a9d9c20f926a5b5c4a880e.jpg) 报错了稍微构造一下。这里我们把address updata成要出的数据 [<img src="https://images.seebug.org/upload/201407/131400342bf3b718c13332cff582d4232fa7a1a2.jpg" alt="7 8.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/131400342bf3b718c13332cff582d4232fa7a1a2.jpg) [<img src="https://images.seebug.org/upload/201407/131401013eaecb0272d75ada52ec8c269c7c9025.jpg" alt="79.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/131401013eaecb0272d75ada52ec8c269c7c9025.jpg) 成功了对关键字的过滤出数据。测试了一下demo 也成功 [<img src="https://images.seebug.org/upload/201407/131401517e84622d24b791d21d7e6b631aecd56e.jpg" alt="80.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/131401517e84622d24b791d21d7e6b631aecd56e.jpg) http://demo.74cms.com/resume/resume-show-6271.htm ### 漏洞证明：见上面。

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™