### Brief description:

PHPYUN latest version (phpyun_v3.1.0604_gbk): SQL injection (bypassing the built-in defenses)

### Detailed description:

PHPYUN latest version: phpyun_v3.1.0604_gbk

File `/member/model/index.class.php`:

```php
function resume_ajax_action()
{
    include(PLUS_PATH."user.cache.php");
    // table name is built directly from the untrusted POST parameter
    $table="resume_".$_POST['type'];
    $id=(int)$_POST['id'];
    $info=$this->obj->DB_select_once($table,"`id`='".$id."'");
    $info['skillval']=$userclass_name[$info['skill']];
    $info['ingval']=$userclass_name[$info['ing']];
    $info['sdate']=date("Y-m-d",$info['sdate']);
    $info['edate']=date("Y-m-d",$info['edate']);
    if(is_array($info))
    {
        foreach($info as $k=>$v)
        {
            $arr[$k]=iconv("gbk","utf-8",$v);
        }
    }
    echo json_encode($arr);die;
}
```

Here `$table="resume_".$_POST['type'];` is not filtered at all and goes straight into the database query: `$info=$this->obj->DB_select_once($table,"`id`='".$id."'");`

Following `DB_select_once`:

```php
function DB_select_once($tablename, $where = 1, $select = "*")
{
    $cachename=$tablename.$where;
    if(!$return=$this->Memcache_set($cachename)){
        // $tablename is interpolated into the SQL text unchanged
        $SQL = "SELECT $select FROM " . $this->def . $tablename . " WHERE $where limit 1";
        $query = $this->db->query($SQL);
        $return=$this->db->fetch_array($query);
        $this->Memcache_set($cachename,$return);
    }
    return $return;
}
```

Still no handling here, so this results in an injection.

PHPYUN does use the 360webscan rules and a few other defensive measures. File `/data/db.safety.php`:

```php
function gpc2sql($str)
{
    if(preg_match("/select|insert|update|delete|union|into|load_file|outfile/is", $str))
    {
        exit(safe_pape());
    }
    // keyword blacklist; the replacement values are mis-encoded on the original page
    $arr=array(" and "=>" an d "," or "=>" ��r ","%20"=>"","select"=>"��elect","update"=>"��pdate","count"=>"��ount","chr"=>"��hr","truncate"=>"��runcate","union"=>"��nion","delete"=>"��elete","insert"=>"��nsert");
    foreach($arr as $key=>$v){
        $str = preg_replace('/'.$key.'/isU',$v,$str);
    }
    return $str;
}
```

Patterns such as `and 1=1` are filtered, so using `/**/and 1+1=1` and `/**/and 1+1=2` is enough to get past it.

On top of that, a horizontal privilege flaw here causes information disclosure: by querying different tables and iterating over the id, we obtain every user's resume data, including phone number, email and other details.

### Proof of vulnerability:

![1.png](https://images.seebug.org/upload/201406/09222632e72432ecff13e6d630edbf2f836615cd.png)

No information returned

![2.png](https://images.seebug.org/upload/201406/09222642568c263d6cc78eaf0a7c6fed3fcea431.png)

Returns the information for id=1

By enumeration we obtained user()=root
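The root cause is that a table name taken from the request is concatenated into the `FROM` clause, and a keyword blacklist cannot fix that. A fix is to map the `type` value to a fixed allow-list of table names and bind the `id` as a parameter. The following is an added example, not PHPYUN's own code; the table suffixes, the `phpyun_` prefix and the SQLite demo are assumptions for illustration.

```php
<?php
// Allow-list of resume sub-tables; the suffixes are assumed for this example.
const RESUME_TABLES = [
    'expect' => 'resume_expect',
    'work'   => 'resume_work',
    'edu'    => 'resume_edu',
];

/** Map an untrusted type value to a fixed table name, or null if it is not allowed. */
function resolve_resume_table(string $type): ?string
{
    return RESUME_TABLES[$type] ?? null;
}

/** Fetch one row: table name from the allow-list, id bound as a parameter. */
function fetch_resume_row(PDO $db, string $prefix, string $type, string $rawId): ?array
{
    $table = resolve_resume_table($type);
    if ($table === null) {
        return null;               // unknown type: no SQL is built at all
    }
    // Identifiers cannot be bound, but this one comes from our own constant,
    // so it never contains request-controlled text. The id is a bound integer.
    $sql  = "SELECT * FROM `{$prefix}{$table}` WHERE `id` = :id LIMIT 1";
    $stmt = $db->prepare($sql);
    $stmt->execute([':id' => (int)$rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration against an in-memory SQLite database (assumed, for the example only).
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE phpyun_resume_expect (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO phpyun_resume_expect VALUES (1, 'demo')");

var_dump(fetch_resume_row($db, 'phpyun_', 'expect', '1'));                  // row with id 1
var_dump(fetch_resume_row($db, 'phpyun_', 'expect /**/and 1+1=2', '1'));    // NULL: rejected by allow-list
```

The same allow-list check belongs on any other handler that builds a table name from `$_POST['type']`, since `DB_select_once` itself offers no protection.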