|74cms 最新版注入1-3 - VULHUB开源网络安全威胁库

74cms 最新版注入1-3

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述：骑士PHP人才系统：74cms V3.4.20140530 ### 详细说明：第一处在user/user_apply_jobs.php中 ``` elseif ($act=="app_save") { $jobsid=isset($_POST['jobsid'])?$_POST['jobsid']:exit("出错了"); $resumeid=isset($_POST['resumeid'])?intval($_POST['resumeid']):exit("出错了"); $notes=isset($_POST['notes'])?trim($_POST['notes']):""; $pms_notice=intval($_POST['pms_notice']); ``` ``` $addarr['notes']= $notes; if (strcasecmp(QISHI_DBCHARSET,"utf8")!=0) { $addarr['notes']=iconv("utf-8",QISHI_DBCHARSET,$addarr['notes']); } $addarr['apply_addtime']=time(); $addarr['personal_look']=1; if (inserttable(table('personal_jobs_apply'),$addarr)) ``` 在这里$note未过滤。但是有全局转义但是有一个转编码。 [<img src="https://images.seebug.org/upload/201406/012011185c61293cca1a9e07186e99a8bfe69b70.jpg" alt="71.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/012011185c61293cca1a9e07186e99a8bfe69b70.jpg) 一个錦' 就能报错。说明闭合了前面的一个单引号。錦从utf-8 转换到 gbk为%e5%5c 单引号被转义后成\' \为%5C 两个%5C%5C又再闭合单引号出来所以造成了注入。第二处在user/user_invited.php中 ``` elseif ($act=="invited_save") { $jobs_id=isset($_GET['jobs_id'])?intval($_GET['jobs_id']):exit("err"); $notes=isset($_GET['notes'])?trim($_GET['notes']):""; $pms_notice=intval($_GET['pms_notice']); if (check_interview($id,$jobs_id,$_SESSION['uid'])) { exit("repeat"); } $jobs=get_jobs_one($jobs_id); $addarr['resume_id']=$resume['id']; $addarr['resume_addtime']=$resume['addtime']; if ($resume['display_name']=="2") { $addarr['resume_name']="N".str_pad($resume['id'],7,"0",STR_PAD_LEFT); } elseif ($resume['display_name']=="3") { $addarr['resume_name']=cut_str($resume['fullname'],1,0,"**"); } else { $addarr['resume_name']=$resume['fullname']; } $addarr['resume_uid']=$resume['uid']; $addarr['company_id']=$jobs['company_id']; $addarr['company_addtime']=$jobs['company_addtime']; $addarr['company_name']=$jobs['companyname']; $addarr['company_uid']=$_SESSION['uid']; $addarr['jobs_id']=$jobs['id']; $addarr['jobs_name']=$jobs['jobs_name']; $addarr['jobs_addtime']=$jobs['addtime']; $addarr['notes']= $notes; if (strcasecmp(QISHI_DBCHARSET,"utf8")!=0) { $addarr['notes']=iconv("utf-8",QISHI_DBCHARSET,$addarr['notes']); } $addarr['personal_look']= 1; $addarr['interview_addtime']=time(); $user=get_user_info($resume['uid']); $resume_user=get_user_info($resume['uid']); if ($_CFG['operation_mode']=="2") { inserttable(table('company_interview'),$addarr); ``` 这个跟第一处差不多。第三处在user/user_pms.php中 ``` elseif($act=="add_save") { $setsqlarr['msgtype']=2; $setsqlarr['msgfrom']=trim($_SESSION['username']); $setsqlarr['msgfromuid']=intval($_SESSION['uid']); $toname=trim($_GET['toname']); $setsqlarr['message']=trim($_GET['msg']); if (strcasecmp(QISHI_DBCHARSET,"utf8")!=0) { $toname=iconv("utf-8",QISHI_DBCHARSET,$toname); $setsqlarr['message']=iconv("utf-8",QISHI_DBCHARSET,$setsqlarr['message']); } $msgtouser= $db->getone("select * from ".table('members')." where username = '{$toname}' LIMIT 1"); ``` 錦从utf-8 转换到 gbk为%e5%5c 单引号被转义后成\' \为%5C 两个%5C%5C又再闭合单引号出来所以造成了注入。注册一个企业会员然后就轻松回显或者注册两个个人会员给另外一个发短消息就行了。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201406/01202133a73d861b06f2de57b3cf36379971f1cf.jpg" alt="72.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/01202133a73d861b06f2de57b3cf36379971f1cf.jpg)

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™