### 简要描述: 骑士PHP人才系统 74cms V3.4.20140530 存在二次(存储型)SQL注入: 企业用户可控的公司名/职位名入库时只受全局转义保护, 出库后未再转义就被拼进新的 INSERT 语句。 ### 详细说明: 第一处在 user/user_apply_jobs.php 中: ``` if ($act=="app_save") { $jobsid=isset($_POST['jobsid'])?$_POST['jobsid']:exit("出错了"); $resumeid=isset($_POST['resumeid'])?intval($_POST['resumeid']):exit("出错了"); $notes=isset($_POST['notes'])?trim($_POST['notes']):""; $pms_notice=intval($_POST['pms_notice']); $jobsarr=app_get_jobs($jobsid);//这里出库 if (empty($jobsarr)) { exit("职位丢失"); } $resume_basic=get_resume_basic($_SESSION['uid'],$resumeid); if (empty($resume_basic)) { exit("简历丢失"); } $i=0; foreach($jobsarr as $jobs) { if (check_jobs_apply($jobs['id'],$resumeid,$_SESSION['uid'])) { continue ; } if ($resume_basic['display_name']=="2") { $personal_fullname="N".str_pad($resume_basic['id'],7,"0",STR_PAD_LEFT); } elseif($resume_basic['display_name']=="3") { $personal_fullname=cut_str($resume_basic['fullname'],1,0,"**"); } else { $personal_fullname=$resume_basic['fullname']; } $addarr['resume_id']=$resumeid; $addarr['resume_name']=$personal_fullname; $addarr['personal_uid']=intval($_SESSION['uid']); $addarr['jobs_id']=$jobs['id']; $addarr['jobs_name']=$jobs['jobs_name']; $addarr['company_id']=$jobs['company_id']; $addarr['company_name']=$jobs['companyname']; $addarr['company_uid']=$jobs['uid']; $addarr['notes']= $notes; if (strcasecmp(QISHI_DBCHARSET,"utf8")!=0) { $addarr['notes']=iconv("utf-8",QISHI_DBCHARSET,$addarr['notes']); } $addarr['apply_addtime']=time(); $addarr['personal_look']=1; if (inserttable(table('personal_jobs_apply'),$addarr)) ``` 其中下面这几个值全部来自数据库: ``` $jobsarr=app_get_jobs($jobsid);//这里出库 $addarr['jobs_id']=$jobs['id']; $addarr['jobs_name']=$jobs['jobs_name']; $addarr['company_id']=$jobs['company_id']; $addarr['company_name']=$jobs['companyname']; $addarr['company_uid']=$jobs['uid']; ``` 全局转义只对请求参数生效, 转义符本身并不入库: 企业注册时填的公司名 yuaa' 存进库里的仍然是原始的 yuaa'。 这些值被 app_get_jobs() 查出来后没有再做任何转义或过滤, 就直接放进 $addarr 交给 inserttable() 拼接 INSERT, 于是形成二次注入(second-order SQL injection)。 注入语句在任意个人用户投递该企业的职位时执行, 攻击者只需要一个企业账号(或像下面证明那样自己注册企业账号和个人账号各一个)。 同一个循环里 $resume_basic['fullname'] 也是出库后未转义直接入库, 模式相同(是否可利用取决于该列的长度和前端限制, 本页未给出)。 修复方向: 拼接 SQL 前对所有值(包括从库里读出的值)做转义, 或改用预处理语句; 只在入口处全局转义是不够的。 涉及的表结构如下: ``` +-------------------+----------------------+------+-----+---------+----------------+ | Field | Type | Null | Key | Default | Extra | 
+-------------------+----------------------+------+-----+---------+----------------+ | id | int(10) unsigned | NO | PRI | NULL | auto_increment | | subsite_id | tinyint(3) unsigned | NO | | 0 | | | uid | int(10) unsigned | NO | MUL | NULL | | | jobs_name | varchar(30) | NO | | NULL | | | companyname | varchar(50) | NO | | NULL | 可以看到 jobs_name 和 companyname 都是 varchar, 而且都是出库后直接入库的字段; companyname 的上限是 50 个字符, 比 jobs_name 的 30 宽, 足够放下后面用的 payload, 所以选它作为注入点。 第二处在 user/user_invited.php 中: ``` elseif ($act=="invited_save") { $jobs_id=isset($_GET['jobs_id'])?intval($_GET['jobs_id']):exit("err"); $notes=isset($_GET['notes'])?trim($_GET['notes']):""; $pms_notice=intval($_GET['pms_notice']); if (check_interview($id,$jobs_id,$_SESSION['uid'])) { exit("repeat"); } $jobs=get_jobs_one($jobs_id); $addarr['resume_id']=$resume['id']; $addarr['resume_addtime']=$resume['addtime']; if ($resume['display_name']=="2") { $addarr['resume_name']="N".str_pad($resume['id'],7,"0",STR_PAD_LEFT); } elseif ($resume['display_name']=="3") { $addarr['resume_name']=cut_str($resume['fullname'],1,0,"**"); } else { $addarr['resume_name']=$resume['fullname']; } $addarr['resume_uid']=$resume['uid']; $addarr['company_id']=$jobs['company_id']; $addarr['company_addtime']=$jobs['company_addtime']; $addarr['company_name']=$jobs['companyname']; $addarr['company_uid']=$_SESSION['uid']; $addarr['jobs_id']=$jobs['id']; $addarr['jobs_name']=$jobs['jobs_name']; $addarr['jobs_addtime']=$jobs['addtime']; $addarr['notes']= $notes; if (strcasecmp(QISHI_DBCHARSET,"utf8")!=0) { $addarr['notes']=iconv("utf-8",QISHI_DBCHARSET,$addarr['notes']); } $addarr['personal_look']= 1; $addarr['interview_addtime']=time(); $user=get_user_info($resume['uid']); $resume_user=get_user_info($resume['uid']); if ($_CFG['operation_mode']=="2") { inserttable(table('company_interview'),$addarr); ``` 这里 get_jobs_one($jobs_id) 查出的 companyname、jobs_name, 以及 $resume 里的 fullname($id 和 $resume 在这段代码之前取得, 此处未贴出), 同样是出库后未经转义直接写入 $addarr, 再由 inserttable() 拼入 INSERT, 注入原理与第一处相同, 不再展开。 ### 漏洞证明: 先注册一个企业会员并创建企业, 企业名填 yuaa', 然后发布一个招聘职位。 再注册一个个人会员, 去投递这个职位进行测试 [<img 
src="https://images.seebug.org/upload/201406/011355252ca02a5eec8d5493a1c01c465a1cd82e.jpg" alt="75.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/011355252ca02a5eec8d5493a1c01c465a1cd82e.jpg) 投递时公司名 yuaa' 中的单引号未经转义进入 INSERT, 语句出错(见截图), 证实注入点存在。 接着重新登录企业会员, 把公司名改为 a',user(),user(),user(),user(),user(),user())# (共 46 个字符, 没有超过 companyname 的 varchar(50))。 直接在页面上修改时, 表单对公司名长度有限制, 填不进这么多字符; 但这只是表单/客户端层面的限制, 用代理抓包后改掉请求里的值, 服务端照常接受 [<img src="https://images.seebug.org/upload/201406/01140335c0a972ad8d41230612d04bd04ee2d7cd.jpg" alt="76.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/01140335c0a972ad8d41230612d04bd04ee2d7cd.jpg) 注意: 闭合 company_name 之后补的 user() 个数要与目标 INSERT 中该列之后剩余的列数一致, 否则会因列数不匹配报错; 本页没有给出 inserttable() 的 SQL 拼接方式, 复现时按实际报错调整个数即可。 最后登录个人会员再次投递该职位, 注入语句随投递的 INSERT 一起执行。 [<img src="https://images.seebug.org/upload/201406/01140500985225c53fc9334db8e249c692a10d7f.jpg" alt="77.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/01140500985225c53fc9334db8e249c692a10d7f.jpg)