### 简要描述: ~~ ### 详细说明: 文件:/user/company/company_jobs.php ``` $addrand=intval($_POST['addrand']); if($_SESSION['addrand']==$addrand){ unset($_SESSION['addrand']); $setsqlarr['add_mode']=intval($add_mode); $setsqlarr['uid']=intval($_SESSION['uid']); $setsqlarr['companyname']=$company_profile['companyname']; $setsqlarr['company_id']=$company_profile['id']; $setsqlarr['company_addtime']=$company_profile['addtime']; $setsqlarr['company_audit']=$company_profile['audit']; $setsqlarr['jobs_name']=!empty($_POST['jobs_name'])?trim($_POST['jobs_name']):showmsg('您没有填写职位名称!',1); $setsqlarr['contents']=!empty($_POST['contents'])?trim($_POST['contents']):showmsg('您没有填写职位描述!',1); check_word($_CFG['filter'],$_POST['contents'])?showmsg($_CFG['filter_tips'],0):''; $setsqlarr['nature']=intval($_POST['nature']); $setsqlarr['nature_cn']=trim($_POST['nature_cn']); $setsqlarr['sex']=intval($_POST['sex']); $setsqlarr['sex_cn']=trim($_POST['sex_cn']); $setsqlarr['amount']=intval($_POST['amount']);...
### 简要描述: ~~ ### 详细说明: 文件:/user/company/company_jobs.php ``` $addrand=intval($_POST['addrand']); if($_SESSION['addrand']==$addrand){ unset($_SESSION['addrand']); $setsqlarr['add_mode']=intval($add_mode); $setsqlarr['uid']=intval($_SESSION['uid']); $setsqlarr['companyname']=$company_profile['companyname']; $setsqlarr['company_id']=$company_profile['id']; $setsqlarr['company_addtime']=$company_profile['addtime']; $setsqlarr['company_audit']=$company_profile['audit']; $setsqlarr['jobs_name']=!empty($_POST['jobs_name'])?trim($_POST['jobs_name']):showmsg('您没有填写职位名称!',1); $setsqlarr['contents']=!empty($_POST['contents'])?trim($_POST['contents']):showmsg('您没有填写职位描述!',1); check_word($_CFG['filter'],$_POST['contents'])?showmsg($_CFG['filter_tips'],0):''; $setsqlarr['nature']=intval($_POST['nature']); $setsqlarr['nature_cn']=trim($_POST['nature_cn']); $setsqlarr['sex']=intval($_POST['sex']); $setsqlarr['sex_cn']=trim($_POST['sex_cn']); $setsqlarr['amount']=intval($_POST['amount']); $setsqlarr['category']=!empty($_POST['category'])?intval($_POST['category']):showmsg('请选择职位类别!',1); $setsqlarr['subclass']=intval($_POST['subclass']); $setsqlarr['category_cn']=trim($_POST['category_cn']); $setsqlarr['trade']=$company_profile['trade']; $setsqlarr['trade_cn']=$company_profile['trade_cn']; $setsqlarr['scale']=$company_profile['scale']; $setsqlarr['scale_cn']=$company_profile['scale_cn']; $setsqlarr['district']=!empty($_POST['district'])?intval($_POST['district']):showmsg('请选择工作地区!',1); $setsqlarr['sdistrict']=intval($_POST['sdistrict']); $setsqlarr['district_cn']=trim($_POST['district_cn']); $setsqlarr['tag']=trim($_POST['tag']); $setsqlarr['street']=$company_profile['street']; $setsqlarr['street_cn']=$company_profile['street_cn']; $setsqlarr['officebuilding']=$company_profile['officebuilding']; $setsqlarr['officebuilding_cn']=$company_profile['officebuilding_cn']; $setsqlarr['education']=intval($_POST['education']); $setsqlarr['education_cn']=trim($_POST['education_cn']); $setsqlarr['experience']=intval($_POST['experience']); $setsqlarr['experience_cn']=trim($_POST['experience_cn']); $setsqlarr['wage']=intval($_POST['wage']); $setsqlarr['wage_cn']=trim($_POST['wage_cn']); $setsqlarr['graduate']=intval($_POST['graduate']); $setsqlarr['addtime']=$timestamp; $setsqlarr['deadline']=strtotime("".intval($_POST['days'])." day"); $setsqlarr['refreshtime']=$timestamp; $setsqlarr['key']=$setsqlarr['jobs_name'].$company_profile['companyname'].$setsqlarr['category_cn'].$setsqlarr['district_cn'].$setsqlarr['contents']; require_once(QISHI_ROOT_PATH.'include/splitword.class.php'); $sp = new SPWord(); $setsqlarr['key']="{$setsqlarr['jobs_name']} {$company_profile['companyname']} ".$sp->extracttag($setsqlarr['key']); $setsqlarr['key']=$sp->pad($setsqlarr['key']); $setsqlarr['subsite_id']=intval($_CFG['subsite_id']); $setsqlarr['tpl']=$company_profile['tpl']; $setsqlarr['map_x']=$company_profile['map_x']; $setsqlarr['map_y']=$company_profile['map_y']; if ($company_profile['audit']=="1") { $setsqlarr['audit']=intval($_CFG['audit_verifycom_addjob']); } else { $setsqlarr['audit']=intval($_CFG['audit_unexaminedcom_addjob']); } $setsqlarr_contact['contact']=!empty($_POST['contact'])?trim($_POST['contact']):showmsg('您没有填写联系人!',1); $setsqlarr_contact['qq']=trim($_POST['qq']); $setsqlarr_contact['telephone']=!empty($_POST['telephone'])?trim($_POST['telephone']):showmsg('您没有填写联系电话!',1); check_word($_CFG['filter'],$_POST['telephone'])?showmsg($_CFG['filter_tips'],0):''; $setsqlarr_contact['address']=!empty($_POST['address'])?trim($_POST['address']):showmsg('您没有填写联系地址!',1); $setsqlarr_contact['email']=!empty($_POST['email'])?trim($_POST['email']):showmsg('您没有填写联系邮箱!',1); $setsqlarr_contact['notify']=intval($_POST['notify']); $setsqlarr_contact['contact_show']=intval($_POST['contact_show']); $setsqlarr_contact['email_show']=intval($_POST['email_show']); $setsqlarr_contact['telephone_show']=intval($_POST['telephone_show']); $setsqlarr_contact['address_show']=intval($_POST['address_show']); $setsqlarr_contact['qq_show']=intval($_POST['qq_show']); //添加职位信息 $pid=inserttable(table('jobs'),$setsqlarr,true); empty($pid)?showmsg("添加失败!",0):''; //添加联系方式 $setsqlarr_contact['pid']=$pid; !inserttable(table('jobs_contact'),$setsqlarr_contact)?showmsg("添加失败!",0):''; ``` $setsqlarr['companyname']=$company_profile['companyname']; 这里的companyname是企业用户注册的公司名称 这里直接取出companyname的名称进入SQL语句。 ``` function inserttable($tablename, $insertsqlarr, $returnid=0, $replace = false, $silent=0) { global $db; $insertkeysql = $insertvaluesql = $comma = ''; foreach ($insertsqlarr as $insert_key => $insert_value) { $insertkeysql .= $comma.'`'.$insert_key.'`'; $insertvaluesql .= $comma.'\''.$insert_value.'\''; $comma = ', '; } $method = $replace?'REPLACE':'INSERT'; $state = $db->query($method." INTO $tablename ($insertkeysql) VALUES ($insertvaluesql)", $silent?'SILENT':''); if($returnid && !$replace) { return $db->insert_id(); }else { return $state; } } ``` ### 漏洞证明: 1、先注册一个企业,晚上公司信息,把公司名称改为111111' 2、然后添加职位,在保存时,即可触发错误 [<img src="https://images.seebug.org/upload/201405/19183016618f3c985583b968f2d9938624cd4d02.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/19183016618f3c985583b968f2d9938624cd4d02.png)
