### 简要描述: 74cms_v3.4.20140410逻辑漏洞导致sql注入 ### 详细说明: /include/fun_personal.php(346-373) ``` $resume_work=get_resume_work($uid,$pid); $resume_training=get_resume_training($uid,$pid); $resume_photo=$resume_basic['photo_img']; if (!empty($resume_work))$percent=$percent+13; if (!empty($resume_training))$percent=$percent+13; if (!empty($resume_photo))$percent=$percent+14; $setsqlarr['complete']=1; $setsqlarr['complete_percent']=$percent; require_once(QISHI_ROOT_PATH.'include/splitword.class.php'); $sp = new SPWord(); $setsqlarr['key']=$resume_basic['intention_jobs'].$resume_basic['recentjobs'].$resume_basic['specialty']; echo $setsqlarr['key']." "; $setsqlarr['key']="{$resume_basic['fullname']} ".$sp->extracttag($setsqlarr['key']); $setsqlarr['key']=str_replace(","," ",$resume_basic['intention_jobs'])." {$setsqlarr['key']} {$resume_basic['education_cn']}"; $setsqlarr['key']=$sp->pad($setsqlarr['key']); if (!empty($resume_education)) { foreach($resume_education as $li) {...
### 简要描述: 74cms_v3.4.20140410逻辑漏洞导致sql注入 ### 详细说明: /include/fun_personal.php(346-373) ``` $resume_work=get_resume_work($uid,$pid); $resume_training=get_resume_training($uid,$pid); $resume_photo=$resume_basic['photo_img']; if (!empty($resume_work))$percent=$percent+13; if (!empty($resume_training))$percent=$percent+13; if (!empty($resume_photo))$percent=$percent+14; $setsqlarr['complete']=1; $setsqlarr['complete_percent']=$percent; require_once(QISHI_ROOT_PATH.'include/splitword.class.php'); $sp = new SPWord(); $setsqlarr['key']=$resume_basic['intention_jobs'].$resume_basic['recentjobs'].$resume_basic['specialty']; echo $setsqlarr['key']." "; $setsqlarr['key']="{$resume_basic['fullname']} ".$sp->extracttag($setsqlarr['key']); $setsqlarr['key']=str_replace(","," ",$resume_basic['intention_jobs'])." {$setsqlarr['key']} {$resume_basic['education_cn']}"; $setsqlarr['key']=$sp->pad($setsqlarr['key']); if (!empty($resume_education)) { foreach($resume_education as $li) { $setsqlarr['key']="{$li['school']} {$setsqlarr['key']} {$li['speciality']}"; } } $setsqlarr['refreshtime']=$timestamp; } updatetable(table('resume'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'"); ``` 当执行到$resume_work=get_resume_work($uid,$pid); 然后执行到$setsqlarr['key']=$sp->pad($setsqlarr['key']);对此之前存入数据库的数据原封不动的获取出来,当数据流向updatetable(table('resume'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'");故而触发sql注入漏洞 具体发送请求如图所示: [<img src="https://images.seebug.org/upload/201405/15191746e3c22867d24857689da6a5c58bddaebf.png" alt="6.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/15191746e3c22867d24857689da6a5c58bddaebf.png) 根据此逻辑过程,完全就变成一个最为普通的sql注入了,所以读者可以想干什么,就干什么 ### 漏洞证明:
