php云越权关注

### 简要描述： 版本v3.1 9.23 1.关注，可以让招聘者关注你，或者求职者关注你 2.关注问题。你发表问题可以让大家关注 其中uid是注册的时候自增的值 ### 详细说明： 1.代码位置 upload/model/ajax.class.php function Atn_action() ``` function Atn_action() { $id=(int)$_POST['id']; if((int)$_POST['id']>0){ if($this->uid>0){ if($_POST['id']==$this->uid){ echo 4;die; } $atninfo = $this->obj->DB_select_once("atn","`uid`='".$this->uid."' AND `sc_uid`='".$id."'");//查询是不是关注过了 $user=$this->obj->DB_select_once("member","`uid`='".$id."'","`usertype`");//查询想关注别人的你的信息 if($user['usertype']=="1")//确定求职者身份 { $table="resume"; }elseif($user['usertype']=="2"){//招聘者身份 $table="company"; } $comurl = $this->furl(array("url"=>"c:profile,id:".$id)); $row=$this->obj->DB_select_once("friend_info","`uid`='".$id."'"); $name = $row['nickname']; if(is_array($atninfo)&&!empty($atninfo))//判断关注过就会取消关注 { ：： }else{//否则关注 ：： } }else{ echo "3";die; } ``` 只需id,uid为大于0的值 2.代码位置 upload/ask/model/index.class.php function attention_action() { $this->is_login();//判断登录 $is_set=$this->obj->DB_select_once("attention","`uid`='".$this->uid."' and `type`='".(int)$_POST['type']."'"); if($_POST['type']=='1') { $info=$this->obj->DB_select_once("question","`id`='".(int)$_POST['id']."'","`id`,`title`,`uid`"); $gourl= $this->aurl(array("url"=>"c:content,id:".$info['id'])); $content="关注了<a href=\"".$gourl."\" target=\"_blank\">《".$info['title']."》</a>。";//关注别人 $n_contemt="取消了对<a href=\"".$gourl."\" target=\"_blank\">《".$info['title']."》</a>的关注。";//取消关注别人 }else{ $info=$this->obj->DB_select_once("q_class","`id`='".$_POST['id']."'","`id`,`name`"); $gourl= $this->aurl(array("url"=>"c:getclass,id:".$info['id'])); $content="关注了<a href=\"".$gourl."\" target=\"_blank\">".$info['name']."</a>。";//关注互联网 $n_contemt="取消了<a href=\"".$gourl."\" target=\"_blank\">".$info['name']."</a>的关注。";//取消关注互联网 } 看登录这里 function is_login() { if($this->uid==""||$_COOKIE['username']=='') { echo 'no_login';die; } } 只判断是否为空 只需有type=1或2，id、uid、username有值 ### 漏洞证明： 1.登录查看此时33未关注11 [<img src="https://images.seebug.org/upload/201412/11212619ead4804fd2518d2babbd104a236802a4.jpg" alt="9.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/11212619ead4804fd2518d2babbd104a236802a4.jpg) 构造post包。Replay [<img src="https://images.seebug.org/upload/201412/1121281046397e281138c3150fec9fd6b0819049.jpg" alt="7.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/1121281046397e281138c3150fec9fd6b0819049.jpg) 登录查看33关注了11 [<img src="https://images.seebug.org/upload/201412/1121291190d7c78a87ae251fbf14b1e19dcd05b0.jpg" alt="11.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/1121291190d7c78a87ae251fbf14b1e19dcd05b0.jpg) 再次发包33取消关注11 [<img src="https://images.seebug.org/upload/201412/11213013dda9a11d16be88dfd3a4483a7aada8b2.jpg" alt="13.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/11213013dda9a11d16be88dfd3a4483a7aada8b2.jpg) 2. 1》type=1 登录未关注问题 [<img src="https://images.seebug.org/upload/201412/11213816b47c6fde89fb70f36f844e351bfe904e.jpg" alt="31.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/11213816b47c6fde89fb70f36f844e351bfe904e.jpg) 构造包 发包 [<img src="https://images.seebug.org/upload/201412/11214908639e31e9abb9a38fa527d816d8301588.jpg" alt="37.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/11214908639e31e9abb9a38fa527d816d8301588.jpg) 已关注 [<img src="https://images.seebug.org/upload/201412/112140362dbd53db0dbf5fd37b396c4e679a7ca4.jpg" alt="33.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/112140362dbd53db0dbf5fd37b396c4e679a7ca4.jpg) 2》type=2 [<img src="https://images.seebug.org/upload/201412/11214230b4483847b9bed1d73a70907ea784f5c4.jpg" alt="34.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/11214230b4483847b9bed1d73a70907ea784f5c4.jpg) type=2 不登录发包 [<img src="https://images.seebug.org/upload/201412/112145243ad32b28414aaaf36d43e9ff53ec7941.jpg" alt="36.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/112145243ad32b28414aaaf36d43e9ff53ec7941.jpg) 查看 [<img src="https://images.seebug.org/upload/201412/11214436badd1ac1488c3a754b81f872fdd9a47b.jpg" alt="35.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/11214436badd1ac1488c3a754b81f872fdd9a47b.jpg)