php云人才系统越权替换简历

### 简要描述： RT ### 详细说明： 版本：PHPYUN人才招聘系统4.0_beta 说明：简历创建的方式有两种，直接创建跟在线黏贴，问题出在，修改在线黏贴的简历 [<img src="https://images.seebug.org/upload/201507/01221735466d2a899735419bfc4c486b72598f6c.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/01221735466d2a899735419bfc4c486b72598f6c.jpg) 文件位置：\upload\member\user\model\expectq.class.php ``` function save_action(){ if($_POST['submit']){ $eid=(int)$_POST['eid']; $data['doc']=str_replace("&amp;","&",html_entity_decode($_POST['doc'],ENT_QUOTES,"GB2312")); $_POST['lastupdate']=mktime(); $_POST['integrity']=100; unset($_POST['eid']); unset($_POST['submit']); unset($_POST['doc']); if(!$eid){ $num=$this->obj->DB_select_num("resume_expect","`uid`='".$this->uid."'"); if($num>=$this->config['user_number']&&$_GET['e']==''){ $this->ACT_msg("index.php?c=resume","你的简历数已经超过系统设置的简历数了"); } $_POST['doc']='1'; $_POST['uid']=(int)$this->uid; $_POST['defaults']=$num<=0?1:0; $nid=$this->obj->insert_into("resume_expect",$_POST); $resume = $this->obj->DB_select_once("resume","`uid`='".$this->uid."'","`name`,`edu`,`exp`,`sex`,`birthday`,`idcard_status`,`status`,`r_status`"); $this->obj->update_once("resume_expect",array( "edu"=>$resume['edu'], "exp"=>$resume['exp'], "uname"=>$resume['name'], "sex"=>$resume['sex'], "birthday"=>$resume['birthday'], "idcard_status"=>$resume['idcard_status'], "status"=>$resume['status'], "r_status"=>$resume['r_status'], "photo"=>$resume['photo'] ),array('uid'=>$this->uid)); $data['eid']=(int)$nid; $data['uid']=(int)$this->uid; $nid2=$this->obj->insert_into("resume_doc",$data); if($nid2){ if($num==0){ $this->obj->update_once('resume',array('def_job'=>$nid),array('uid'=>$this->uid)); } $nid2=$this->obj->DB_update_all("member_statis","`resume_num`=`resume_num`+1","uid='".$this->uid."'"); } if($nid2) { $this->obj->member_log("添加粘贴简历",2,1); $this->ACT_layer_msg("添加成功！",9,"index.php?c=resume"); }else{ $this->ACT_layer_msg("添加失败！",8,"index.php?c=resume"); } }else{ $_POST['height_status']='0'; $this->obj->update_once("resume_expect",$_POST,array("id"=>$eid));//未对用户权限进行判断 $nid=$this->obj->update_once("resume_doc",$data,array("eid"=>$eid));//未对用户权限进行判断 if($nid) { $this->obj->member_log("更新粘贴简历",2,2); $this->ACT_layer_msg("更新成功！",9,"index.php?c=resume"); }else{ $this->ACT_layer_msg("更新失败！",8,"index.php?c=resume"); } } } } ``` ### 漏洞证明： 账号A在线黏贴简历编号为1 [<img src="https://images.seebug.org/upload/201507/01222452809357cf98bb281d1d37b5f9dd9479e8.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/01222452809357cf98bb281d1d37b5f9dd9479e8.jpg) 账号B在线黏贴简历编号为2 [<img src="https://images.seebug.org/upload/201507/0122252633d3f1dc5856df859f36bfaddef1c932.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/0122252633d3f1dc5856df859f36bfaddef1c932.jpg) 账号B修改2的时候，保存修改时抓包，修改eid=1（即账号A的简历，可遍历，简历id递增） [<img src="https://images.seebug.org/upload/201507/0122284259c053a2a37fb5f5788345857f3d25e6.jpg" alt="4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/0122284259c053a2a37fb5f5788345857f3d25e6.jpg) 即可成功修改账号A的简历 [<img src="https://images.seebug.org/upload/201507/0122292133cd51c1fc6a4403dbf07a88968f214b.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201507/0122292133cd51c1fc6a4403dbf07a88968f214b.jpg)