Knight talent system 7 ultra vires+2 at sql-vulnerability warning-the black bar safety net

2015-01-20T00:00:00
ID MYHACK58:62201558210
Type myhack58
Reporter 佚名
Modified 2015-01-20T00:00:00

Description

wap_user.php:

About the ultra vires is no uid involved, cause any modifications to the database any records

First place:

code area

elseif($act == "resume_work_del")

{

//Override

$smarty->cache = false;

$id=intval($_GET['work_id']);

$sql="delete from ". table("resume_work")." where id=$id";

if($db->query($sql)){

exit("ok");

// WapShowMsg("delete the work experience of success",1);

}else{

exit("err");

// WapShowMsg("delete the work experience of failure",0);

}

}

Second place:

code area

// Delete the educational experience

elseif($act == "resume_education_del")

{

$smarty->cache = false;

$id=intval($_GET['education_id']);

//Override

$sql="delete from ". table("resume_education")." where id=$id";

if($db->query($sql)){

exit("ok");

// WapShowMsg("delete education success",1);

}else{

exit("err");

// WapShowMsg("delete educational experiences failed",0);

}

}

Third place:

code area

elseif($act == "resume_train_del")

{

$smarty->cache = false;

//Override

$id=intval($_GET['train_id']);

$sql="delete from ". table("resume_training")." where id=$id";

if($db->query($sql)){

exit("ok");

// WapShowMsg("delete training experience successful",1);

}else{

exit("err");

// WapShowMsg("delete training experience failure",0);

}

}

Fourth:

code area

elseif($act == "resume_evaluation_save")

{

$_POST=array_map("utf8_to_gbk",$_POST);

$smarty->cache = false;

$id=$_POST['pid'];

//Override

$specialty=$_POST['specialty']?$ _POST['specialty']:exit("please fill in self-evaluation");

$sql="update ". table("resume")." set specialty='$specialty' where id=$id";

if($db->query($sql)){

exit("ok");

}else{

exit("err");

}

}

This shows the presence of sql a simple injection$sql="update ". table("resume")." set specialty='$specialty' where id=$id";

Fifth place:

code area

// Remove the shield of the enterprise

elseif($act == "shield_company_del")

{

$smarty->cache = false;

$id=$_GET["id"];

//Override

$sql="delete from ". table("personal_shield_company")." where id=$id";

$db->query($sql)? exit("ok"):exit("err");

}

Sixth place:

code area

// Upgrade to premium resume

elseif($act == "resume_talent")

{

$smarty->cache = false;

$id=$_GET["pid"];

$setsqlarr["talent"]=3;

//Override

updatetable(table("resume"),$setsqlarr,array("id"=>$id))? exit("ok"):exit("err");

}

Seventh place:

code area

elseif($act == 'resume_name_save')

{

$smarty->cache = false;

$_POST=array_map("utf8_to_gbk", $_POST);

$title=trim($_POST['title'])? trim($_POST['title']):exit("please enter resume name");

//Override+sql

$sql="update ". table("resume")." set title='$title' where id=$_POST[resume_id]";

if($db->query($sql)){

exit("ok");

}else{

exit("err");

}

}

There is a simplesql injection$sql="update ". table("resume")." set title='$title' where id=$_POST[resume_id]";

Vulnerability to prove:

w

Repair solutions: