PHPYun /uploads/member/ajax.class.php SQL injection vulnerability

Introduction to PHPYun
PHPYun (PHP Cloud Talent Management System) is an open-source recruitment website program: a talent and corporate job-recruitment system built on PHP and a MySQL database. Webmasters may carry out secondary development on it, provided the copyright is respected.

Vulnerability principle
The jobid parameter is not filtered and is passed directly into the SQL statement used for the query, resulting in an injection vulnerability.

Vulnerability analysis
Look at the /uploads/member/ajax.class.php file:

function getzphcom_action(){
    if(!$_GET['jobid']){
        $arr['status']=0;
        $arr['content']=iconv("gbk","utf-8","您还没有职位,<a href='".Url("login",array(),"1")."'>请先登录</a>");
    }else{
        // $_GET['jobid'] is concatenated into the WHERE clause as-is; note that
        // $_GET['zid'] below is wrapped in intval() while jobid is not.
        $row=$this->obj->DB_select_all("company_job","`id` in (".$_GET['jobid'].") and `uid`='".$this->uid."' and `r_status`<>'2' and `status`<>'1'","`name`");
        $space=$this->obj->DB_select_all("zhaopinhui_space");
        $zhaopinhui=$this->obj->DB_select_once("zhaopinhui","`id`='".intval($_GET['zid'])."'","`title`,`address`,`starttime`,`endtime`");
        $com=$this->obj->DB_select_once("zhaopinhui_com","`zid`='".intval($_GET['zid'])."' and `uid`='".$this->uid."'");
        foreach($row as $v){
            $data[]=$v['name'];
        }
        $spaces=array();
        foreach($space as $val){
            $spaces[$val['id']]=$val['name'];
        }
        $cname=@implode('、',$data);
        $arr['status']=1;
        $arr['content']=iconv("gbk","utf-8",$cname);
        $arr['title']=iconv("gbk","utf-8",$zhaopinhui['title']);
        $arr['address']=iconv("gbk","utf-8",$zhaopinhui['address']);
        $arr['starttime']=iconv("gbk","utf-8",$zhaopinhui['starttime']);
        $arr['endtime']=iconv("gbk","utf-8",$zhaopinhui['endtime']);
        $arr['sid']=iconv("gbk","utf-8",$spaces[$com['sid']]);
        $arr['bid']=iconv("gbk","utf-8",$spaces[$com['bid']]);
        $arr['cid']=iconv("gbk","utf-8",$spaces[$com['cid']]);
    }
    echo json_encode($arr);
}

The relevant line in the snippet above is:

$row=$this->obj->DB_select_all("company_job","`id` in (".$_GET['jobid'].") and `uid`='".$this->uid."' and `r_status`<>'2' and `status`<>'1'","`name`");

You can see that $_GET['jobid'] is not filtered at all before being concatenated into the WHERE string.
Following DB_select_all() into the /uploads/app/public/action.class.php file:

function DB_select_all($tablename, $where = 1, $select = "*",$special='') {
    $cachename=$tablename.$where;
    if(!$row_return=$this->Memcache_set($cachename)){
        $row_return=array();
        if($this->siteadmindir&&$special==''){
            $where = $this->site_fetchsql($where,$tablename);
        }
        // $where arrives as a raw string and is appended to the query unchanged
        $SQL = "SELECT $select FROM `" . $this->def . $tablename . "` WHERE ".$where;
        $query=$this->db->query($SQL);
        while($row=$this->db->fetch_array($query)){
            $row_return[]=$row;
        }
        $this->Memcache_set($cachename,$row_return);
    }
    return $row_return;
}

DB_select_all() does not filter $where either, so $_GET['jobid'] reaches the database untouched. The final SQL statement assembled is:

SELECT `name` FROM `phpyun_company_job` WHERE `id` in (<controllable>) and `uid`='1' and `r_status`<>'2' and `status`<>'1'

The site sits behind 360 WAF, which escapes received parameters: single quotes and double quotes are escaped, ASCII parentheses are rewritten into full-width (Chinese) parentheses, and the keywords select, update, delete and insert as well as /**/ are intercepted. The author notes that an XOR-based technique can still bypass these rules and exploit the injection, which shows that the WAF is a mitigation, not a fix; the code itself has to validate jobid.
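As an added example (not PHPYun's own code), the following shows how the jobid handling can be hardened at the source instead of relying on the WAF: the ids are validated as integers before any SQL is built, with a minimal fix that keeps the existing DB_select_all() string interface and a preferred fix using a prepared statement. The function names, the PDO handle and the call-site adaptation are assumptions made for this illustration.

```php
<?php
// Added example, not PHPYun's code. Function names (job_ids_from_input,
// safe_in_clause, fetch_job_names) and the PDO handle are illustrative.

/**
 * Validate a comma-separated list of job ids from user input. Returns an
 * array of integers, or null if any element is not a plain decimal number
 * (quotes, spaces, operators, full-width brackets and SQL keywords are all
 * rejected here, before any query text is built).
 */
function job_ids_from_input(string $raw): ?array {
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        if ($part === '' || !ctype_digit($part)) {
            return null; // reject the whole request on one bad element
        }
        $ids[] = (int) $part;
    }
    return $ids === [] ? null : array_values(array_unique($ids));
}

// Minimal fix that keeps the existing DB_select_all($table, $where) call:
// only integers ever reach the WHERE string.
function safe_in_clause(string $raw): ?string {
    $ids = job_ids_from_input($raw);
    return $ids === null ? null : '`id` in (' . implode(',', $ids) . ')';
}

// Preferred fix: a prepared statement with one placeholder per id, so the
// database never parses user input as SQL text.
function fetch_job_names(PDO $db, string $raw, int $uid): array {
    $ids = job_ids_from_input($raw);
    if ($ids === null) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT `name` FROM `phpyun_company_job` WHERE `id` IN ($marks) "
         . "AND `uid` = ? AND `r_status` <> '2' AND `status` <> '1'";
    $stmt = $db->prepare($sql);
    $stmt->execute(array_merge($ids, [$uid]));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Call site in getzphcom_action() (assumed adaptation): reject malformed
// input with the existing status=0 response instead of querying.
// $where = safe_in_clause($_GET['jobid'] ?? '');
// $row = ($where === null) ? [] : $this->obj->DB_select_all("company_job",
//     $where . " and `uid`='" . $this->uid . "' and `r_status`<>'2' and `status`<>'1'", "`name`");
```

The same pattern applies to any other place where a list of ids is interpolated into an IN (...) clause; checking for rejected requests in the web server or WAF logs also gives a cheap detection signal for probing of this endpoint.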

Origin blog.csdn.net/aasss12345/article/details/98471287