PHPYun /uploads/member/ajax.class.php SQL injection vulnerability
Introduction to PHPYun
PHPYun (PHP cloud talent management system) is an open-source recruitment website program, an efficient talent and corporate job recruitment system built with PHP and a MySQL database. Under the premise of respecting copyright, webmasters can freely carry out secondary development of the program.
Vulnerability principle
The jobid parameter is not filtered and is concatenated directly into the SQL statement that is executed, resulting in a SQL injection vulnerability.
Vulnerability analysis
View the /uploads/member/ajax.class.php file:
function getzphcom_action(){
    if(!$_GET['jobid']){
        $arr['status']=0;
        $arr['content']=iconv("gbk","utf-8","您还没有职位,<a href='".Url("login",array(),"1")."'>请先登录</a>");
    }else{
        // $_GET['jobid'] is concatenated into the WHERE clause without any filtering
        $row=$this->obj->DB_select_all("company_job","`id` in (".$_GET['jobid'].") and `uid`='".$this->uid."' and `r_status`<>'2' and `status`<>'1'","`name`");
        $space=$this->obj->DB_select_all("zhaopinhui_space");
        // zid, by contrast, is cast with intval() before use
        $zhaopinhui=$this->obj->DB_select_once("zhaopinhui","`id`='".intval($_GET['zid'])."'","`title`,`address`,`starttime`,`endtime`");
        $com=$this->obj->DB_select_once("zhaopinhui_com","`zid`='".intval($_GET['zid'])."' and `uid`='".$this->uid."'");
        foreach($row as $v){
            $data[]=$v['name'];
        }
        $spaces=array();
        foreach($space as $val){
            $spaces[$val['id']]=$val['name'];
        }
        $cname=@implode('、',$data);
        $arr['status']=1;
        $arr['content']=iconv("gbk","utf-8",$cname);
        $arr['title']=iconv("gbk","utf-8",$zhaopinhui['title']);
        $arr['address']=iconv("gbk","utf-8",$zhaopinhui['address']);
        $arr['starttime']=iconv("gbk","utf-8",$zhaopinhui['starttime']);
        $arr['endtime']=iconv("gbk","utf-8",$zhaopinhui['endtime']);
        $arr['sid']=iconv("gbk","utf-8",$spaces[$com['sid']]);
        $arr['bid']=iconv("gbk","utf-8",$spaces[$com['bid']]);
        $arr['cid']=iconv("gbk","utf-8",$spaces[$com['cid']]);
    }
    echo json_encode($arr);
}
Analyze the above code snippet:
$row=$this->obj->DB_select_all("company_job","`id` in (".$_GET['jobid'].") and `uid`='".$this->uid."' and `r_status`<>'2' and `status`<>'1'","`name`");
You can see that $_GET['jobid'] is not filtered or cast in any way before it is concatenated into the WHERE clause.
Following DB_select_all() further, check the /uploads/app/public/action.class.php file:
function DB_select_all($tablename, $where = 1, $select = "*",$special='') {
    // the raw $where string is also used as the cache key
    $cachename=$tablename.$where;
    if(!$row_return=$this->Memcache_set($cachename)){
        $row_return=array();
        if($this->siteadmindir&&$special==''){
            $where = $this->site_fetchsql($where,$tablename);
        }
        // $where is appended verbatim; nothing in this function escapes it
        $SQL = "SELECT $select FROM `" . $this->def . $tablename . "` WHERE ".$where;
        $query=$this->db->query($SQL);
        while($row=$this->db->fetch_array($query)){
            $row_return[]=$row;
        }
        $this->Memcache_set($cachename,$row_return);
    }
    return $row_return;
}
It can be seen that $_GET['jobid'] is still not filtered anywhere along this path,
so the final SQL statement that is spelled out is (可控 marks the attacker-controlled value):
SELECT `name` FROM `phpyun_company_job` WHERE `id` in (可控) and `uid`='1' and `r_status`<>'2' and `status`<>'1'
Because 360 WAF escapes the received parameters (single quotes and double quotes are escaped, ASCII brackets are converted to full-width Chinese brackets) and intercepts the keywords select, update, delete, insert and /**/ comments, the author uses an XOR-based payload to bypass 360 and exploit the SQL injection vulnerability.
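The root cause is that a comma-separated list of ids is trusted verbatim, and a WAF in front of the application is not a fix. The following is an added example (not PHPYun's own code) of a whitelist-style fix at the call site: the raw jobid value is reduced to a list of positive integers before the IN (...) clause is built, so anything that is not a digit sequence never reaches DB_select_all(). The function names safeIdList() and idInClause() are hypothetical, and the sample inputs at the bottom are constructed for the demonstration.

```php
<?php
// Added example, not PHPYun code. Hardens the `jobid` parameter from
// getzphcom_action() before it is interpolated into `id` in (...).

/**
 * Turn a raw "1,2,3"-style request value into a list of positive integers.
 * Every element that is not a pure digit sequence is dropped, so the result
 * can be safely interpolated into a WHERE clause.
 */
function safeIdList($raw): array {
    if (!is_string($raw)) {
        return [];
    }
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // ctype_digit() rejects signs, spaces, quotes, brackets and any
        // boolean/XOR expression, whatever encoding trick the WAF missed.
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int) $part;
        }
    }
    return array_values(array_unique($ids));
}

/** Build the `id` IN (...) fragment, or null when no valid id survived. */
function idInClause(array $ids): ?string {
    if ($ids === []) {
        return null;
    }
    return '`id` in (' . implode(',', $ids) . ')';
}

// How the vulnerable call site in getzphcom_action() would use it
// ($this->obj and $this->uid are PHPYun's own objects, shown as context):
//
//   $in = idInClause(safeIdList($_GET['jobid'] ?? ''));
//   if ($in === null) {
//       $arr['status'] = 0;            // same branch as an empty jobid
//   } else {
//       $row = $this->obj->DB_select_all(
//           "company_job",
//           $in . " and `uid`='" . intval($this->uid) . "' and `r_status`<>'2' and `status`<>'1'",
//           "`name`"
//       );
//   }

// Constructed sample inputs; run from the CLI to see what survives.
$samples = [
    '1,2,3',               // legitimate request
    ' 7 , 7 ,8',           // whitespace and duplicates are tolerated
    "1) or 1=1 -- ",       // quote-free boolean injection attempt
    '1,2,3 xor 1',         // keyword-free payload of the kind the write-up mentions
    '',                    // nothing supplied
];
foreach ($samples as $s) {
    $clause = idInClause(safeIdList($s));
    printf("%-22s => %s\n", var_export($s, true), $clause ?? 'NO VALID IDS');
}
```

Casting to integers is the right shape of fix here because the column is numeric and PHPYun's DB_select_all() only accepts a pre-built WHERE string, so there is no placeholder mechanism to hand the values to. If the wrapper is ever refactored to support prepared statements, the same list of integers can be bound as parameters instead of being interpolated. Note also that the unfixed code uses the raw WHERE string as a memcache key, so the same integer whitelist keeps untrusted input out of the cache key as well.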