PHP云人才系统SQL注入

漏洞作者: 龟兔赛跑

http://www.hr135.com/index.php?m=register&usertype=2

公司名称:錦
公司地址:,address=注入的SQL,这里用,address=concat(user(),0x0a,version())#

如下图:

0717111684118f0001a325ba5208e9e74742c6ad

 

点击立即注册,注册成功后进入"企业信息页面",可以看到数据显示在"公司地址"里面, 如下图:

0717163303b83e6838b38271c6a33b54ff12ef4b

 

对应的代码为:

model/register.class.php
    	/**
    	 * Handles the registration form POST: validates the input, creates the
    	 * account (directly, or through the uc_center / pw_center integration),
    	 * inserts the `member` row plus the per-usertype rows, then echoes a
    	 * "<code>##<message>" status string and terminates with die.
    	 *
    	 * Security review notes:
    	 * - Every query below is built by string concatenation of $_POST values
    	 *   (lines marked "SQL built from user input"). The transcoding on the
    	 *   iconv() lines happens AFTER post_trim(); if post_trim() is where
    	 *   escaping takes place (presumably - verify), the escaping is defeated:
    	 *   a GBK multibyte sequence can end in byte 0x5C ('\'), which then
    	 *   escapes the closing quote of the value. Mitigation: pass values to the
    	 *   DB layer as parameters, or escape only after the iconv() conversion
    *   with the connection charset set so the escaping is charset-aware.
    	 * - The comparisons use loose != / ==; the authcode check in particular
    	 *   should use a strict, constant-time comparison (hash_equals).
    	 * - salt and the verification token come from rand()/uniqid(), which are
    	 *   not cryptographically secure sources (prefer random_bytes/random_int).
    	 */
    	function regsave_action(){
           $_POST=$this->post_trim($_POST);
           $_POST['username']=iconv("utf-8","gbk",$_POST['username']);    
            $_POST['unit_name']=iconv("utf-8","gbk",$_POST['unit_name']);   // Transcoding the input '錦' to GBK here introduces a '\' byte (see the address insert below).
            $_POST['address']=iconv("utf-8","gbk",$_POST['address']);
           if(trim($_POST['password'])&&trim($_POST['password'])!=trim($_POST['passconfirm'])){
                echo "8##�����������벻һ�£�";die;
            }
            if(!$this->CheckRegUser($_POST['username'])){
                echo "8##�û������������ַ���";die;
            }
            if(!$this->CheckRegEmail($_POST['email'])){
                echo "8##Email��ʽ���淶��";die;
            }
            // NOTE(review): "already logged in" is decided purely from cookie values, which are client-controlled.
            if($_COOKIE['uid']!=""&&$_COOKIE['username']!=""){
                echo "8##���Ѿ���¼�ˣ�";die;
            }
            $usertype=$_POST['usertype'];
            if(strstr($this->config['code_web'],'ע����Ա')){
                // NOTE(review): loose != on an md5 string; use hash_equals() with === semantics,
                // and reject when $_SESSION['authcode'] is unset.
                if(md5($_POST['authcode'])!=$_SESSION['authcode']){
                    echo "8##��֤��������";die;
                }
            }
            if($_POST['username']!=""){
                // SQL built from user input (username, email).
                $nid = $this->obj->DB_select_once("member","`username`='".$_POST['username']."' or `email`='".$_POST['email']."'");
                if(is_array($nid)){
                    echo "8##�˻����������Ѵ��ڣ�";die;
                }
                if($_POST['usertype']=='2'){
                    if($this->config['com_enforce_mobilecert']!='1'){
                        unset($_POST['moblie']);
                    }

                    // Only assigned for usertype 2; for other usertypes $satus is undefined when written into `status` below.
                    $satus = $this->config['com_status'];
                }
                if($this->config['sy_uc_type']=="uc_center"){
                    $this->obj->uc_open();
                   $uid=uc_user_register($_POST['username'],$_POST['password'],$_POST['email']);
                   if($uid<=0){
                       echo "8##�������Ѵ��ڣ�";die;
                   }else{
                       list($uid,$username,$password,$email,$salt)=uc_user_login($_POST['username'],$_POST['password']);
                       $pass = md5(md5($_POST['password']).$salt);
                       $ucsynlogin=uc_user_synlogin($uid);
                   }
               }elseif($this->config['sy_pw_type']=="pw_center"){
                   include(APP_PATH."/api/pw_api/pw_client_class_phpapp.php");
                   // Self-assignment: $username has not been set in this branch, so it is passed through undefined (looks like $_POST['username'] was intended - confirm).
                   $username=$username;
                   $password=$_POST['password'];
                   $email=$_POST['email'];
                   $pw=new PwClientAPI($username,$password,$email);
                   $pwuid=$pw->register();
                   // Salt derived from rand()/uniqid(): predictable, not a CSPRNG.
                   $salt = substr(uniqid(rand()), -6);
                   $pass = md5(md5($password).$salt);
               }else{
                   // Salt derived from rand()/uniqid(): predictable, not a CSPRNG.
                   $salt = substr(uniqid(rand()), -6);
                   $pass = md5(md5($_POST['password']).$salt);
               }
               $ip = $this->obj->fun_ip_get();
               $data['username']=$_POST['username'];
               $data['password']=$pass;
               $data['moblie']=$_POST['moblie'];
               $data['email']=$_POST['email'];
               $data['usertype']=$_POST['usertype'];
               $data['status']=$satus;
               $data['salt']=$salt;
               $data['reg_date']=time();
               $data['reg_ip']=$ip;
               $data['qqid']=$_SESSION['qq']['openid'];
               $data['sinaid']=$_SESSION['sinaid'];
               $userid=$this->obj->insert_into("member",$data);
               if(!$userid){
                   // SQL built from user input (username).
                   $user_id = $this->obj->DB_select_once("member","`username`='".$_POST['username']."'","`uid`");
                   $userid = $user_id['uid'];
               }
               if($userid){
                   $this->unset_cookie();
                   // Bare sy_pw_type (unquoted) is an undefined constant, unlike the quoted 'sy_pw_type' key used above; PHP 8 throws an Error here.
                   if($this->config[sy_pw_type]=="pw_center"){
                       $this->obj->DB_update_all("member","`pwuid`='".$pwuid."'","`uid`='".$userid."'");
                   }
                   if($_POST['usertype']=="1"){
                       $table = "member_statis";
                       $table2 = "resume";
                       $value="`uid`='".$userid."'";
                       // SQL built from user input (email, moblie).
                       $value2 = "`uid`='".$userid."',`email`='".$_POST['email']."',`telphone`='".$_POST['moblie']."'";
                   }elseif($_POST['usertype']=="2"){
                       $table = "company_statis";
                       $table2 = "company";
                       $value="`uid`='".$userid."',".$this->rating_info();
                       // SQL built from user input: the '\' introduced by the iconv() transcoding above is carried into this statement, so $_POST['address'] is interpreted as SQL (the injection point reported on this page).
                       $value2 = "`uid`='".$userid."',`linkmail`='".$_POST['email']."',`name`='".$_POST['unit_name']."',`linktel`='".$_POST['moblie']."',`address`='".$_POST['address']."'";
                   }
                   $this->obj->DB_insert_once($table,$value);
                   $this->obj->DB_insert_once($table2,$value2);
                   // SQL built from user input (username, usertype).
                   $this->obj->DB_insert_once("friend_info","`uid`='".$userid."',`nickname`='".$_POST['username']."',`usertype`='".$_POST['usertype']."'");
                   if($_POST['usertype']=="1"){
                       if($this->config['user_status']=="1"){
                           // Email verification token built from rand() and a config value, base64-encoded: not a cryptographically random token.
                           $randstr=rand(10000000,99999999);
                           $base=base64_encode($userid."|".$randstr."|".$this->config['coding']);
                           $data_cert['type']="cert";
                           $data_cert['email']=$_POST['email'];
                           $data_cert['url']="<a href='".$this->config['sy_weburl']."/index.php?m=qqconnect&c=mcert&id=".$base."'>������֤</a>";
                           $data_cert['date']=date("Y-m-d");
                           $this->send_msg_email($data_cert);
                           $msg = "7##�ʺż����ʼ��ѷ��͵������䣬���ȼ��";
                       }else{
                           $this->add_cookie($userid,$_POST['username'],$salt,$_POST['email'],$pass,$usertype);
                           $this->regemail($_POST);
                           $msg = 1;
                       }
                   }elseif($usertype=="2"){
                       $this->regemail($_POST);
                       if($this->config['com_status']!="1"){
                           $msg = "7##ע���ɹ�,���ȴ�����Ա����";
                       }else{
                           $msg = 1;
                           $this->add_cookie($userid,$_POST['username'],$salt,$_POST['email'],$pass,$usertype);
                       }
                   }
                   echo $msg;die;
               }else{
                   echo "8##ע��ʧ�ܣ�";die;
               }
           }else{
               echo "8##�û�������Ϊ�գ�";die;
           }
       }

这样拼接出的SQL语句为:

07172121d273e49cfa48b6ab9d4c13465ff3a5ff

 
