Server guard talent system: 7 unauthorized + 2 SQL

Source: Internet
Author: User
Tags: simple sql injection

Wap_user.php:




None of the actions below ties the record to the logged-in user's uid before deleting or updating it, so any logged-in user can change or delete any record in the affected tables simply by supplying another record's id. Where intval() is applied to the id it prevents injection but does nothing for ownership.



Issue 1:

elseif ($act == "resume_work_del") { // unauthorized
    $smarty->cache = false;
    $id = intval($_GET['work_id']);
    $sql = "delete from " . table("resume_work") . " where id = $id";
    if ($db->query($sql)) {
        exit("OK"); // WapShowMsg("work experience deleted successfully", 1);
    } else {
        exit("err"); // WapShowMsg("failed to delete work experience", 0);
    }
}



Issue 2:

// Delete educational experience
elseif ($act == "resume_education_del") {
    $smarty->cache = false;
    $id = intval($_GET['education_id']); // beyond authorization
    $sql = "delete from " . table("resume_education") . " where id = $id";
    if ($db->query($sql)) {
        exit("OK"); // WapShowMsg("educational experience deleted successfully", 1);
    } else {
        exit("err"); // WapShowMsg("failed to delete educational experience", 0);
    }
}
 


Issue 3:

elseif ($act == "resume_train_del") {
    $smarty->cache = false; // unauthorized
    $id = intval($_GET['train_id']);
    $sql = "delete from " . table("resume_training") . " where id = $id";
    if ($db->query($sql)) {
        exit("OK"); // WapShowMsg("training deleted successfully", 1);
    } else {
        exit("err"); // WapShowMsg("failed to delete training experience", 0);
    }
}


Issue 4:

elseif ($act == "resume_evaluation_save") {
    $_POST = array_map("utf8_to_gbk", $_POST);
    $smarty->cache = false;
    $id = $_POST['pid']; // beyond authorization
    $specialty = $_POST['specialty'] ? $_POST['specialty'] : exit("enter self-evaluation");
    $sql = "update " . table("resume") . " set specialty = '$specialty' where id = $id";
    if ($db->query($sql)) {
        exit("OK");
    } else {
        exit("err");
    }
}

Here $specialty (and $id) come straight from $_POST and are concatenated into the query, so besides the missing ownership check this is a straightforward SQL injection:

$sql = "update " . table("resume") . " set specialty = '$specialty' where id = $id";





Issue 5:

// Delete the blocked enterprise
elseif ($act == "shield_company_del") {
    $smarty->cache = false;
    $id = $_GET["id"]; // beyond authorization
    $sql = "delete from " . table("personal_shield_company") . " where id = $id";
    $db->query($sql) ? exit("OK") : exit("err");
}
 

Issue 6:

// Upgrade the resume
elseif ($act == "resume_talent") {
    $smarty->cache = false;
    $id = $_GET["pid"];
    $setsqlarr["talent"] = 3; // unauthorized
    updatetable(table("resume"), $setsqlarr, array("id" => $id)) ? exit("OK") : exit("err");
}

Issue 7:

elseif ($act == 'resume_name_save') {
    $smarty->cache = false;
    $_POST = array_map("utf8_to_gbk", $_POST);
    $title = trim($_POST['title']) ? trim($_POST['title']) : exit("Enter your resume name");
    // beyond authorization + SQL
    $sql = "update " . table("resume") . " set title = '$title' where id = $_POST[resume_id]";
    if ($db->query($sql)) {
        exit("OK");
    } else {
        exit("err");
    }
}



Again a simple SQL injection: $title and $_POST[resume_id] are interpolated into the statement unescaped, and resume_id is never checked against the current user:

$sql = "update " . table("resume") . " set title = '$title' where id = $_POST[resume_id]";

 

Solution:
Filter the input (the SQL injection) and check the record's uid against the logged-in user before updating or deleting it (the unauthorized access).
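As an added example (not the project's own code), the resume_evaluation_save branch from issue 4 rewritten with both fixes: the record id is forced to an integer, the WHERE clause binds the owner's uid, and all values go through a prepared statement. It assumes a PDO connection $pdo, the logged-in user's id in $_SESSION['uid'], and a uid column on the resume table, none of which appear on the page; the table() helper is stubbed here.

```php
<?php
// Added example, not part of the talent system. Assumptions (not from the page):
// $pdo is a PDO connection, $_SESSION['uid'] holds the logged-in user's id,
// and the resume table has a uid column naming the owner of each row.

// Stand-in for the system's own table() prefix helper.
function table(string $name): string
{
    return $name;
}

function resume_evaluation_save(PDO $pdo, int $uid, array $post): string
{
    // Force the record id to an integer; reject the request if it is missing.
    $id = isset($post['pid']) ? (int) $post['pid'] : 0;
    $specialty = isset($post['specialty']) ? trim((string) $post['specialty']) : '';
    if ($id <= 0 || $specialty === '') {
        return 'err';
    }

    // Ownership check: the row must match both the requested id AND the caller's uid,
    // so a record belonging to another user is simply not matched.
    // Bound parameters replace the string concatenation that caused the injection.
    $sql = 'UPDATE ' . table('resume')
         . ' SET specialty = :specialty WHERE id = :id AND uid = :uid';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':specialty' => $specialty,
        ':id'        => $id,
        ':uid'       => $uid,
    ]);

    // rowCount() is 0 when no row matched (wrong owner or no such record).
    // With MySQL an unchanged value also reports 0 affected rows unless the
    // connection was opened with PDO::MYSQL_ATTR_FOUND_ROWS => true.
    return $stmt->rowCount() === 1 ? 'OK' : 'err';
}

// Usage inside the dispatcher (same response strings as the original branch):
// elseif ($act == "resume_evaluation_save") {
//     exit(resume_evaluation_save($pdo, (int) $_SESSION['uid'], $_POST));
// }
```

The same pattern (integer-cast id, uid bound into the WHERE clause, prepared statement) applies unchanged to the six delete and update branches above.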
