74cms (20140709) Secondary Injection

Source: Internet
Author: User


The vendor patched this by changing the filter function instead of the code that causes the vulnerability.
I could not bypass the current filter function, but several places where escaped data is written to the database and later read back out can still be found.
The previous report was not accepted, so this time two cases are included.

P.S.
You should not only modify the filter function; the vulnerable code itself should be fixed properly as well.

First case. For this one I will not go through the code.

First register an enterprise member, then create an enterprise.

The single quote in the enterprise name is escaped on the way in and stored in the database (where the escaping backslash is dropped).

Find the place where the stored value is read back out.



After creating the enterprise, publish a job listing as follows.

Click Publish and look at the error message: the enterprise name entered earlier has been read back from the database and brought into the query.

With a slightly adjusted input the data can still be output. Not much more to say about this case; the second one is the interesting part.



_____________________________________________________________________________





Second case

Unlike the previous one, this case uses a registered individual member.

Then publish a resume.

Look at the code

In user/personal/personal_resume.php:


 

elseif($act=='make4_save')
{
    $resume_education=get_resume_education($_SESSION['uid'],$_REQUEST['pid']);
    if (count($resume_education)>=6) showmsg('Educational experience cannot exceed 6!',1,$link);
    $setsqlarr['uid']=intval($_SESSION['uid']);
    $setsqlarr['pid']=intval($_REQUEST['pid']);
    if ($setsqlarr['uid']==0 || $setsqlarr['pid']==0) showmsg('Parameter error!',1);
    // POST values are only checked for being non-empty; they are already escaped by the global filter
    $setsqlarr['start']=trim($_POST['start'])?$_POST['start']:showmsg('Enter the start time!',1,$link);
    $setsqlarr['endtime']=trim($_POST['endtime'])?$_POST['endtime']:showmsg('Enter the end time!',1,$link);
    $setsqlarr['school']=trim($_POST['school'])?$_POST['school']:showmsg('Enter the school name!',1,$link);
    $setsqlarr['speciality']=trim($_POST['speciality'])?$_POST['speciality']:showmsg('Enter a specialty name!',1,$link);
    $setsqlarr['education']=trim($_POST['education'])?$_POST['education']:showmsg('Select a degree!',1,$link);
    $setsqlarr['education_cn']=trim($_POST['education_cn'])?$_POST['education_cn']:showmsg('Select a degree!',1,$link);
    if (inserttable(table('resume_education'),$setsqlarr))
    {
        // the stored row is read back inside check_resume()
        check_resume($_SESSION['uid'],intval($_REQUEST['pid']));
        // ... (rest of the branch not shown on the page)
    }
}





inserttable(table('resume_education'),$setsqlarr)

Here the POST data is written into the database through inserttable().

If we submit a single quote here it is inserted, although in escaped form.

However, the escape character is removed once the data is stored in the database.

Then execution proceeds to check_resume():


 

function check_resume($uid,$pid)
{
    global $db,$timestamp,$_CFG;
    $uid=intval($uid);
    $pid=intval($pid);
    $percent=0;
    $resume_basic=get_resume_basic($uid,$pid);
    $resume_intention=$resume_basic['intention_jobs'];
    $resume_specialty=$resume_basic['specialty'];
    $resume_education=get_resume_education($uid,$pid);   // rows read back from the DB, no longer escaped
    if (!empty($resume_basic)) $percent=$percent+15;
    if (!empty($resume_intention)) $percent=$percent+15;
    if (!empty($resume_specialty)) $percent=$percent+15;
    if (!empty($resume_education)) $percent=$percent+15;
    if ($resume_basic['photo_img'] && $resume_basic['photo_audit']=="1" && $resume_basic['photo_display']=="1")
    {
        $setsqlarr['photo']=1;
    }
    else
    {
        $setsqlarr['photo']=0;
    }
    if ($percent<60)
    {
        $setsqlarr['complete_percent']=$percent;
        $setsqlarr['complete']=2;
    }
    else
    {
        $resume_work=get_resume_work($uid,$pid);
        $resume_training=get_resume_training($uid,$pid);
        $resume_photo=$resume_basic['photo_img'];
        if (!empty($resume_work)) $percent=$percent+13;
        if (!empty($resume_training)) $percent=$percent+13;
        if (!empty($resume_photo)) $percent=$percent+14;
        $setsqlarr['complete']=1;
        $setsqlarr['complete_percent']=$percent;
        require_once(QISHI_ROOT_PATH.'include/splitword.class.php');
        $sp = new SPWord();
        $setsqlarr['key']=$resume_basic['intention_jobs'].$resume_basic['recentjobs'].$resume_basic['specialty'];
        $setsqlarr['key']="{$resume_basic['fullname']} ".$sp->extracttag($setsqlarr['key']);
        $setsqlarr['key']=str_replace(","," ",$resume_basic['intention_jobs'])." {$setsqlarr['key']} {$resume_basic['education_cn']}";
        $setsqlarr['key']=$sp->pad($setsqlarr['key']);
        if (!empty($resume_education))
        {
            foreach($resume_education as $li)
            {
                // school and speciality come straight from the stored row and are concatenated as-is
                $setsqlarr['key']="{$li['school']} {$setsqlarr['key']} {$li['speciality']}";
            }
        }
        $setsqlarr['refreshtime']=$timestamp;
    }
    // $setsqlarr (including the unescaped 'key') is passed to the UPDATE
    updatetable(table('resume'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'");
    updatetable(table('resume_tmp'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'");
}





$resume_education=get_resume_education($uid,$pid);

Here the record just written is read back from the database, so the single quote comes out unescaped. Continue.


 

        $setsqlarr['key']=$resume_basic['intention_jobs'].$resume_basic['recentjobs'].$resume_basic['specialty'];
        $setsqlarr['key']="{$resume_basic['fullname']} ".$sp->extracttag($setsqlarr['key']);
        $setsqlarr['key']=str_replace(","," ",$resume_basic['intention_jobs'])." {$setsqlarr['key']} {$resume_basic['education_cn']}";
        $setsqlarr['key']=$sp->pad($setsqlarr['key']);
        if (!empty($resume_education))
        {
            foreach($resume_education as $li)
            {
                $setsqlarr['key']="{$li['school']} {$setsqlarr['key']} {$li['speciality']}";
            }
        }
        $setsqlarr['refreshtime']=$timestamp;
    }
    updatetable(table('resume'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'");
    updatetable(table('resume_tmp'),$setsqlarr,"uid='{$uid}' AND id='{$pid}'");





Then the value read from the database is placed into the array and passed to updatetable().

This causes the injection: the SET part of the UPDATE is under our control.

So we can update what is in this table.


 




 





An error is reported.

Here the update is used to write the data to be output into the address field.


 




 





The data is successfully extracted through the key field.

Tested successfully on the demo site:

Http://demo.74cms.com/resume/resume-show-6271.htm


 

The code should be fixed rather than simply modifying the filter function.

For this kind of second-order injection, stripcslashes is only called once.

74cms performs global escaping. If the value is escaped once more, it will still contain an escape character even after being stored in the database, and naturally it will still be escaped when read back out.

Alternatively, perform addslashes() once on the data after it is read back from the database.
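To make the data flow described above concrete (escape on input in make4_save, read back and concatenate into the UPDATE in check_resume/updatetable, and the fix), here is an added Python model using SQLite; it is not 74cms code, the table and column names are assumptions, and the hardened path binds the value with a parameterized UPDATE instead of the addslashes-on-read fix suggested above, because SQLite does not treat a backslash as an escape.

```python
import sqlite3


def addslashes(s: str) -> str:
    """Model of PHP addslashes(), the escaping 74cms applies globally to request input."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the resume tables (names are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resume_education (uid INTEGER, pid INTEGER, school TEXT)")
    conn.execute("CREATE TABLE resume (uid INTEGER, id INTEGER, keyword TEXT)")
    conn.execute("INSERT INTO resume VALUES (1, 1, '')")
    return conn


def save_education(conn: sqlite3.Connection, uid: int, pid: int, school: str) -> str:
    """make4_save: the escaped literal goes into the INSERT; MySQL decodes \\' while parsing
    it, so the stored row holds the raw text again. Binding the raw value reproduces that."""
    escaped = addslashes(school)
    conn.execute("INSERT INTO resume_education VALUES (?, ?, ?)", (uid, pid, school))
    return escaped


def build_key(conn: sqlite3.Connection, uid: int, pid: int) -> str:
    """check_resume: read the education rows back (unescaped) and join them into 'key'."""
    rows = conn.execute(
        "SELECT school FROM resume_education WHERE uid=? AND pid=?", (uid, pid)).fetchall()
    return " ".join(r[0] for r in rows)


def check_resume_vulnerable(conn: sqlite3.Connection, uid: int, pid: int) -> str:
    """updatetable() as on the page: the re-read value is interpolated with no second escape."""
    key = build_key(conn, uid, pid)
    conn.execute(f"UPDATE resume SET keyword='{key}' WHERE uid='{uid}' AND id='{pid}'")
    return conn.execute("SELECT keyword FROM resume WHERE uid=? AND id=?", (uid, pid)).fetchone()[0]


def check_resume_fixed(conn: sqlite3.Connection, uid: int, pid: int) -> str:
    """Hardened form: bind the re-read value so a quote in a stored school name stays data."""
    key = build_key(conn, uid, pid)
    conn.execute("UPDATE resume SET keyword=? WHERE uid=? AND id=?", (key, uid, pid))
    return conn.execute("SELECT keyword FROM resume WHERE uid=? AND id=?", (uid, pid)).fetchone()[0]


def demo(school: str) -> tuple:
    """Store one school name, then run the vulnerable and the fixed update on it."""
    conn = setup_db()
    save_education(conn, 1, 1, school)
    try:
        vulnerable = check_resume_vulnerable(conn, 1, 1)
    except sqlite3.OperationalError as e:  # the SQL error the page observes on publish
        vulnerable = f"sql error: {e}"
    return vulnerable, check_resume_fixed(conn, 1, 1)
```

A plain name passes both paths unchanged, while a name containing a single quote breaks the concatenated UPDATE and is stored intact by the bound one.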
