74cms (20141027): multiple second-order SQL injections
1.
user/company/company_ajax.php:

    elseif ($act == "promotion_add_save") {
        // ***********************
        report_deal($uid, 2, $points);
        $user_points = get_user_points($uid);
        write_memberslog($uid, 1, 9001, $_SESSION['username'], "{$pro_cat['cat_name']}: <strong>{$jobs['jobs_name']}</strong>, promotion for {$days} days, (-{$points}), (remaining: {$user_points})", 1, 1018, "{$pro_cat['cat_name']}", "-{$points}", "{$user_points}");
    } elseif ($_CFG['operation_mode'] == '2') {
        $user_pname = trim($_POST['pro_name']);
        action_user_setmeal($uid, $user_pname); // update the number of corresponding promotion methods in the package
        $setmeal = get_user_setmeal($uid);      // obtain the membership package
        write_memberslog($uid, $_SESSION['username'], "{$pro_cat['cat_name']}: <strong>{$jobs['jobs_name']}</strong>, promotion for {$days} days, number of remaining {$pro_cat['cat_name']} items in the package: {$setmeal[$user_pname]}", 2, 1018, "{$pro_cat['cat_name']}", "-{$days}", "{$setmeal[$user_pname]}"); // 9002 is a package operation
    }
    write_memberslog($uid, $_SESSION['username'], "{$pro_cat['cat_name']}: <strong>{$jobs['jobs_name']}</strong>, promotion for {$days} days.");
    // *******************
    }
Every branch ends by calling write_memberslog().
The input to watch is the variable $jobs['jobs_name'], which the code above obtains from:
    $jobs = get_jobs_one($jobid, $uid);
So let's continue with get_jobs_one().
    function get_jobs_one($id, $uid = '') {
        global $db, $timestamp;
        $id = intval($id);
        if (!empty($uid)) $wheresql = "AND uid = " . intval($uid);
        $tb1 = $db->getone("select * from " . table('jobs') . " where id = '{$id}' {$wheresql} LIMIT 1");
        $tb2 = $db->getone("select * from " . table('jobs_tmp') . " where id = '{$id}' {$wheresql} LIMIT 1");
        $val = !empty($tb1) ? $tb1 : $tb2;
        if (empty($val)) return false;
        $val['contact'] = $db->getone("select * from " . table('jobs_contact') . " where pid = '{$val['id']}' LIMIT 1");
        $val['deadline_days'] = ($val['deadline'] - $timestamp) > 0 ? "<strong style=\"color:#FF0000\">" . sub_day($val['deadline'], $timestamp) . "</strong>" : "<span style=\"color:#FF6600\">expired</span>";
        return $val;
    }
The row is returned straight from the database and used without any further processing.
So we can create a new position whose name is
    1', '1', '1', user(), '1', '9')#
and then perform any of the paid promotion operations on it (top, colour change, urgent, recommended); each one writes a log record for the position.
The result then shows up in the credit consumption details.
In short, get_jobs_one() hands back the stored value without re-escaping it.
To find further sinks, search for the callers of this function and check where its return values are written back into the database.
2.
Next, look at the job application feature.
The same unfiltered pattern applies to three fields: the resume name, the job name, and the company name.
Checking the source code shows how these three values are obtained and where they end up:
    $jobsarr = app_get_jobs($jobsid);
    foreach ($jobsarr as $jobs) {
        $addarr['company_name'] = $jobs['companyname'];
        $addarr['jobs_name'] = $jobs['jobs_name'];
    }
The resume information comes from:
    $resume_basic = get_resume_basic($_SESSION['uid'], $resumeid);
3.
Where an interview invitation is sent there is another second-order injection.
Create an invitation after changing the company name to:
    M', 1, 3, 'zz', 1, user(), 1, 1)#
For more information, see
4.
Testing shows that adding a position to favourites is open to the same second-order injection;
here the injected field is the enterprise name, set to the M' value above.
5.
A problematic function:
    function get_company($uid) {
        global $db;
        $sql = "select * from " . table('company_profile') . " where uid=" . intval($uid) . " LIMIT 1 ";
        $result = $db->getone($sql);
        return $result;
    }
The company record is returned as-is, with no check on its contents. It is then used by the function that writes the download record:
    function add_down_resume($resume_id, $company_uid, $resume_uid, $resume_name) {
        global $db, $timestamp;
        $resume_id   = intval($resume_id);
        $company_uid = intval($company_uid);
        $resume_uid  = intval($resume_uid);
        $resume_name = trim($resume_name);
        $company = get_company($company_uid);
        $sql = "INSERT INTO " . table('company_down_resume') . " (resume_id,resume_uid,resume_name,company_uid,company_name,down_addtime) VALUES ('{$resume_id}','{$resume_uid}','{$resume_name}','{$company_uid}','{$company['companyname']}','{$timestamp}')";
        return $db->query($sql);
    }
Then download a resume and check the download record.
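As an added example (not 74cms code), here is a hardened counterpart to the add_down_resume()/get_company() pair quoted above, which also shows the fix needed for the write_memberslog() path in section 1: a value read back from the database (company name, job name) is treated as untrusted data and bound as a prepared-statement parameter, so a stored payload cannot change the INSERT. It assumes a mysqli connection $conn, the table() helper and column layout shown on the page, and a placeholder table prefix; the legacy $db wrapper is replaced by mysqli only for the purposes of the example.

```php
<?php
// Added example, not part of the original 74cms code.
// Assumption: table() maps a logical name to the physical table name, as in 74cms;
// the prefix below is a placeholder.
if (!function_exists('table')) {
    function table(string $name): string
    {
        return 'prefix_' . $name;
    }
}

// Same lookup as get_company(), but through a prepared statement.
function get_company_safe(mysqli $conn, int $uid): ?array
{
    $sql  = "SELECT * FROM " . table('company_profile') . " WHERE uid = ? LIMIT 1";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('i', $uid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Hardened add_down_resume(): every value, including the one re-read from the
// database, is bound rather than spliced into the SQL string.
function add_down_resume_safe(mysqli $conn, $resume_id, $company_uid, $resume_uid, $resume_name): bool
{
    $resume_id   = intval($resume_id);
    $company_uid = intval($company_uid);
    $resume_uid  = intval($resume_uid);
    $resume_name = trim((string) $resume_name);

    $company = get_company_safe($conn, $company_uid);
    if ($company === null) {
        return false;   // unknown company: do not write a record at all
    }

    // The stored company name was chosen by the company account; it may contain
    // quotes or SQL fragments. Binding it keeps it a plain string value.
    $company_name = (string) $company['companyname'];
    $timestamp    = time();

    $sql = "INSERT INTO " . table('company_down_resume')
         . " (resume_id, resume_uid, resume_name, company_uid, company_name, down_addtime)"
         . " VALUES (?, ?, ?, ?, ?, ?)";
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('iisisi', $resume_id, $resume_uid, $resume_name, $company_uid, $company_name, $timestamp);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Where the legacy $db wrapper with string-built SQL has to stay (write_memberslog()
// in section 1 builds its log content from $jobs['jobs_name']), escape the re-read
// value at the point where it is spliced into SQL, not only when it was first submitted.
function escape_for_sql(mysqli $conn, $value): string
{
    return $conn->real_escape_string((string) $value);
}

// Usage sketch (assumed connection parameters):
// $conn = new mysqli('localhost', 'user', 'pass', 'db');
// add_down_resume_safe($conn, $resume_id, $company_uid, $resume_uid, $resume_name);
```

The design point is that intval() on the numeric ids, as the original already does, is sound; the weak link in every case on this page is a string column that was filtered on the way in and then trusted on the way out. Parameter binding (or, failing that, escaping at the SQL-building site) removes the dependency on what the earlier input filter did.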
Solution:
Filter these values before they are used in SQL statements.