Server guard talent system: 7 unauthorized-access issues + 2 SQL injections
wap_user.php:
All of the unauthorized-access issues share one root cause: the queries never involve the uid, so any logged-in user can delete or modify any record in the affected tables simply by supplying someone else's id.
Issue 1:
elseif ($act == "resume_work_del") { // unauthorized
    $smarty->cache = false;
    $id = intval($_GET['work_id']);
    $sql = "delete from " . table("resume_work") . " where id = $id";
    if ($db->query($sql)) {
        exit("OK"); // WapShowMsg("work experience deleted successfully", 1);
    } else {
        exit("err"); // WapShowMsg("failed to delete work experience", 0);
    }
}
Issue 2:
// Delete educational experience
elseif ($act == "resume_education_del") {
    $smarty->cache = false;
    $id = intval($_GET['education_id']); // beyond authorization
    $sql = "delete from " . table("resume_education") . " where id = $id";
    if ($db->query($sql)) {
        exit("OK"); // WapShowMsg("educational experience deleted successfully", 1);
    } else {
        exit("err"); // WapShowMsg("failed to delete educational experience", 0);
    }
}
Issue 3:
elseif ($act == "resume_train_del") {
    $smarty->cache = false; // unauthorized
    $id = intval($_GET['train_id']);
    $sql = "delete from " . table("resume_training") . " where id = $id";
    if ($db->query($sql)) {
        exit("OK"); // WapShowMsg("training deleted successfully", 1);
    } else {
        exit("err"); // WapShowMsg("failed to delete training experience", 0);
    }
}
Issue 4:
elseif ($act == "resume_evaluation_save") {
    $_POST = array_map("utf8_to_gbk", $_POST);
    $smarty->cache = false;
    $id = $_POST['pid']; // beyond authorization
    $specialty = $_POST['specialty'] ? $_POST['specialty'] : exit("enter self-evaluation");
    $sql = "update " . table("resume") . " set specialty = '$specialty' where id = $id";
    if ($db->query($sql)) {
        exit("OK");
    } else {
        exit("err");
    }
}
The generated statement is a simple SQL injection, since pid is never cast to an integer before being placed in the where clause:
$sql = "update " . table("resume") . " set specialty = '$specialty' where id = $id";
Issue 5:
// Delete the blocked enterprise
elseif ($act == "shield_company_del") {
    $smarty->cache = false;
    $id = $_GET["id"]; // beyond authorization
    $sql = "delete from " . table("personal_shield_company") . " where id = $id";
    $db->query($sql) ? exit("OK") : exit("err");
}
Issue 6:
// Upgrade your resume
elseif ($act == "resume_talent") {
    $smarty->cache = false;
    $id = $_GET["pid"];
    $setsqlarr["talent"] = 3; // unauthorized
    updatetable(table("resume"), $setsqlarr, array("id" => $id)) ? exit("OK") : exit("err");
}
Issue 7:
elseif ($act == 'resume_name_save') {
    $smarty->cache = false;
    $_POST = array_map("utf8_to_gbk", $_POST);
    $title = trim($_POST['title']) ? trim($_POST['title']) : exit("Enter your resume name");
    // beyond authorization + SQL
    $sql = "update " . table("resume") . " set title = '$title' where id = $_POST[resume_id]";
    if ($db->query($sql)) {
        exit("OK");
    } else {
        exit("err");
    }
}
Simple SQL injection, since resume_id is concatenated straight into the statement:
$sql = "update " . table("resume") . " set title = '$title' where id = $_POST[resume_id]";
Solution:
Filter the parameters: cast every id to an integer, and, because the root cause is that uid is never checked, verify that the record belongs to the current user before deleting or updating it.
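As an added example (not code from the original report or from the talent system itself), the delete and rename handlers above rewritten so that both root causes are closed: every id is cast to an integer and scoped to the logged-in user's uid, and the title is bound as a parameter instead of being interpolated. It assumes a PDO connection `$pdo` opened with `PDO::MYSQL_ATTR_FOUND_ROWS`, a started session with the current user's id in `$_SESSION['uid']`, a `uid` column on the resume tables, and no table prefix (the original applies one through `table()`); `$act` is the action switch from the page.

```php
<?php
// Added example, not the project's code. Assumptions: the session is started and
// $_SESSION['uid'] holds the logged-in user's id, the resume tables have a uid
// column, there is no table prefix, and $pdo was opened with
// PDO::MYSQL_ATTR_FOUND_ROWS => true so rowCount() reports matched rows on UPDATE.

// Refuse anonymous requests; every handler below is scoped to this uid.
function require_login(): int {
    if (empty($_SESSION['uid'])) {
        exit("err"); // same terse reply style as the original handlers
    }
    return (int) $_SESSION['uid'];
}

// Delete one row by id, but only if it belongs to $uid. The table name is
// checked against an allow-list because identifiers cannot be bound.
function delete_own_row(PDO $pdo, string $table, int $id, int $uid): bool {
    $allowed = ['resume_work', 'resume_education', 'resume_training',
                'personal_shield_company'];
    if (!in_array($table, $allowed, true)) {
        return false;
    }
    $stmt = $pdo->prepare("DELETE FROM `$table` WHERE id = :id AND uid = :uid");
    $stmt->execute([':id' => $id, ':uid' => $uid]);
    return $stmt->rowCount() === 1; // 0 means not found or not the caller's row
}

// Issue 7 hardened: title and resume_id are bound, never interpolated, and the
// WHERE clause again requires ownership.
function save_own_resume_title(PDO $pdo, int $resume_id, string $title, int $uid): bool {
    $title = trim($title);
    if ($title === '') {
        return false; // the original answered "Enter your resume name" here
    }
    $stmt = $pdo->prepare("UPDATE resume SET title = :title WHERE id = :id AND uid = :uid");
    $stmt->execute([':title' => $title, ':id' => $resume_id, ':uid' => $uid]);
    return $stmt->rowCount() === 1;
}

// Dispatch in the style of wap_user.php ($act is the page's action switch).
$uid = require_login();
if ($act === 'resume_work_del') {
    $ok = delete_own_row($pdo, 'resume_work', (int) ($_GET['work_id'] ?? 0), $uid);
    exit($ok ? "OK" : "err");
} elseif ($act === 'resume_name_save') {
    $ok = save_own_resume_title($pdo, (int) ($_POST['resume_id'] ?? 0),
                                (string) ($_POST['title'] ?? ''), $uid);
    exit($ok ? "OK" : "err");
}
```

The same `delete_own_row()` call serves Issues 2, 3 and 5 by passing `resume_education`, `resume_training` or `personal_shield_company`, and a forged id from another account now returns "err" because no row matches both id and uid.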