CVE-2017-9603分析

作者: 浏览次数: 1065 时间: 2017-12-03 评论: 暂无评论

CVE-2017-9603分析

一、CVE-2017-9603

WordPress Plugin WP Jobs < 1.5 - SQL Injection

二、漏洞分析

问题出现在wp-jobswpjobs_applications,php,第10行到第62行:

<?php
$job_id = $_REQUEST['jobid']; //获取jobid
$jb_args = array(
    'posts_per_page' => -1,
    'orderby' => 'post_date',
    'order' => 'DESC',
    'post_type' => 'job',
    'post_status' => 'publish',
    'suppress_filters' => true);

$jobs = get_posts($jb_args);
?>
<form autocomplete="off" name="form" id="form">
    <?php _e('Filter by Job', 'wp-jobs'); ?> <select name="jumpMenu" id="jumpMenu" onchange="MM_jumpMenu('parent', this, 0)">
        <option value="edit.php?post_type=job&page=WPJobsJobApps">All Applications</option>
        <?php foreach ($jobs as $job_info) : setup_postdata($jobs); ?>
            <option <?php
            if ($job_info->ID == $job_id) {
                echo 'selected="selected"';
            }
            ?> value="edit.php?post_type=job&page=WPJobsJobApps&jobid=<?php echo $job_info->ID; ?>"><?php echo $job_info->post_title; ?></option>
         <?php
            endforeach;
            wp_reset_postdata();
            ?>
    </select>
</form>
<style>
    .dctrprt tr th, .dctrprt tr td {
        font-family:Arial, Helvetica, sans-serif;
        font-size:13px;
    }
</style>
<table class="widefat dctrprt">
    <tr>
        <th><strong><?php _e('S.No', 'wp-jobs'); ?></strong></th>
        <th><strong><?php _e('Job Title', 'wp-jobs'); ?></strong></th>
        <th><strong><?php _e('Full Name', 'wp-jobs'); ?></strong></th>
        <th><strong><?php _e('Email', 'wp-jobs'); ?></strong></th>
        <th><strong><?php _e('Phone Number', 'wp-jobs'); ?></strong></th>
        <th><strong><?php _e('Download Resume', 'wp-jobs'); ?></strong></th>
    </tr>
    <?php
    $tbl = $wpdb->prefix;
    $qry = "Select * from " . $tbl . "app_user_info ";
    if ($job_id <> "") {
        $qry .= " where app_job_id = " . $job_id; //直接带入SQL语句查询
    }
    $qry .= " Order by `app_id` Desc ";
    $users = $wpdb->get_results($qry);
    $i = 1;
    foreach ($users as $user) {
?>

阅读全文»