CVE-2017-9603分析
一、CVE-2017-9603
WordPress Plugin WP Jobs < 1.5 - SQL Injection
二、漏洞分析
问题出现在wp-jobswpjobs_applications,php,第10行到第62行:
<?php
$job_id = $_REQUEST['jobid']; //获取jobid
$jb_args = array(
'posts_per_page' => -1,
'orderby' => 'post_date',
'order' => 'DESC',
'post_type' => 'job',
'post_status' => 'publish',
'suppress_filters' => true);
$jobs = get_posts($jb_args);
?>
<form autocomplete="off" name="form" id="form">
<?php _e('Filter by Job', 'wp-jobs'); ?> <select name="jumpMenu" id="jumpMenu" onchange="MM_jumpMenu('parent', this, 0)">
<option value="edit.php?post_type=job&page=WPJobsJobApps">All Applications</option>
<?php foreach ($jobs as $job_info) : setup_postdata($jobs); ?>
<option <?php
if ($job_info->ID == $job_id) {
echo 'selected="selected"';
}
?> value="edit.php?post_type=job&page=WPJobsJobApps&jobid=<?php echo $job_info->ID; ?>"><?php echo $job_info->post_title; ?></option>
<?php
endforeach;
wp_reset_postdata();
?>
</select>
</form>
<style>
.dctrprt tr th, .dctrprt tr td {
font-family:Arial, Helvetica, sans-serif;
font-size:13px;
}
</style>
<table class="widefat dctrprt">
<tr>
<th><strong><?php _e('S.No', 'wp-jobs'); ?></strong></th>
<th><strong><?php _e('Job Title', 'wp-jobs'); ?></strong></th>
<th><strong><?php _e('Full Name', 'wp-jobs'); ?></strong></th>
<th><strong><?php _e('Email', 'wp-jobs'); ?></strong></th>
<th><strong><?php _e('Phone Number', 'wp-jobs'); ?></strong></th>
<th><strong><?php _e('Download Resume', 'wp-jobs'); ?></strong></th>
</tr>
<?php
$tbl = $wpdb->prefix;
$qry = "Select * from " . $tbl . "app_user_info ";
if ($job_id <> "") {
$qry .= " where app_job_id = " . $job_id; //直接带入SQL语句查询
}
$qry .= " Order by `app_id` Desc ";
$users = $wpdb->get_results($qry);
$i = 1;
foreach ($users as $user) {
?>