2014-10-13: 积极联系厂商并且等待厂商认领中,细节不对外公开 2015-01-11: 厂商已经主动忽略漏洞,细节向公众公开
Yuncart#多处存储型xss 皆可打后台cookie 官方demo测试
第一处xss/include/front/member.class.php
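/**
 * Member "my address" page.
 *
 * On POST: creates a new shipping address for the current user, or updates an
 * existing one identified by $_POST["addressid"]; the outcome is reported to the
 * template through setHint(). On GET: loads the address list for the current user
 * and, for ?op=edit&addressid=N, the address being edited, then renders "myaddress".
 *
 * Reads $_POST / $_GET directly and talks to the database through DB::getDB().
 * Returns nothing.
 */
public function address() {
    if(ispostreq()) {
        $addressid = isset($_POST["addressid"]) ? intval($_POST["addressid"]) : 0;
        // Editing an existing address: the row must belong to the current user.
        // Fail closed here. The original only set the hint and then fell through
        // to the UPDATE below, so the privilege check had no effect on the write.
        if($addressid && !DB::getDB()->selectexist("user_address","addressid","addressid='$addressid' AND uid='".$this->uid."'") ) {
            $this->setHint("user_no_priv","error");
            return;
        }
        // Form fields, in the column order the original used. Missing fields become ''
        // instead of raising an undefined-index notice.
        $fields = array("receiver","province","city","district","zipcode","link","address");
        $data = array();
        foreach($fields as $field) {
            $data[$field] = isset($_POST[$field]) ? trim($_POST[$field]) : '';
        }
        $data["uid"] = $this->uid;
        // These values are stored exactly as submitted; the DB layer's escapeval()
        // only quotes them for SQL. Wherever they are rendered later (address list,
        // order pages) they must be HTML-escaped at output (htmlspecialchars) —
        // storing and echoing them raw is the stored XSS reported for this page.
        if($addressid) {
            // Update: the uid predicate is repeated here so the write itself is scoped
            // to the current user, independent of the check above.
            $text = 'edit';
            DB::getDB()->update("user_address",$data,"addressid='$addressid' AND uid='".$this->uid."'");
        } else {
            $text = 'add';
            DB::getDB()->insert("user_address",$data);
        }
        $this->setHint("address_{$text}_success","success");
    } else {
        $this->getHint();
        if(isset($_GET["op"]) && $_GET['op'] === 'edit') {
            $addressid = isset($_GET["addressid"]) ? intval($_GET["addressid"]) : 0;
            $row = DB::getDB()->selectrow("user_address","*","addressid='$addressid' AND uid='".$this->uid."'");
            $this->data["address"] = $row;
            if(!$row) {
                $this->setHint("address_not_exist","error");
            }
            // getDistrictopt() is still called when the row is missing (with nulls),
            // as the original did; the explicit check just avoids indexing `false`.
            $this->getDistrictopt(
                $row ? $row['province'] : null,
                $row ? $row['city'] : null,
                $row ? $row['district'] : null
            );
            $this->data['opertype'] = "edit";
        } else {
            $this->data['opertype'] = "add";
        }
        // Address list for the current user.
        $this->data['addresslist'] = DB::getDB()->select("user_address","*","uid='".$this->uid."'");
        $this->output("myaddress");
    }
}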
跟踪update
/**
 * Builds and runs an UPDATE statement.
 *
 * @param string       $tableName  logical table name, resolved via getTableName()
 * @param array|string $data       column => value pairs (quoted via escapekey()/escapeval()),
 *                                 or a raw SET clause used verbatim
 * @param mixed        $where      passed to buildWhere() to produce the WHERE clause
 * @param bool         $only       when true, appends " LIMIT 1"
 * @return bool  true when query() left $this->errno unset, false otherwise
 */
public function update($tableName, $data, $where, $only = false) {
    // SET clause: an array becomes escaped "key=value" pairs, a string is taken as-is.
    if (is_array($data)) {
        $assignments = array();
        foreach ($data as $column => $value) {
            $assignments[] = $this->escapekey($column) . "=" . $this->escapeval($value);
        }
        $setClause = implode(",", $assignments);
    } else {
        $setClause = $data;
    }
    $head = "UPDATE " . $this->getTableName($tableName) . " SET " . $setClause;
    $limit = $only ? " LIMIT 1" : "";
    // Any trailing comma (e.g. from a raw string) is dropped before the WHERE clause.
    $sql = rtrim($head, ",") . " " . $this->buildWhere($where) . $limit;
    $this->query($sql);
    return !$this->errno;
}
进query看看
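/**
 * Prepares and executes one SQL statement on the PDO connection ($this->conn).
 *
 * MySQL-style `identifier` quoting is rewritten to ANSI "identifier" quoting
 * before the statement is prepared (original comment: replace MySQL backticks
 * with double quotes). On failure the SQLSTATE and driver message are stored in
 * $this->errno / $this->error and reported through cerror(). Nothing is
 * returned; callers such as update() inspect $this->errno afterwards.
 *
 * @param string $sql  statement text, already quoted/escaped by the caller
 */
public function query($sql) {
    // NOTE(review): the regex is applied to the whole statement, string literals
    // included, so a backtick inside a quoted value is rewritten as well.
    $sql = preg_replace("/`(.+?)`/", "\"\\1\"", $sql);
    $this->lastSql = $sql;
    // errno/error describe this statement only. Without the reset a stale value from
    // an earlier failed query would make update()'s `$this->errno ? false : true` wrong.
    $this->errno = 0;
    $this->error = '';
    // Counted on every attempt, including failed ones, as before.
    $this->querynum++;

    $this->statement = $this->conn->prepare($sql);
    if (false === $this->statement) {
        // The original left this branch empty and then called execute() on `false`
        // (fatal error). Record the connection-level error and stop instead.
        $this->recordSqlError($this->conn->errorInfo(), $this->conn->errorCode());
        return;
    }
    if (false === $this->statement->execute()) {
        $this->recordSqlError($this->statement->errorInfo(), $this->statement->errorCode());
    }
}

/**
 * Stores a PDO error on this object and reports it via cerror().
 *
 * @param array  $errorInfo  result of PDO::errorInfo() / PDOStatement::errorInfo()
 * @param string $errorCode  result of PDO::errorCode() / PDOStatement::errorCode()
 */
private function recordSqlError($errorInfo, $errorCode) {
    // errorInfo()[2] is the driver message; it may be absent.
    $this->error = isset($errorInfo[2]) ? $errorInfo[2] : '';
    $this->errno = $errorCode;
    if ($this->errno) {
        cerror("sqlsrv error:" . $this->errno . " " . $this->error);
    }
}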
可以看到 query 只过滤了注入字符，未对 XSS 的关键字符进行过滤，因此存在 XSS。首先注册一个帐户，进入用户中心修改收货地址。
保存，然后去商场选一件商品，提交订单时选择使用刚才的地址，本地弹窗。
提交订单 我们去后台看看
第二处 XSS：选择一件商品购买，在订单备注处插入代码，提交。
我们进后台看看 查看订单详情
对xss关键字符进行过滤
未能联系到厂商或者厂商积极拒绝