2014-07-27: 细节已通知厂商并且等待厂商处理中 2014-07-30: 厂商已经确认,细节仅向厂商公开 2014-08-02: 细节向第三方安全合作伙伴开放 2014-09-23: 细节向核心白帽子及相关领域专家公开 2014-10-03: 细节向普通白帽子公开 2014-10-13: 细节向实习白帽子公开 2014-10-25: 细节向公众公开
如题(rt)。
先看用户注册处的处理代码:
if(isset($_POST['register'])){ $is_company = false; $if_need_check = false; $register_type = trim($_POST['register']); $register_typename = trim($_POST['typename']); pb_submit_check('data'); $default_membergroupid_res = $pdb->GetRow("SELECT * FROM {$tb_prefix}membertypes WHERE name='".$register_typename."'"); $default_membergroupid = $default_membergroupid_res['default_membergroup_id']; if(empty($default_membergroupid)) $default_membergroupid = $membergroup->field("id","is_default=1"); if ($default_membergroupid_res['id']>1) { $is_company = true; } $member->setParams(); $memberfield->setParams(); $member->params['data']['member']['membergroup_id'] = $default_membergroupid; $time_limits = $pdb->GetOne("SELECT default_live_time FROM {$tb_prefix}membergroups WHERE id={$default_membergroupid}"); $member->params['data']['member']['service_start_date'] = $time_stamp; $member->params['data']['member']['service_end_date'] = $membergroup->getServiceEndtime($time_limits); $member->params['data']['member']['membertype_id'] = ($is_company)?2:1; if($member_reg_auth=="1" || $member_reg_auth!=0 || !empty($G['setting']['new_userauth'])){ $member->params['data']['member']['status'] = 0; $if_need_check = true; }else{ $member->params['data']['member']['status'] = 1; } $updated = false; $updated = $member->Add();
跟进 $member->Add():
function Add() { global $_PB_CACHE, $memberfield, $phpb2b_auth_key, $if_need_check; $error_msg = array(); if (empty($this->params['data']['member']['username']) or empty($this->params['data']['member']['userpass']) or empty($this->params['data']['member']['email'])) return false; $space_name = $this->params['data']['member']['username']; $userpass = $this->params['data']['member']['userpass']; $this->params['data']['member']['userpass'] = $this->authPasswd($this->params['data']['member']['userpass']); if(empty($this->params['data']['member']['space_name'])) $this->params['data']['member']['space_name'] = PbController::toAlphabets($space_name);//Todo: $uip = pb_ip2long(pb_getenv('REMOTE_ADDR')); if(empty($uip)){ pheader("location:".URL."redirect.php?message=".urlencode(L('sys_error'))); } $this->params['data']['member']['last_login'] = $this->params['data']['member']['created'] = $this->params['data']['member']['modified'] = $this->timestamp; $this->params['data']['member']['last_ip'] = pb_get_client_ip('str'); $email_exists = $this->checkUserExistsByEmail($this->params['data']['member']['email']); if ($email_exists) { flash("email_exists", null, 0); } $if_exists = $this->checkUserExist($this->params['data']['member']['username']); if ($if_exists) { flash('member_has_exists', null, 0); }else{ $this->save($this->params['data']['member']);
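save() 函数对我们提交的 POST 数据(data[member] 数组)逐项 foreach 处理。从后面的测试结果看,注册流程没有限制允许写入的成员字段,请求中额外附带的字段也会被一并保存,属于典型的批量赋值(mass assignment)问题。注:下面引用的 save() 带三个参数,且只处理 title/keyword/description,与 Add() 中单参数的 $this->save(...) 调用不一致,可能并非实际被调用的那个 save(),需对照源码确认。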
function save($obj_name, $obj_id, $data) { if (empty($data)) { return false; } foreach ($data as $key=>$val) { if (in_array($key, array('title', 'keyword', 'description'))) { $this->add($obj_id, $obj_name, $key, $val); }
在官网测试:注册用户时抓包,在请求中添加如下参数:
data%5Bmember%5D%5Bbalance_amount%5D=9999.99
成功充值:注册完成后,账户余额即为请求中提交的数值。
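你们更加专业。(补充建议:注册接口应只接受白名单字段,如用户名、密码、邮箱;余额、会员组、状态等字段一律由服务端赋值。另外,从所贴代码看 typename 只做了 trim() 就拼进 SQL,若没有全局转义,应改用参数化查询。)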
危害等级:高
漏洞Rank:10
确认时间:2014-07-30 19:45
确认
2014-07-30:新版已修正该问题 https://github.com/ulinke/phpb2b/archive/master.zip