乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-10-28: 细节已通知厂商并且等待厂商处理中 2014-11-02: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放 2014-12-27: 细节向核心白帽子及相关领域专家公开 2015-01-06: 细节向普通白帽子公开 2015-01-16: 细节向实习白帽子公开 2014-12-30: 细节向公众公开
B2Bbuilder 网站商城跨站脚本攻击两处一个是指谁打谁另一个是可打大量用户
下载的版本 B2Bbuilder B2B网站管理系统 v7.0 .1最新 正式版第一处admin_message_sed.php //用户发送私信处,用户信息未做过滤
if(isset($_POST['msgsend'])&&$_POST['sendid']!=','){ $msg->friend_msg_batch_send(); //跟踪friend_msg_batch_send函数}//------------------邮件详情if(!empty($_GET['id'])){ $de=$msg ->mail_det($_GET['id']);//跟踪mail_det函数 $tpl->assign("de",$de); $_GET['uid']=$de['fromuserid'];}//--------------------收件人if(!empty($_GET['uid'])){ $sql="select user from ".ALLUSER." where userid='$_GET[uid]'"; $db->query($sql); $tpl->assign("auser",$db->fetchField('user'));}//--------------------批量发邮件$info=$friend->get_batch_friend_info();$tpl->assign("re",$info);//--------------------联系人名单$friendlist=$friend->friends_lists();$tpl->assign("friendlist",$friendlist);//==================================$tpl->assign("config",$config);$tpl->assign("lang",$lang);$output=tplfetch("admin_message_sed.htm");跟踪两个函数plugin_msg_class.php中 function mail_det($id) { global $buid; $sql="select *,NULL as about from ".FEEDBACK." where id='$id'"; $this->db->query($sql); $re=$this->db->fetchRow(); if($re['iflook']<1) { $sql="update ".FEEDBACK." SET iflook=1 WHERE id='$id'"; $this->db->query($sql); } if($re["fromuserid"]&&$re['msgtype']==1) {//收件箱 $sql="select * from ".ALLUSER." where userid='".$re['fromuserid']."'"; $this->db->query($sql); $re["fromInfo"]=$this->db->fetchRow(); } // if($re["touserid"]&&$re['msgtype']==2) {//发件箱 $sql="select * from ".ALLUSER." where userid='".$re['touserid']."'"; $this->db->query($sql); $re["fromInfo"]=$this->db->fetchRow(); } if($re['fromuserid']) { $sql="select id from ".FRIENDS." where fuid=$re[fromuserid]"; $this->db->query($sql); $re["is_myfriend"]=$this->db->fetchField('id'); } $re['edit_con']='<br><br><br><br><br>//======================================================='.$re['con'];//显示$re['con']也未过滤 return $re; } function friend_msg_batch_send() { global $buid,$admin; if(!empty($_POST['senduser'])&&!empty($_POST['msgcon'])) { $date=date("Y-m-d H:i:s"); $sear=explode(';',$_POST['senduser']); if(count($sear)>1) { $sear1=array_unique($sear); $suser="'0'"; foreach($sear1 as $v) { $suser.=",'$v'"; } $sql="select user,email,userid from ".ALLUSER." where user in ($suser)"; } else $sql="select user,email,userid from ".ALLUSER." where user ='$_POST[senduser]'"; $this->db->query($sql); $re=$this->db->getRows(); foreach($re as $v) { $sql="insert into ".FEEDBACK." (touserid,fromuserid,fromInfo,sub,con,date,msgtype) VALUES ('$v[userid]','$buid','Business Friends Message','$_POST[msgtitle]','$_POST[msgcon]','$date','1')"; $this->db->query($sql); $sql="insert into ".FEEDBACK." (touserid,fromuserid,fromInfo,sub,con,date,msgtype) VALUES ('$v[userid]','$buid','Business Friends Message','$_POST[msgtitle]','$_POST[msgcon]','$date','2')";//$_POST[msgcon]没过滤就插入数据库 $this->db->query($sql); //-----------------如果是回复邮件标记为已回复 $this->db->query("UPDATE ".FEEDBACK." set iflook='3' where id='$_GET[id]'"); if(!empty($_POST['semail'])&&$v["email"]) { send_mail($v["email"],$v["name"],$_POST['msgtitle'],$_POST['msgcon']); } } $admin->msg("main.php?m=message&s=admin_message_list_inbox");//发送成功 } else $admin->msg("main.php?m=message&s=admin_message_sed&msgsend=error");
第二处
buy_class.php //进入点和输出点都没有过滤导致xss漏洞这个的影响也较大,只要用户点击求购栏目就会中招buy=new buy();if($_GET['ajax']==1){ $buy->del_pro_buy($_POST['id']); die;}if(!empty($submit)&&empty($_POST['editID'])){ //======================================================== $pactidlist=!empty($_POST['catid'])?$_POST['catid']:NULL; if(!empty($_POST['tcatid'])) $pactidlist.= ",".$_POST['tcatid']; if(!empty($_POST['scatid'])) $pactidlist.=",".$_POST['scatid']; if(!empty($_POST['sscatid'])) $pactidlist.=",".$_POST['sscatid']; $buy->add_user_common_cat($pactidlist);//增加会员常用类别,跟踪一下这个函数 //======================================================= $buy_id = $buy->add_buy(); if($buy_id) $admin->msg("main.php?m=buy&s=admin_buy_list");}$_POST['editID']*=1;if($_POST['editID']){ $re=$buy->edit_buy(); if($re) $admin->msg("main.php?m=buy&s=admin_buy_list");}if(isset($_GET['edit'])){ $de = $buy->buy_detail($_GET['edit']); $pactidlist=$de['catid']; if(!empty($de['tcatid'])) $pactidlist.=",".$de['tcatid']; if(!empty($de['scatid'])) $pactidlist.=",".$de['scatid']; if(!empty($de['sscatid'])) $pactidlist.=",".$de['sscatid']; $tpl->assign("typenames",$buy->getProTypeName($pactidlist)); $buy->add_user_common_cat($pactidlist);//增加会员常用类别 $tpl->assign("de",$de);}buy_class.phpfunction add_user_common_cat($cid) { global $buid; //------------------- $cid=explode(",",$cid); $id=$cid[0]; if(!empty($cid[1])) $id=$cid[1]; if(!empty($cid[2])) $id=$cid[2]; if(!empty($cid[3])) $id=$cid[3]; $sql="select id from ".SHOPSETTING." where company_id='$bcid'"; $this->db->query($sql); $rec=$this->db->fetchRow(); if($rec['id']) $sql="update ".SHOPSETTING." set common_cat=REPLACE(common_cat,',$id',''),common_cat=concat(common_cat,',$id') where userid='$buid'"; else $sql="insert into ".SHOPSETTING." (userid,rec_pro,common_cat) values ('$buid','',',$id')";//更新rec_pro,common_cat时未过滤 $re=$this->db->query($sql); }
漏洞证明: 官网演示用户打开信息时触发
用户单击首页上的求购栏目是即可触发
转义
危害等级:无影响厂商忽略
忽略时间:2014-12-30 14:44
暂无
