乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-10-29: 细节已通知厂商并且等待厂商处理中 2014-11-03: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放 2014-12-28: 细节向核心白帽子及相关领域专家公开 2015-01-07: 细节向普通白帽子公开 2015-01-17: 细节向实习白帽子公开 2014-12-30: 细节向公众公开
mallbuilder多用户商城系统SQL注入
系统 MallBuilder_v5.8.1.1典型的XFF注入
register.php文件if(!empty($_POST['user'])&&strtolower($_POST['yzm'])==strtolower($_SESSION['auth'])){ if($config['closetype']==2) { //关闭注册 die('access dined!'); } if($config['user_reg_verf']) { //验证码不对 if(trim($_POST['ckyzwt'])!=trim($_SESSION['YZWT'])) die("Verification question error..."); } if($config['inhibit_ip']==1) { //ip禁止注册 $ip=getip(); if(empty($ip)) die("Can not get you IP..."); else { $config['exception_ip']=explode("\r\n",$config['exception_ip']); if(!in_array($ip,$config['exception_ip'])) { $sql="select ip from ".MEMBER." where ip='$ip'"; $db->query($sql); if($db->num_rows()) die("Your IP has been registered..."); unset($sql); } } } if($config['openbbs']==2) { //关联UCHENTER include_once('uc_client/client.php'); $user=trim($_POST['user']); $pass=trim($_POST['password']); $email=trim($_POST['email']); $regtime=time(); $uid = uc_user_register($user, $pass, $email); if($uid>0) { doreg($uid); // } } else doreg();//跟踪doreg函数}register.php文件doreg函数function doreg($guid=NULL){ global $db,$config,$ip; $user=$_POST['user']; $pass=$_POST['password']; $email=$_POST['email']; $ip=getip();$ip=empty($ip)?NULL:$ip; //看看getip()参数 $lastLoginTime=time(); $regtime=date("Y-m-d H:i:s"); $user_reg=$config['user_reg']==3?"1":"2"; $sql="select * from ".MEMBER." where user='$user'"; $db->query($sql); if($db->num_rows()) die("User name is have"); $sql="insert into ".MEMBER." (user,password,ip,lastLoginTime,email,regtime,statu) values ('$user','".md5($pass)."','$ip','$lastLoginTime','$email','$regtime','$user_reg')"; //$ip未过滤进入sql语句,传统的过滤gpc参数的过滤无效 $re=$db->query($sql); $userid=$db->lastid(); $sql="update ".MEMBER." set number='$userid' where userid='$userid'"; $re=$db->query($sql); if($userid) { $points=$config['reg_points']?$config['reg_points']:"0"; $sql="INSERT INTO ".MEMBERCOUNT." (member_id,points) VALUES ('$userid','$points')"; $re=$db->query($sql); if($points>0) { include_once("$config[webroot]/module/member/includes/plugin_member_class.php"); $member=new member(); $flag=$member->add_points($points,'5','',$userid); } if($re)
inclues/convertip.php中getip函数function getip(){ if (isset($_SERVER)) { if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) { $realip = $_SERVER['HTTP_X_FORWARDED_FOR']; } elseif (isset($_SERVER['HTTP_CLIENT_IP'])) { $realip = $_SERVER['HTTP_CLIENT_IP']; } else { $realip = $_SERVER['REMOTE_ADDR']; } } else { if (getenv("HTTP_X_FORWARDED_FOR")) { $realip = getenv( "HTTP_X_FORWARDED_FOR"); } elseif (getenv("HTTP_CLIENT_IP")) { $realip = getenv("HTTP_CLIENT_IP"); } else { $realip = getenv("REMOTE_ADDR"); } } return $realip;}
漏洞证明:
另一处用convertip()过滤了,这一处为啥没过滤呢
危害等级:无影响厂商忽略
忽略时间:2014-12-30 14:44
暂无