当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-081332

漏洞标题:mallbuilder多用户商城系统越权漏洞&跨站漏洞

相关厂商:shop-builder.cn

漏洞作者: nextdoor

提交时间:2014-10-31 11:23

修复时间:2014-12-30 14:44

公开时间:2014-12-30 14:44

漏洞类型:非授权访问/权限绕过

危害等级:中

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-31: 细节已通知厂商并且等待厂商处理中
2014-11-05: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-12-30: 细节向核心白帽子及相关领域专家公开
2015-01-09: 细节向普通白帽子公开
2015-01-19: 细节向实习白帽子公开
2014-12-30: 细节向公众公开

简要描述:

越权漏洞可以遍历他人收货地址
跨站漏洞可以会员cookie一处
和可以盗取管理员cookie一处

详细说明:

版本系统 MallBuilder_v5.8.1.1
官方demo v6.9.3版本有效
0x01 越权漏洞
可以遍历他人收货地址
module\member\admin_orderadder.php

//--修改收货地址
if($_POST['submit']=='edit')
{
	$flag=$orderadder->edit_orderadder($_POST['edid']); //跟踪edit_orderadder函数
	if(is_numeric($_POST['i']) and $_POST['ty']=='tg')
	{
		$admin->msg($config['weburl'].'/?m=tg&s=order&id='.$_POST['i']);  	
	}
	elseif($_POST['ty']=='pro')
	{
		$admin->msg($config['weburl'].'/?m=product&s=confirm_order');  	
	}
	else
	{
		$admin->msg($config['weburl'].'/main.php?m=member&s=admin_orderadder');  
	}
}
//--删除收货地址
if(!empty($_GET['edid'])&&is_numeric($_GET['edid']))
{
	$flag=$orderadder->del_orderadder($_GET['edid']);  //del_orderadder函数
	$admin->msg($config['weburl'].'/main.php?m=member&s=admin_orderadder');
}
//--显示收货地址
if(!empty($_GET['id'])&&is_numeric($_GET['id']))
	$tpl->assign("de",$orderadder->get_orderadder($_GET['id']));
	
$tpl->assign("list",$orderadder->get_orderadderlist());


module\member\includes\plugin_orderadder_class.php

function edit_orderadder($id=NULL)
	{
		global $buid;
		if($id)
		{
			$default=$_POST['default']?"2":"1";
			$_POST['zip']=$_POST['zip']?$_POST['zip']:NULL;
			if($default=='2')
			{
				$sql="UPDATE ".DELIVERYADDR." SET `default` = '1' WHERE  `userid` ='$buid' ";
				$this -> db->query($sql);	
			}
			$sql="UPDATE ".DELIVERYADDR." SET `name` = '$_POST[name]',`provinceid` = '$_POST[province]',`cityid` = '$_POST[city]', `areaid` = '$_POST[area]', `area` = '$_POST[t]', `address` = '$_POST[address]',`zip` = '$_POST[zip]',`tel` = '$_POST[tel]',`mobile` = '$_POST[mobile]',`default` = '$default' WHERE  `id` ='$id' "; //仅用id参数验证,存在越权操作,可以任意变量他人收货地址
			$this -> db->query($sql);	
			return $id;
		}
	}
function del_orderadder($id=NULL)
	{
		global $buid;	
		if(is_numeric($id))
		{
			$tel=$_POST['tel1'].'-'.$_POST['tel2'].'-'.$_POST['tel3'];
			$sql="delete from ".DELIVERYADDR."  where id=$id "; //仅用id参数验证,
			$flag=$this -> db->query($sql);		 
			return $flag;
		}
	}


0x02跨站漏洞
可以盗取会员cookie,这个是在空间评论处的动态,只有加他为好友后评论就可以了,导致
只要用户登陆就会中招
sns.php文件

if(!empty($_POST['act']))
	{
		if($_POST['act']=='comment')
		{
			$sns->add_sns_comment($_POST['act']); //跟踪add_sns_comment函数
		}
		else
		{
			$sns->add_sns($_POST['act']);
		}
	}


plugin_sns_class.php文件

function add_sns_comment()
	{
		global $buid,$config;
		
		$sql="select logo,user from ".MEMBER."  WHERE userid='$buid'";
		$this->db->query($sql);
		$re=$this->db->fetchRow();
		
		$member_id = $buid;
		$member_name = $re['user'];
		$original_id = $_POST['commentid'];
		$create_time  = time();
		$content = $_POST['commentcontent']?$_POST['commentcontent']:"";//接受post的content
		if($content)
		{
			$sql="insert into ".SNSCOMMENT." (original_id,member_id,member_name,content,addtime) VALUES ('$original_id','$member_id','$member_name','$content','$create_time')"; //输入点$content未过滤
			$this->db->query($sql);
			$this->db->query("update ".SNS." set comment_count=comment_count+1 where id='$original_id'");
		}
	}
输出点在这个函数中
function get_sns()
	{
		global $buid,$config;
		
		$sql="select fuid from ".FRIEND." where uid=$buid order by addtime desc";
		$this->db->query($sql);
		$re=$this->db->getRows();
		
		$myfriend=$buid;
		
		foreach($re as $val)
		{
			$myfriend.=','.$val['fuid'];
		}
		
		$sql="select a.* , b.member_id as ouid , b.member_name as ouser , b.title as otitle, b.create_time as ocreate_time, b.content as ocontent,b.img as oimg,b.type as otype from ".SNS." a left join ".SNS." b on a.original_id= b.id where a.member_id in ($myfriend) order by a.create_time desc";
		$this->db->query($sql);
		$re=$this->db->getRows();
		if(!$re)
		{
			$sql="select a.* , b.member_id as ouid , b.member_name as ouser , b.title as otitle, b.create_time as ocreate_time, b.content as ocontent,b.img as oimg,b.type as otype from ".SNS." a left join ".SNS." b on a.original_id= b.id order by rand() , a.create_time desc";
		}
		$str="";
		include_once($config['webroot']."/includes/page_utf_class.php");
		include_once($config['webroot']."/module/sns/face.php");
	
		$page = new Page;
		$page->listRows=10;
		
		if (!$page->__get('totalRows'))
		{
			$this->db->query($sql);
			$page->totalRows = $this->db->num_rows();
		}
		$p=$_GET['page']-1>0?$_GET['page']-1:"0";
		$page->firstRow=$p*$page->listRows;
        $sql .= "  limit ".$page->firstRow.",".$page->listRows;
		$this->db->query($sql);
		$re=$this->db->getRows();
		
		foreach($face_array as $key=>$val)
		{
			$searcharray[] ="/\/".$key."/";
			$replacearray[] = "<img align='absmiddle' src='image/face/".$val."'>";
		}
		
		foreach($re as $val)
		{
			$comment=$con=$del=$a=$img="";
			$sql="select logo,name from ".MEMBER." WHERE userid='$val[member_id]'";
			$this->db->query($sql);
			$a=$this->db->fetchRow();
			$val['member_img'] = $a['logo']?$a['logo']:"image/default/user_admin/default_user_portrait.gif";
			$val['member_name']=$a['name']?$a['name']:$val['member_name'];
			
			$sql="select * from ".SNSCOMMENT."  WHERE original_id='$val[id]' order by id desc";
			$this->db->query($sql);
			$ss=$this->db->getRows();
			$val['title']=preg_replace($searcharray,$replacearray,$val['title']);
			if($ss)
			{
				$comment="<div class='commnet'>";
				foreach($ss as $list)
				{
					$comment.="<div class='commnet_list'><dl><dt><a target=\"_blank\" href=\"home.php?uid=".$list['member_id']."\">$list[member_name]</a> $list[content]</dt>
<dd>".date('Y-m-d',$list['addtime'])."</dd></div>";
				}
				$comment.="</div>";
			}
			if($val['original_id'])
			{
				$con="<div class=\"quote-wrap\">";
				if($val['original_status']==1)
				{
					$con.="原文已删除";
				}
				else
				{
					$val['otitle']=preg_replace($searcharray,$replacearray,$val['otitle']);
					if($val['oimg'])
					{
						$oimg="<div class=\"sns-img clearfix\"><ul>";
						$opic=explode(',',$val['oimg']);
						foreach($opic as $op)
						{
							if($val['otype']=='2')
							{
								$oimg.="<li><img class=\"small\" src=\"".$op."_120X120.jpg\"></li>";	
							}
							else
							{
								$oimg.="<li><img src=\"".$op."\"></li>";
							}
						}
						$oimg.="</ul></div>";
					}
					$con.="<p><a target=\"_blank\" href=\"home.php?uid=".$val['ouid']."\">".$val['ouser']."</a></p><div class=\"sns-text\"><div class=\"sns-title\"><span>".$val['otitle']."</span>".$oimg."</div></div><div class=\"sns-extra\"><a class=\"sns-time\" title=\"".date('Y年m月d日 H:i',$val['ocreate_time'])."\" href=\"#\">".date('m月d日 H:i',$val['ocreate_time'])."</a></div>";
					
					
				}
				$con.="</div>";
			}
			$fd_forward="<span><a data-param=\"{&quot;bid&quot;:&quot;".$val['id']."&quot;}\" genre=\"sns_forward\" href=\"javascript:void(0);\">转发</a></span><span><a data-param=\"{&quot;bid&quot;:&quot;".$val['id']."&quot;}\" genre=\"sns_comment\" href=\"javascript:void(0);\">评论</a></span>";
			$del="";
			if($val['member_id']==$buid)
			{
				$del="<div class=\"more-action\"><a data-param=\"{&quot;bid&quot;:&quot;".$val['id']."&quot;}\" data_type=\"fd_del\" href=\"javascript:void(0);\"></a></div>";
			}
			if($val['img'])
			{
				$img="<div class=\"sns-img clearfix\"><ul>";
				$pic=explode(',',$val['img']);
				foreach($pic as $p)
				{
					if($val['type']=='2')
					{
						$img.="<li><img class=\"small\" src=\"".$p."_120X120.jpg\"></li>";	
					}
					else
					{
						$img.="<li><img src=\"".$p."\"></li>";
					}
				}
				$img.="</ul></div>";
			}
			$str.="<div class=\"sns-item\"><div class=\"sns-avatar\"><a target=\"_blank\" href=\"shop.php?uid=".$val['member_id']."\"><img width=\"60\" height=\"60\" src=\"".$val['member_img']."\" ></a></div>".$del."<div class=\"sns-wrap\"><p class=\"clearfix\"><a target=\"_blank\" href=\"home.php?uid=".$val['member_id']."\"><b>".$val['member_name']."</b></a></p><div class=\"sns-text\"><div class=\"sns-title\">".$val['title']."</div>".$img."</div>".$con."<div class=\"sns-extra\"><a class=\"sns-time\" title=\"".date('Y年m月d日 H:i',$val['create_time'])."\" href=\"#\">".date('m月d日 H:i',$val['create_time'])."</a><span class=\"sns-action\">".$fd_forward."</span></div></div><div class='clear'></div>".$comment."</div>"; //未过滤
		}
		if(($_GET['page']+1)<= ceil($page->totalRows/$page->listRows))
		{
			$str.="<div id=more></div>";
		}
		return $str;


0x03这个存在于收货地址处
module\member\admin_orderadder.php

if($_POST['submit']=='edit')
{
	$flag=$orderadder->edit_orderadder($_POST['edid']); 
	if(is_numeric($_POST['i']) and $_POST['ty']=='tg')
	{
		$admin->msg($config['weburl'].'/?m=tg&s=order&id='.$_POST['i']);  	
	}
	elseif($_POST['ty']=='pro')
	{
		$admin->msg($config['weburl'].'/?m=product&s=confirm_order');  	
	}
	else
	{
		$admin->msg($config['weburl'].'/main.php?m=member&s=admin_orderadder');  
	}
}


module\member\includes\plugin_orderadder_class.php

function edit_orderadder($id=NULL)
	{
		global $buid;
		if($id)
		{
			$default=$_POST['default']?"2":"1";
			$_POST['zip']=$_POST['zip']?$_POST['zip']:NULL;
			if($default=='2')
			{
				$sql="UPDATE ".DELIVERYADDR." SET `default` = '1' WHERE  `userid` ='$buid' ";
				$this -> db->query($sql);	
			}
			$sql="UPDATE ".DELIVERYADDR." SET `name` = '$_POST[name]',`provinceid` = '$_POST[province]',`cityid` = '$_POST[city]', `areaid` = '$_POST[area]', `area` = '$_POST[t]', `address` = '$_POST[address]',`zip` = '$_POST[zip]',`tel` = '$_POST[tel]',`mobile` = '$_POST[mobile]',`default` = '$default' WHERE  `id` ='$id' "; 
//post接受的参数未过滤
			$this -> db->query($sql);	
			return $id;
		}
	}


输出点module\member\admin\delivery_address.php中

$sql="select a.*,b.user from ".DELIVERYADDR." a left join ".MEMBER." b on a.userid=b.userid ";
	//================================
	include_once("../includes/page_utf_class.php");
	$page = new Page;
	$page->listRows=10;
	if (!$page->__get('totalRows')){
		$db->query($sql);
		$page->totalRows = $db->num_rows();
	}
	$sql .= "  limit ".$page->firstRow.",".$page->listRows;
	$de['page'] = $page->prompt();
	//=================================
	$db->query($sql);
	$de['list']=$db->getRows(); //未进行有效过滤形成跨站
	
	$tpl->assign("de",$de);
	$tpl->display("delivery_address.htm");

漏洞证明:

越权官网证明
http://democn.mall-builder.com/main.php?m=member&s=admin_orderadder&id=188&type=edit
更改id参数即可遍历全部收货地址

mall越权一.PNG


mall越权二.PNG


mall越权三.PNG


跨站攻击,为了不影响测试用例,官网中测试可以插入标签,未做输出显示过滤
下面在自己搭建的平台演示

Xss2.PNG


Xss3.PNG


Xss1.PNG

修复方案:

过滤

版权声明:转载请注明来源 nextdoor@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-12-30 14:44

厂商回复:

最新状态:

暂无