2015-10-07: 细节已通知厂商并且等待厂商处理中 2015-10-07: 厂商已经确认,细节仅向厂商公开 2015-10-10: 细节向第三方安全合作伙伴开放(绿盟科技、唐朝安全巡航) 2015-12-01: 细节向核心白帽子及相关领域专家公开 2015-12-11: 细节向普通白帽子公开 2015-12-21: 细节向实习白帽子公开 2016-01-11: 细节向公众公开
如题。
// Registration branch. Order of operations as written: duplicate name/email
// checks, captcha check, build the user row, insert, then seed the session and
// move the pre-login cart into the DB. The excerpt stops mid-block; the closing
// braces are not on this page.
case 'register': if (isset($_p_pesubmit)) {
    // NOTE(review): the duplicate checks read $_g_user_name / $_g_user_email,
    // while the row stored below uses $_p_user_name / $_p_user_email — the
    // value that is checked and the value that is inserted need not match.
    if($db->pe_num('user', array('user_name'=>pe_dbhold($_g_user_name)))) pe_error('用户名已存在...');
    if($db->pe_num('user', array('user_email'=>pe_dbhold($_g_user_email)))) pe_error('邮箱已存在...');
    // Captcha compared case-insensitively with loose `!=`; `!==` would avoid
    // PHP's numeric-string coercion (e.g. '1e1' == '10' is true).
    if (strtolower($_s_authcode) != strtolower($_p_authcode)) pe_error('验证码错误');
    // Raw request values. Escaping (pe_dbhold) is applied once, to the whole
    // array, at the insert below — so the stored text is the original input,
    // a literal single quote included.
    $sql_set['user_name'] = $_p_user_name;
    // Unsalted md5 of the password; password_hash()/password_verify() is the
    // supported replacement.
    $sql_set['user_pw'] = md5($_p_user_pw);
    $sql_set['user_email'] = $_p_user_email;
    $sql_set['user_ip'] = pe_ip();
    $sql_set['user_atime'] = $sql_set['user_ltime'] = time();
    if ($user_id = $db->pe_insert('user', pe_dbhold($sql_set))) {
        add_pointlog($user_id, 'reg', $cache_setting['point_reg'], '注册帐号');
        // Re-read the row: $info carries the stored (unescaped) values.
        $info = $db->pe_select('user', array('user_id'=>$user_id));
        $_SESSION['user_idtoken'] = md5($info['user_id'].$pe['host_root']);
        $_SESSION['user_id'] = $info['user_id'];
        // The session keeps the raw user_name from the row, not the escaped
        // form used for the insert; any later SQL that embeds $_s_user_name
        // has to escape it again.
        $_SESSION['user_name'] = $info['user_name'];
        $_SESSION['pe_token'] = pe_token_set($_SESSION['user_idtoken']);
        // Persist the cart built before login under the new account.
        // NOTE(review): unserialize() runs on $_c_cart_list, which the `_c_`
        // prefix suggests is a client-supplied cookie (parallel to `_p_`/`_g_`/
        // `_s_`) — confirm where it is set; a JSON or signed encoding would be
        // safer than unserialize() on client data.
        if (is_array($cart_list = unserialize($_c_cart_list))) {
            foreach ($cart_list as $k => $v) {
                $cart_info['cart_atime'] = time();
                $cart_info['product_id'] = $k;
                $cart_info['product_num'] = $v['product_num'];
                $cart_info['user_id'] = $info['user_id'];
                $db->pe_insert('cart', pe_dbhold($cart_info));
用户注册时对输入进行了转义，但转义只在写入数据库时生效，库中保存的仍是原始值；登录时把从库中读出的完整（未转义）值带入了 session。
// Login branch. Looks the user up by name + md5(password), credits a login
// point at most once per calendar day, then seeds the session. The excerpt
// stops mid-block; the closing braces are not on this page.
case 'login': if (isset($_p_pesubmit)) {
    $sql_set['user_name'] = $_p_user_name;
    $sql_set['user_pw'] = md5($_p_user_pw);
    // Loose `!=` as in the register branch; `!==` is the strict form.
    if (strtolower($_s_authcode) != strtolower($_p_authcode)) pe_error('验证码错误');
    // Credentials are escaped for this lookup only; $info is the stored row,
    // i.e. the unescaped values.
    if ($info = $db->pe_select('user', pe_dbhold($sql_set))) {
        $db->pe_update('user', array('user_id'=>$info['user_id']), array('user_ltime'=>time()));
        // Hand-built WHERE fragment interpolating $info['user_id'] without
        // escaping; presumably an integer id read back from the DB — confirm.
        if (!$db->pe_num('pointlog', " and `user_id` = '{$info['user_id']}' and `pointlog_type` = 'reg' and `pointlog_text` = '登录帐号' and `pointlog_atime` >= '".strtotime(date('Y-m-d'))."'")) {
            add_pointlog($info['user_id'], 'reg', $cache_setting['point_login'], '登录帐号');
        }
        $_SESSION['user_idtoken'] = md5($info['user_id'].$pe['host_root']);
        $_SESSION['user_id'] = $info['user_id'];
        // Same as registration: the session receives the raw stored user_name
        // (escaping was applied only on the way in), so a name containing a
        // quote reaches $_s_user_name unescaped.
        $_SESSION['user_name'] = $info['user_name'];
在 D:/wamp/www/module/index/order.php 中，这个 session 值又被取出来使用了：
// Order-comment branch (the write-up places it in module/index/order.php).
// Loads the order for the current session user, then on submit writes one
// comment row per order line. The excerpt stops mid-block; the closing braces
// are not on this page.
case 'comment':
    $order_id = pe_dbhold($_g_id);
    // Ownership check: the order must belong to the session user.
    $info = $db->pe_select('order', array('order_id'=>$order_id, 'user_id'=>$_s_user_id));
    if (!$info['order_id']) pe_error('参数错误...');
    $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
    if (isset($_p_pesubmit)) {
        pe_token_match();
        if ($info['order_comment']) pe_error('请勿重复评价...');
        foreach ($info_list as $k=>$v) {
            $sql_set[$k]['comment_star'] = intval($_p_comment_star[$v['product_id']]);
            // Request-supplied text is escaped field by field here ...
            $sql_set[$k]['comment_text'] = pe_dbhold($_p_comment_text[$v['product_id']]);
            $sql_set[$k]['comment_atime']= time();
            $sql_set[$k]['product_id'] = $v['product_id'];
            $sql_set[$k]['order_id'] = $order_id;
            $sql_set[$k]['user_ip'] = pe_dbhold(pe_ip());
            $sql_set[$k]['user_id'] = $_s_user_id;
            // ... but the session user_name is not. It is the raw stored name
            // (the register/login branches put the unescaped row value into
            // the session), so a quote in it reaches the INSERT below
            // unescaped — this is the second-order injection the report
            // describes. Fix: escape it here, `pe_dbhold($_s_user_name)`, or
            // build the array unescaped and escape it once at the insert, as
            // the user/cart inserts do (not both — that double-escapes).
            $sql_set[$k]['user_name'] = $_s_user_name;
            if (!$sql_set[$k]['comment_text']) pe_error('评价内容必须填写...');
        }
        // Unlike the user/cart inserts, the array goes in without pe_dbhold().
        if ($db->pe_insert('comment', $sql_set)) {
            order_callback('comment', $order_id);
            pe_success('评价成功!');
我们注册一个用户名为 aaaaaaa' 的用户，购买商品后进行评价，可以看到单引号被原样带入了 SQL 语句。
盲注。
危害等级:中
漏洞Rank:10
确认时间:2015-10-07 09:27
感谢@路人甲 提供代码审计,已将漏洞提交到技术部
暂无