|LebiShop商城系统最新版设计缺陷及XSS盲打后台

LebiShop商城系统最新版设计缺陷及XSS盲打后台

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： LebiShop商城系统最新版设计缺陷及XSS盲打后台 ### 详细说明： LebiShop商城系统最新版验证码存在设计缺陷可无视验证码，及存储型XSS盲打后台验证码设计缺陷： LebiShop商城系统有两者验证码验证方式 1、直接判断POST提交的验证码已经COOKIE中的验证码是否相等如前台普通用户登陆时 ``` // Shop.Ajax.Ajax_user public void User_Login() { string verifycode = RequestTool.RequestString("verifycode"); string code = CookieTool.GetCookieString("CheckCodef"); string UserName = RequestTool.RequestSafeString("UserName"); string PWD = RequestTool.RequestSafeString("Password"); if (code != verifycode) { base.Response.Write("{\"msg\":\"" + base.Tag("验证码错误") + "\"}"); return; } ``` 直接判断verifycode和CheckCodef是否相等这里我们在发送请求时，将POST和COOKIE中的值设置为一样即可绕过 2、判断COOKIE的某值是否为空，然后在进行第1中方式的验证如后台登陆 ``` // Shop.Admin.Ajax.Ajax_login public void AdminLogin() { string userName = RequestTool.RequestString("userName"); string UserPWD = RequestTool.RequestString("UserPWD"); string code = RequestTool.RequestString("code"); int saveusername = RequestTool.RequestInt("saveusername", 0); int type = RequestTool.RequestInt("type", 0); if (CookieTool.GetCookieString("AdminLoginError") != "") { string ccode = CookieTool.GetCookieString("CheckCodef"); if (ccode != code) { base.Response.Write(Language.Tag("验证码错误", this.CurrentLanguage.Code)); return; } } ``` 先判断COOKIE中的AdminLoginError是否为空，在进行code的判断这里在发送请求时，直接将COOKIE中的AdminLoginError设置为空即可绕过验证码 XSS盲打后台很多地方都存在盲打后台的地方，全局只进行了<，>，'三个符号的处理但是在获取X-Forwarded-For时，没有使用全局处理，直接赋值如在商家用户登陆处 ``` // Shop.Supplier.Ajax.Ajax_user public void User_Login() { string msg = ""; string userName = RequestTool.RequestSafeString("userName"); string UserPWD = RequestTool.RequestSafeString("UserPWD"); string code = RequestTool.RequestString("code"); string logintype = RequestTool.RequestString("logintype", "supplier"); int saveusername = RequestTool.RequestInt("saveusername", 0); if (CookieTool.GetCookieString("SupplierLoginError") != "") { string ccode = CookieTool.GetCookieString("CheckCodef"); if (ccode != code) { base.Response.Write(Language.Tag("验证码错误", base.CurrentLanguage.Code)); return; } } if (EX_User.UserLogin(userName, UserPWD, true)) { this.CurrentUser = EX_User.CurrentUser(); if (EX_Supplier.Login(this.CurrentUser, logintype, 0, out msg)) { if (saveusername == 1) { CookieTool.SetCookieString("SupplierUserName", userName, 1440); CookieTool.SetCookieString("saveusername", "1", 1440); } else { CookieTool.SetCookieString("SupplierUserName", "", -1); CookieTool.SetCookieString("saveusername", "", -1); } Log.Add("登陆系统", "Login", this.CurrentUser.id.ToString(), this.CurrentUser.UserName); msg = "OK"; } else { msg = Language.Tag("账号状态异常", base.CurrentLanguage.Code); } } else { msg = Language.Tag("用户名或密码错误", base.CurrentLanguage.Code); base.Response.Cookies.Add(new HttpCookie("SupplierLoginError", "1")); Log.Add("登陆系统", "Login", "", this.CurrentUser, "[" + userName + "]用户名或密码错误"); } base.Response.Write(msg); } ``` 这里是否登录成功都会有log记录跟进Log.Add函数 ``` // Shop.Bussiness.Log public static void Add(string content, string tablename, string keyid, string description) { EX_User.CurrentUser(); EX_Admin.CurrentAdmin(); Log.Add(content, tablename, keyid, null, null, null, description); } ``` 继续跟进 ``` // Shop.Bussiness.Log public static void Add(string content, string tablename, string keyid, Lebi_User user, Lebi_Administrator admin, Lebi_Supplier supplier, string description) { Lebi_Log log = new Lebi_Log(); if (admin != null) { log.Admin_id = admin.id; log.AdminName = admin.UserName; } if (user != null) { log.User_id = user.id; log.UserName = user.UserName; } if (supplier != null) { log.Supplier_id = supplier.id; log.Supplier_SubName = supplier.SubName; } if (keyid.Length > 500) { keyid = keyid.Substring(0, 500); } log.Content = content; log.Keyid = keyid; log.TableName = tablename; log.URL = RequestTool.GetRequestUrlNonDomain(); log.RefererURL = RequestTool.GetUrlReferrerNonDomain(); if (description.Length > 500) { log.Description = description.Substring(0, 500); } else { log.Description = description; } log.IP_Add = RequestTool.GetClientIP(); B_Lebi_Log.Add(log); } ``` 到最后，注意这里log.IP_Add = RequestTool.GetClientIP(); ``` // Shop.Tools.RequestTool public static string GetClientIP() { string result2; try { string result = HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"]; if (result == null || result == string.Empty) { result = HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"]; } if (result == null || result == string.Empty) { result = HttpContext.Current.Request.UserHostAddress; } result2 = result; } catch { result2 = ""; } return result2; } ``` 这里直接从HTTP_X_FORWARDED_FOR获取了内容，然后进入了log中 ### 漏洞证明：将X-Forwarded-For设置为：<img src=1 onerror=alert(1)> 然后随便登录 [<img src="https://images.seebug.org/upload/201501/201849019b3e51adb52997eb12d7c6e8c3caa596.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/201849019b3e51adb52997eb12d7c6e8c3caa596.png) 此时log中已经记录的登陆信息在后台配置，操作日志中： [<img src="https://images.seebug.org/upload/201501/201849557969f777532b7169a37c5f2c8873d38a.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/201849557969f777532b7169a37c5f2c8873d38a.png) 成功跨入后台

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™