### 简要描述: 20141222

### 详细说明:

第一处在 api/alipay/alipayto.php，现在少了以前的验证。

```
error_reporting(0);
require_once("alipay_config.php");
require_once("class/alipay_service.php");
require_once(dirname(dirname(dirname(__FILE__)))."/data/db.config.php");
require_once(dirname(dirname(dirname(__FILE__)))."/plus/config.php");
require_once(dirname(dirname(dirname(__FILE__)))."/include/mysql.class.php");
//看这里 主要是没包含db.safety.php进来 导致了这里面的_POST啥的不转义 不过滤
$db = new mysql($db_config['dbhost'], $db_config['dbuser'], $db_config['dbpass'], $db_config['dbname'], ALL_PS, $db_config['charset']);
if(!is_numeric($_POST['dingdan'])){die;}
$_COOKIE['uid']=(int)$_COOKIE['uid'];
$_POST['is_invoice']=(int)$_POST['is_invoice'];
$_POST['balance']=(int)$_POST['balance'];
$member_sql=$db->query("SELECT * FROM `".$db_config["def"]."member` WHERE `uid`='".$_COOKIE['uid']."' limit 1");//把自己的账户信息查询出来
$member=mysql_fetch_array($member_sql);
if($member['username'] != $_COOKIE['username'] || $member['usertype'] != $_COOKIE['usertype']||md5($member['username'].$member['password'].$member['salt'])!=$_COOKIE['shell']){ //验证登录信息
    echo '登录信息验证错误,请重新登录!';die;
}
$sql=$db->query("select * from `".$db_config["def"]."company_order` where `order_id`='".$_POST['dingdan']."' AND `order_price`>=0");//_POST['dingdan']被转型了 这里是把自己的订单信息查询出来
$row=mysql_fetch_array($sql);
if(!$row['uid'] || $row['uid']!=$_COOKIE['uid']) //这里验证了是不是自己的订单 不是自己的订单或者没有这个订单 就退出了
{
    die;
}
if((int)$_POST['is_invoice']=='1'&&$config["sy_com_invoice"]){
    $invoice_title=",`is_invoice`='".$_POST['is_invoice']."'";
    if($_POST['linkway']=='1'){
        $com_sql=$db->query("select `linkman`,`linktel`,`address` from `".$db_config["def"]."company` where `uid`='".$_COOKIE['uid']."'");//查询余额
        $company=mysql_fetch_array($com_sql);
        $link=",'".$company['linkman']."','".$company['linktel']."','".$company['address']."'";
        $up_record=",`link_man`='".$company['linkman']."',`link_moblie`='".$company['linktel']."',`address`='".$company['address']."'";
    }else{
        $link=",'".$_POST['link_man']."','".$_POST['link_moblie']."','".$_POST['address']."'";
        $up_record=",`link_man`='".$_POST['link_man']."',`link_moblie`='".$_POST['link_moblie']."',`address`='".$_POST['address']."'";//因为没有包含db.safety.php进来 这里全都可以引入单引号。。
    }
    $record_sql=$db->query("select `id` from `".$db_config["def"]."invoice_record` where `order_id`='".$_POST['dingdan']."' and `uid`='".$_COOKIE['uid']."'");
    $record=mysql_fetch_array($record_sql);
    if($record['id']){
        $upr_sql=$db->query("update `".$db_config["def"]."invoice_record` set `title`='".trim($_POST['invoice_title'])."',`status`='0',`addtime`='".time()."'".$up_record." where `id`='".$record['id']."'");
        mysql_fetch_array($upr_sql);
    }else{
        $db->query("insert into `".$db_config["def"]."invoice_record`(order_id,uid,title,status,addtime,`link_man`,`link_moblie`,`address`) values('".$row['order_id']."','".$_COOKIE['uid']."','".trim($_POST['invoice_title'])."','0','".time()."'".$link.")");
    }
}
```

再来看看哪里下订单。

```
function dingdan_action(){
    if($_POST['price']){
        if($_POST['comvip']){
            $comvip=(int)$_POST['comvip'];
            $ratinginfo = $this->obj->DB_select_once("company_rating","`id`='".$comvip."'");
            $price = $ratinginfo['service_price'];
            $data['type']='1';
        }elseif($_POST['price_int']){
            $integral=intval($_POST['price_int']);
            $price = $integral/$this->config['integral_proportion'];
            $data['type']='2';
        }elseif($_POST['price_msg']){
            $integral=intval($_POST['price_msg']);
            $price = $integral/$this->config['integral_msg_proportion'];
            $data['type']='5';
        }else{
            $this->obj->ACT_layer_msg("参数不正确,请正确填写!",8,$_SERVER['HTTP_REFERER']);
        }
        if(($data['type']=='2'||$data['type']=='5')&&$integral<1){
            $this->obj->ACT_layer_msg("请正确填写购买数量!",8,$_SERVER['HTTP_REFERER']);
        }
        $dingdan=mktime().rand(10000,99999);//不可控
        $data['order_id']=$dingdan;
        $data['order_price']=$price;
        $data['order_time']=mktime();
        $data['order_state']="1";
        $data['order_remark']=trim($_POST['remark']);
        $data['uid']=$this->uid;
        $data['rating']=$_POST['comvip'];
        $data['integral']=$integral;
        $id=$this->obj->insert_into("company_order",$data);//入库
```

虽然订单号不可控，但是入库后看交易记录能看到。这里我们把price弄成0，直接不去定义它就行了。

[<img src="https://images.seebug.org/upload/201412/25113423fa837931af369e2a0637fd1342b983cc.jpg" alt="p15.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/25113423fa837931af369e2a0637fd1342b983cc.jpg)

复制一个订单号出来

[<img src="https://images.seebug.org/upload/201412/2511350208cb55067bf94a74eb0fa2fd1dac89b3.jpg" alt="p16.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/2511350208cb55067bf94a74eb0fa2fd1dac89b3.jpg)

可以引入任意字符，没包含过滤文件进来嘛。

第2处 在model/redeem.class.php中

```
function list_action(){
    $this->public_action();
    $where="`nid`='".$_GET['id']."'";
    if($_GET['order']) //当设置order后
    {
        $where.=" order by ".$_GET['t']." ".$_GET['order'];//直接带入无限制 无单引号
        $urlarr['order']=$_GET['order'];
        $urlarr['t']=$_GET['t'];
    }else{
        $where.=" order by `id` desc";
    }
    $urlarr['c']="list";
    $urlarr["id"]=$_GET['id'];
    $urlarr['page']="{{page}}";
    $pageurl=$this->url("index",$_GET['m'],$urlarr);
    $rows=$this->get_page("reward",$where,$pageurl,13);//直接把where带入查询
    $this->yunset("rows",$rows);
    $row=$this->obj->DB_select_all("reward_class");
    $this->yunset("row",$row);
    $this->seo("redeem");
    $this->yun_tpl(array('list'));
}
```

第3处 也是这个文件

```
function show_action(){
    $this->public_action();
    $where="`gid`='".$_GET['id']."'";
    if($_GET['order'])
    {
        $where.=" order by ".$_GET['t']." ".$_GET['order'];
        $urlarr['order']=$_GET['order'];
        $urlarr['t']=$_GET['t'];
    }else{
        $where.=" order by `id` desc";
    }
    $urlarr['c']="show";
    $urlarr["id"]=$_GET['id'];
    $urlarr['page']="{{page}}";
    $pageurl=$this->url("index",$_GET['m'],$urlarr);
    $jilu=$this->get_page("change",$where,$pageurl,13);
    $this->yunset("jilu",$jilu);
```

跟第一个差不多

### 漏洞证明:

[<img src="https://images.seebug.org/upload/201412/2511350208cb55067bf94a74eb0fa2fd1dac89b3.jpg" alt="p16.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201412/2511350208cb55067bf94a74eb0fa2fd1dac89b3.jpg)