### 简要描述:

CuuMall免费网上商城系统基于企业级MVC技术架构,安全、稳定,可保证同时在线人数达10000人左右,能适应不同领域的公司企业,文件缓存机制、数据库缓存机制,保证系统稳定运行,多种功能以满足不同客户网上开店的需求。

### 详细说明:

```
// 获取某个Cookie值
static function get($name) {
    $value = $_COOKIE[C('COOKIE_PREFIX').$name];
    $value = unserialize(base64_decode($value));
    return $value;
}
```

获取 cookie 的操作,只是做了一次 base64 解码然后直接 unserialize,没有任何过滤。

再来看用 cookie 进行账号登录的代码:

```
$co = new Cookie( );
$username = ($co->get( "GUESTCOOK" )."mall-m-name" );
$password = ($co->get( "GUESTCOOK" )."mall-m-pass" );
if ( empty( $username ) || empty( $password ) ) {
    $this->assign( "waitSecond", 3 );
    $this->assign( "msgTitle", "请登录后购买" );
    $this->assign( "jumpUrl", "__APP__/home/login" );
    $this->error( "请登录后购买" );
    exit( );
}
$m_member = new Model( "m_member" );
$d_m_member = $m_member->where( "username='".$username."'" )->find( );
if ( empty( $d_m_member ) ) {
    $this->assign( "waitSecond", 3 );
    $this->assign( "msgTitle", "请登录后购买" );
    $this->assign( "jumpUrl", "__APP__/home/login" );
    $this->error( "请登录后购买" );
    exit( );
}
if ( $password != $d_m_member['password'] ) {
    $this->assign( "waitSecond", 3 );
    $this->assign( "msgTitle", "请登录后购买" );
    $this->assign( "jumpUrl", "__APP__/home/login" );
    $this->error( "请登录后购买" );
    exit( );
}
```

PS:由于文件是加密的,这里没有完全解密,导致这段代码看起来有点怪异,但不影响审计。

从 cookie 中获取到 username 和 password 以后,应该做了某一个操作(具体是什么从代码里看不出来),然后就直接拼接进 SQL 语句带入数据库执行。从在官网上的测试来看,这里肯定不是转义,应该只是一次去空操作。

这样登录处的 SQL 注入就产生了,而且这个漏洞在大多数需要登录的文件中都存在,相当于直接获取了一个 session。

再来看付款代码:

```
$username = ( $coo->get( "GUESTCOOK" )."mall-m-name" );
$mem = new Model( "m_member" );
$d_mem = $mem->where( "username='".$username."'" )->find( );
if ( $money <= $d_mem['money'] ) {
    $data['money'] = $d_mem['money'] - $money;
    $data['xiaofei'] = $d_mem['xiaofei'] + $money;
    $data['jifen'] = $d_mem['jifen'] + $jifen;
    $mem->where( "username='".$username."'" )->save( $data );
```

这里又是一个 cookie 注入,这样我们就可以直接控制 $d_mem 的值,想买任何东西,直接控制 money 字段就行了。最后还把 $data 保存回了数据库,达到了刷钱的地步。如果系统有提现功能,那真是想要多少钱就有多少钱了。

### 漏洞证明:

[<img src="https://images.seebug.org/upload/201409/29183926494bd1f2cd2079fc0176811dcbbe5b91.png" 
alt="BaiduHi_2014-9-29_18-18-41.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/29183926494bd1f2cd2079fc0176811dcbbe5b91.png)