|PHPB2B 最新版sql注射无限充值（官网demo成功）

PHPB2B 最新版sql注射无限充值（官网demo成功）

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： rt ### 详细说明：看到注册用户处 ``` if(isset($_POST['register'])){ $is_company = false; $if_need_check = false; $register_type = trim($_POST['register']); $register_typename = trim($_POST['typename']); pb_submit_check('data'); $default_membergroupid_res = $pdb->GetRow("SELECT * FROM {$tb_prefix}membertypes WHERE name='".$register_typename."'"); $default_membergroupid = $default_membergroupid_res['default_membergroup_id']; if(empty($default_membergroupid)) $default_membergroupid = $membergroup->field("id","is_default=1"); if ($default_membergroupid_res['id']>1) { $is_company = true; } $member->setParams(); $memberfield->setParams(); $member->params['data']['member']['membergroup_id'] = $default_membergroupid; $time_limits = $pdb->GetOne("SELECT default_live_time FROM {$tb_prefix}membergroups WHERE id={$default_membergroupid}"); $member->params['data']['member']['service_start_date'] = $time_stamp; $member->params['data']['member']['service_end_date'] = $membergroup->getServiceEndtime($time_limits); $member->params['data']['member']['membertype_id'] = ($is_company)?2:1; if($member_reg_auth=="1" || $member_reg_auth!=0 || !empty($G['setting']['new_userauth'])){ $member->params['data']['member']['status'] = 0; $if_need_check = true; }else{ $member->params['data']['member']['status'] = 1; } $updated = false; $updated = $member->Add(); ``` 跟进add ``` function Add() { global $_PB_CACHE, $memberfield, $phpb2b_auth_key, $if_need_check; $error_msg = array(); if (empty($this->params['data']['member']['username']) or empty($this->params['data']['member']['userpass']) or empty($this->params['data']['member']['email'])) return false; $space_name = $this->params['data']['member']['username']; $userpass = $this->params['data']['member']['userpass']; $this->params['data']['member']['userpass'] = $this->authPasswd($this->params['data']['member']['userpass']); if(empty($this->params['data']['member']['space_name'])) $this->params['data']['member']['space_name'] = PbController::toAlphabets($space_name);//Todo: $uip = pb_ip2long(pb_getenv('REMOTE_ADDR')); if(empty($uip)){ pheader("location:".URL."redirect.php?message=".urlencode(L('sys_error'))); } $this->params['data']['member']['last_login'] = $this->params['data']['member']['created'] = $this->params['data']['member']['modified'] = $this->timestamp; $this->params['data']['member']['last_ip'] = pb_get_client_ip('str'); $email_exists = $this->checkUserExistsByEmail($this->params['data']['member']['email']); if ($email_exists) { flash("email_exists", null, 0); } $if_exists = $this->checkUserExist($this->params['data']['member']['username']); if ($if_exists) { flash('member_has_exists', null, 0); }else{ $this->save($this->params['data']['member']); ``` save 函数把我们的post数据做了foreach ``` function save($obj_name, $obj_id, $data) { if (empty($data)) { return false; } foreach ($data as $key=>$val) { if (in_array($key, array('title', 'keyword', 'description'))) { $this->add($obj_id, $obj_name, $key, $val); } ``` 官网测试下我们注册用户时。抓包，添加参数 ``` data%5Bmember%5D%5Bbalance_amount%5D=9999.99 ``` [<img src="https://images.seebug.org/upload/201407/271424070af9c29309822263819ef75080f195a9.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/271424070af9c29309822263819ef75080f195a9.jpg) 成功充值。。 [<img src="https://images.seebug.org/upload/201407/2714243417433e46c1ad0a9b967d43065e3a2c15.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/2714243417433e46c1ad0a9b967d43065e3a2c15.jpg) ### 漏洞证明： [<img src="https://images.seebug.org/upload/201407/2714243417433e46c1ad0a9b967d43065e3a2c15.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/2714243417433e46c1ad0a9b967d43065e3a2c15.jpg)

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™