### Brief description:
PHPSHE B2C商城系统 v1.2 (build 20140519 UTF8)

### Details:
In index.php:

```php
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// the daily IP log lookup: the return value of pe_ip() becomes the iplog_ip condition
if (!$db->pe_num('iplog', array('iplog_ip'=>pe_ip(), 'iplog_adate'=>date('Y-m-d')))) {
```

The `iplog` lookup runs on every visit to index.php and feeds the return value of `pe_ip()` into the query as the `iplog_ip` condition. `pe_ip()` is:

```php
function pe_ip() {
    if (isset($_SERVER)) {
        // client-supplied headers are consulted before the real peer address
        if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
            $realip = $_SERVER["HTTP_X_FORWARDED_FOR"];
        } else if (isset($_SERVER["HTTP_CLIENT_IP"])) {
            $realip = $_SERVER["HTTP_CLIENT_IP"];
        } else {
            $realip = $_SERVER["REMOTE_ADDR"];
        }
    } else {
        if (getenv("HTTP_X_FORWARDED_FOR")) {
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } else if (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
    return $realip;
}
```

No filtering is applied. The `X-Forwarded-For` (and `Client-IP`) request headers are entirely attacker-controlled, take precedence over `REMOTE_ADDR`, and are returned verbatim, so whatever the client puts in the header is passed straight into the query, causing SQL injection.

### Proof of vulnerability:
[![ps2.jpg](https://images.seebug.org/upload/201405/23212103cd7297468d859026bceb761961cc56a6.jpg)](https://images.seebug.org/upload/201405/23212103cd7297468d859026bceb761961cc56a6.jpg)

The database reports an error.

[![ps3.jpg](https://images.seebug.org/upload/201405/23212121c56262f0cf2b74df4ac43a5cb0723272.jpg)](https://images.seebug.org/upload/201405/23212121c56262f0cf2b74df4ac43a5cb0723272.jpg)

The header value is passed into the query; it is injectable.
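The following is an added example, not PHPSHE's own code: it places the original header-first logic beside a hardened replacement that only honours `X-Forwarded-For` when the TCP peer is a known proxy and only returns syntactically valid addresses, falling back to `REMOTE_ADDR` otherwise. The proxy list `TRUSTED_PROXIES`, the function names `pe_ip_vulnerable`/`pe_ip_safe` and the request arrays are constructed for the illustration and are not part of the project.

```php
<?php
// Added example, not PHPSHE code. Assumption (hypothetical): the site sits
// behind one reverse proxy at 10.0.0.1; adjust the list for a real deployment.
const TRUSTED_PROXIES = ['10.0.0.1'];

// Mirrors the original pe_ip(): the first header present wins, unvalidated.
function pe_ip_vulnerable(array $server): string {
    if (isset($server['HTTP_X_FORWARDED_FOR'])) {
        return $server['HTTP_X_FORWARDED_FOR'];
    }
    if (isset($server['HTTP_CLIENT_IP'])) {
        return $server['HTTP_CLIENT_IP'];
    }
    return $server['REMOTE_ADDR'];
}

// Hardened version: REMOTE_ADDR comes from the TCP connection and cannot be
// set by the client, so it is the only value trusted by default.
function pe_ip_safe(array $server): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';
    }
    // A direct client connection: ignore any forwarding headers it sends.
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;
    }
    // Connection from our proxy: X-Forwarded-For is "client, proxy1, ...".
    // Walk from the right, skip our own proxies, and accept the first hop
    // that parses as an IP address. Anything else means the header was
    // tampered with, so fall back to the proxy address.
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (in_array($hop, TRUSTED_PROXIES, true)) {
            continue;
        }
        if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
            return $hop;
        }
        break;
    }
    return $remote;
}

// Constructed request: a direct client sends a quote-laden X-Forwarded-For.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_X_FORWARDED_FOR' => "1.2.3.4' AND 1=1 -- ",
];
var_dump(pe_ip_vulnerable($direct)); // string(20) "1.2.3.4' AND 1=1 -- " reaches the query
var_dump(pe_ip_safe($direct));       // string(11) "203.0.113.9"

// Same payload arriving through the trusted proxy: malformed hop, fall back.
$viaProxyBad = $direct;
$viaProxyBad['REMOTE_ADDR'] = '10.0.0.1';
var_dump(pe_ip_safe($viaProxyBad));  // string(8) "10.0.0.1"

// Legitimate chain through the proxy: the real client address is returned.
$viaProxyOk = [
    'REMOTE_ADDR'          => '10.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.1',
];
var_dump(pe_ip_safe($viaProxyOk));   // string(12) "198.51.100.7"
```

Validating the address is defence in depth, not the primary fix: the `iplog_ip` value should still reach the database through a bound parameter or proper escaping in `pe_num()`, so that any future caller passing unvalidated input cannot reopen the same hole.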