### 简要描述: ### 详细说明: 发缺陷文件:/app/buyer_order.app.php 在这里有一个cancel_order (取消订单功能) ``` function cancel_order() { //echo 'aaaabbb'; $order_id = isset($_GET['order_id']) ? intval($_GET['order_id']) : 0; if (!$order_id) { echo Lang::get('no_such_order'); return; } $model_order =& m('order'); /* 只有待付款的订单可以取消 */ $order_info = $model_order->get("order_id={$order_id} AND buyer_id=" . $this->visitor->get('user_id') . " AND status " . db_create_in(array(ORDER_PENDING, ORDER_SUBMITTED))); if (empty($order_info)) { echo Lang::get('no_such_order'); return; } //echo 1113332555;exit(); if (!IS_POST) { header('Content-Type:text/html;charset=' . CHARSET); $this->assign('order', $order_info); $this->display('buyer_order.cancel.html'); } else { $model_order->edit($order_id, array('status' => ORDER_CANCELED)); if ($model_order->has_error()) { $this->pop_warning($model_order->get_error()); return; } /* 加回商品库存 */ $model_order->change_stock('+', $order_id); $cancel_reason = (!empty($_POST['remark'])) ?...
### 简要描述: ### 详细说明: 发缺陷文件:/app/buyer_order.app.php 在这里有一个cancel_order (取消订单功能) ``` function cancel_order() { //echo 'aaaabbb'; $order_id = isset($_GET['order_id']) ? intval($_GET['order_id']) : 0; if (!$order_id) { echo Lang::get('no_such_order'); return; } $model_order =& m('order'); /* 只有待付款的订单可以取消 */ $order_info = $model_order->get("order_id={$order_id} AND buyer_id=" . $this->visitor->get('user_id') . " AND status " . db_create_in(array(ORDER_PENDING, ORDER_SUBMITTED))); if (empty($order_info)) { echo Lang::get('no_such_order'); return; } //echo 1113332555;exit(); if (!IS_POST) { header('Content-Type:text/html;charset=' . CHARSET); $this->assign('order', $order_info); $this->display('buyer_order.cancel.html'); } else { $model_order->edit($order_id, array('status' => ORDER_CANCELED)); if ($model_order->has_error()) { $this->pop_warning($model_order->get_error()); return; } /* 加回商品库存 */ $model_order->change_stock('+', $order_id); $cancel_reason = (!empty($_POST['remark'])) ? $_POST['remark'] : $_POST['cancel_reason']; /* 记录订单操作日志 */ $order_log =& m('orderlog'); $order_log->add(array( 'order_id' => $order_id, 'operator' => addslashes($this->visitor->get('user_name')), 'order_status' => order_status($order_info['status']), 'changed_status' => order_status(ORDER_CANCELED), 'remark' => $cancel_reason, 'log_time' => gmtime(), )); ``` 其中$cancel_reason 变量直接写进去了log表当中 我们可以跟踪跟踪add这个函数 他首先调用了orderlog.model.php这个类 该类又继承了BaseModel类,在BaseModel类中可找到 add方法 ``` function add($data, $compatible = false) { if (empty($data) || !$this->dataEnough($data)) { return false; } $data = $this->_valid($data); if (!$data) { $this->_error('no_valid_data'); return false; } $insert_info = $this->_getInsertInfo($data); $mode = $compatible ? 'REPLACE' : 'INSERT'; $this->db->query("{$mode} INTO {$this->table}{$insert_info['fields']} VALUES{$insert_info['values']}"); $insert_id = $this->db->insert_id(); if ($insert_id) { if ($insert_info['length'] > 1) { for ($i = $insert_id; $i < $insert_id + $insert_info['length']; $i++) { $id[] = $i; } } else { /* 添加单条记录 */ $id = $insert_id; } } return $id; } ``` 直接写入数据库了 所以造成sql注入 触发过程, 必须先下订单,然后取消订单,抓包。。。。 如图。。。 [<img src="https://images.seebug.org/upload/201405/220005413107813f7ce93c6620e284ba833061cc.jpg" alt="HNL{@IF`~2V73D`)2D9J$)6.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/220005413107813f7ce93c6620e284ba833061cc.jpg) ### 漏洞证明: [<img src="https://images.seebug.org/upload/201405/220005413107813f7ce93c6620e284ba833061cc.jpg" alt="HNL{@IF`~2V73D`)2D9J$)6.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/220005413107813f7ce93c6620e284ba833061cc.jpg)
