### Summary:

Insufficient filtering.

### Details:

Last time it was alipay; this time paypal. tenpay has the same hole, so paypal and tenpay are covered together.

In api\pay\paypal\notify.php:

```php
require '../../../common.inc.php';
$_POST = $_DPOST;
if(!$_POST) exit('fail');
$bank = 'paypal';
$PAY = cache_read('pay.php');
if(!$PAY[$bank]['enable']) exit('fail'); // this payment method must be enabled
if(!$PAY[$bank]['partnerid']) exit('fail');
```

```php
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payer_email = $_POST['payer_email'];
$charge_status = 0;
// $item_number comes straight from POST and is interpolated into the query
$sql="SELECT * FROM {$DT_PRE}finance_charge WHERE itemid='$item_number' AND status=0";
$r = $db->get_one("SELECT * FROM {$DT_PRE}finance_charge WHERE itemid='$item_number' AND status=0");
```

The paypal handler has no filtering and does not even verify the notification: the value goes straight into the query, so this is direct SQL injection.

————————————————————————————————————————

tenpay

```php
if($resHandler->isTenpaySign()) {
    // notification id
    $notify_id = $resHandler->getParameter("notify_id");
    // query by notification id to make sure the notification came from Tenpay
    // build the verification request
    $queryReq = new RequestHandler();
    $queryReq->init();
    $queryReq->setKey($key);
    $queryReq->setGateUrl("https://gw.tenpay.com/gateway/simpleverifynotifyid.xml");
    $queryReq->setParameter("partner", $partner);
    $queryReq->setParameter("notify_id", $notify_id);
    // communication object
```

tenpay has an extra verification step, but it can be passed easily.

```php
$transaction_id = $resHandler->getParameter("transaction_id");
// amount, in fen (cents)
$total_fee = $resHandler->getParameter("total_fee");
// if a coupon was used, discount is set and total_fee + discount equals the originally requested total_fee
$discount = $resHandler->getParameter("discount");
//------------------------------
// business logic starts here
//------------------------------
// database handling
// make sure a transaction is not processed twice
// check the returned amount
$total_fee = ($total_fee+$discount)/100;
// $out_trade_no is read from the notification elsewhere in the file (not shown in this excerpt)
$r = $db->get_one("SELECT * FROM {$DT_PRE}finance_charge WHERE itemid='$out_trade_no'");
```

The value is then carried into the query.

### Proof of vulnerability:

![d8.jpg](https://images.seebug.org/upload/201403/301514306c88f2c3f26155c1d45a826e2faa84b3.jpg)

Look at the statement that gets executed.

![d9.jpg](https://images.seebug.org/upload/201403/301516466198a5cacc598b3b23ef6e29b1dfbbd1.jpg)
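For comparison, here is a hardened shape of the PayPal notify handler: it validates the IPN with PayPal before trusting any field, and looks up the charge with a bound parameter instead of interpolating `item_number` into the SQL string. This is an added example, not Destoon's code; the PDO connection, the `$prefix` table prefix, the merchant e-mail and the `amount` column on `finance_charge` are assumptions.

```php
<?php
// Added hardening example (not Destoon's code). Assumed: a PDO connection, the
// table prefix $prefix, the merchant's PayPal e-mail, and an `amount` column.

// Ask PayPal whether this notification is genuine before trusting any field.
function ipnIsVerified(array $post): bool
{
    $body = http_build_query(['cmd' => '_notify-validate'] + $post);
    $ctx = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $body,
        'timeout' => 10,
    ]]);
    $resp = @file_get_contents('https://ipnpb.paypal.com/cgi-bin/webscr', false, $ctx);
    return $resp === 'VERIFIED';
}

// Look up the pending charge with a bound parameter instead of interpolating
// $_POST['item_number'] into the SQL string, which is the injection point.
function findPendingCharge(PDO $pdo, string $prefix, string $itemNumber): ?array
{
    if (!ctype_digit($itemNumber)) {          // itemid is numeric; reject anything else
        return null;
    }
    $sql = "SELECT * FROM {$prefix}finance_charge WHERE itemid = ? AND status = 0";
    $stmt = $pdo->prepare($sql);               // $prefix is server config, not user input
    $stmt->execute([(int) $itemNumber]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Returns the matching charge only when the IPN is verified, completed, addressed
// to this merchant, and for the amount we expect; null means "do nothing".
function acceptPaypalNotify(PDO $pdo, string $prefix, string $merchantEmail, array $post): ?array
{
    if (!$post || !ipnIsVerified($post)) {
        return null;
    }
    if (($post['payment_status'] ?? '') !== 'Completed'
        || ($post['receiver_email'] ?? '') !== $merchantEmail) {
        return null;
    }
    $charge = findPendingCharge($pdo, $prefix, (string) ($post['item_number'] ?? ''));
    if ($charge === null
        || number_format((float) ($post['mc_gross'] ?? 0), 2, '.', '')
           !== number_format((float) $charge['amount'], 2, '.', '')) {
        return null;                            // amount mismatch or no pending charge
    }
    return $charge;                             // caller marks it paid once, keyed by txn_id
}
```

The caller should still record `txn_id` and refuse to credit the same transaction twice, which the original excerpt's own comment ("make sure a transaction is not processed twice") asks for but does not enforce.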