### Brief description:

Basically it lets you help the administrator manage orders and such, an anonymous living Lei Feng~

### Detailed description:

When the WAP feature (mobile storefront) is enabled, a visitor who is not logged in can operate on other users' orders: view the orders of non-registered users, cancel any user's order, confirm receipt of any user's order, and so on.

The vulnerability lies in the /mobile/user.php page.

1. Viewing non-registered users' orders

```php
elseif ($act == 'order_list') // /mobile/user.php, from line 49
{
    $record_count = $db->getOne("SELECT COUNT(*) FROM " .$ecs->table('order_info'). " WHERE user_id = {$_SESSION['user_id']}"); // non-registered users can place orders directly
    ...
    $orders = get_user_orders($_SESSION['user_id'], $page_num, $page_num * ($page - 1)); // line 100; get_user_orders is in /includes/lib_transaction.php, and you can see it fetches the orders of user_id=0
```

2. Cancelling any user's order

```php
elseif ($act == 'cancel_order') // /mobile/user.php, from line 118
{
    include_once(ROOT_PATH . 'includes/lib_transaction.php');
    include_once(ROOT_PATH . 'includes/lib_order.php');
    $order_id = isset($_GET['order_id']) ? intval($_GET['order_id']) : 0;
    if (cancel_order($order_id, $_SESSION['user_id']))
    {
        ecs_header("Location: user.php?act=order_list\n");
        exit;
    }
}
....
/* cancel_order is in /includes/lib_transaction.php, from line 353 */
function cancel_order($order_id, $user_id = 0)
{
    /* query the order info and check its status */
    $sql = "SELECT user_id, order_id, order_sn , surplus , integral , bonus_id, order_status, shipping_status, pay_status FROM " .$GLOBALS['ecs']->table('order_info') ." WHERE order_id = '$order_id'";
    $order = $GLOBALS['db']->GetRow($sql);
    if (empty($order))
    {
        $GLOBALS['err']->add($GLOBALS['_LANG']['order_exist']);
        return false;
    }
    // if the user ID is greater than 0, check whether the order belongs to that user
    if ($user_id > 0 && $order['user_id'] != $user_id) // this is the key point: not logged in, so $user_id = 0 and the check is bypassed~~
    {
        $GLOBALS['err'] ->add($GLOBALS['_LANG']['no_priv']);
        return false;
    }
    .....
```

3. Confirming receipt of any user's order

```php
elseif ($act == 'affirm_received') // /mobile/user.php, from line 118
{
    include_once(ROOT_PATH . 'includes/lib_transaction.php');
    $order_id = isset($_GET['order_id']) ? intval($_GET['order_id']) : 0;
    $_LANG['buyer'] = '买家';
    if (affirm_received($order_id, $_SESSION['user_id']))
    {
        ecs_header("Location: user.php?act=order_list\n");
        exit;
    }
}
/* the affirm_received function is in /includes/lib_transaction.php and has the same user_id check as cancel_order */
```

The cause of all of the above is that there is no check for whether the user is logged in. Look at the code of /user.php (the non-mobile version), from line 40:

```php
/* handling for users who are not logged in */
if (empty($_SESSION['user_id']))
{
    if (!in_array($action, $not_login_arr))
    {
        if (in_array($action, $ui_arr))
        {
            ......
```

This not-logged-in handling rules out unauthorized operations while not logged in, but the mobile version /mobile/user.php has none. Forgot to add it?

### Proof of vulnerability:

![1.png](https://images.seebug.org/upload/201305/26220744937eb3747d1f6a5051b45f3d84bf56b0.png)

Executed while not logged in: http://localhost/test/ecshop/mobile/user.php?act=cancel_order&order_id=31

![2.png](https://images.seebug.org/upload/201305/26220756738a9f17248899a911cbbe6a512fb5d1.png)
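The following is an added example of how the mobile handler could be hardened; it is not ECShop's own code. It applies the same not-logged-in gate that /user.php uses to /mobile/user.php, and adds an explicit ownership check before the order-modifying action so the handler no longer depends on `cancel_order()` skipping its check when `$user_id` is 0. The contents of `$not_login_arr`, the use of `$_REQUEST['act']`, and the helper name `order_belongs_to_user` are assumptions for illustration; `$db->getOne`, `$ecs->table`, `ecs_header` and `cancel_order` are the calls already shown on the page.

```php
<?php
// Added example, not ECShop's code. Assumes the ECShop globals ($db, $ecs,
// $_LANG, $err) and ROOT_PATH are already set up by the framework bootstrap.

// Actions that may be reached without a session (list assumed for illustration).
$not_login_arr = array('login', 'act_login', 'register', 'act_register');

$act = isset($_REQUEST['act']) ? trim($_REQUEST['act']) : 'default';

// Gate, mirroring /user.php: no session user_id and the action is not in the
// public list means the request is sent to the login page before any order
// logic runs. This alone closes order_list, cancel_order and affirm_received
// for unauthenticated visitors.
if (empty($_SESSION['user_id']) && !in_array($act, $not_login_arr))
{
    ecs_header("Location: user.php?act=login\n");
    exit;
}

/**
 * Return true only when $order_id exists and belongs to $user_id.
 * A user_id of 0 (no session) never matches any order, unlike the library
 * check, which skips ownership verification entirely when $user_id is 0.
 */
function order_belongs_to_user($order_id, $user_id)
{
    $order_id = intval($order_id);
    $user_id  = intval($user_id);
    if ($order_id <= 0 || $user_id <= 0)
    {
        return false;
    }
    $sql = "SELECT user_id FROM " . $GLOBALS['ecs']->table('order_info') .
           " WHERE order_id = '" . $order_id . "'";
    $owner = $GLOBALS['db']->getOne($sql);
    return $owner !== false && intval($owner) === $user_id;
}

if ($act == 'cancel_order')
{
    include_once(ROOT_PATH . 'includes/lib_transaction.php');
    include_once(ROOT_PATH . 'includes/lib_order.php');
    $order_id = isset($_GET['order_id']) ? intval($_GET['order_id']) : 0;

    // Defense in depth: verify ownership in the handler, then call the
    // library function with the session user as before.
    if (!order_belongs_to_user($order_id, $_SESSION['user_id']))
    {
        $GLOBALS['err']->add($GLOBALS['_LANG']['no_priv']);
    }
    elseif (cancel_order($order_id, $_SESSION['user_id']))
    {
        ecs_header("Location: user.php?act=order_list\n");
        exit;
    }
}
```

The same `order_belongs_to_user` check should precede `affirm_received` and the `order_list` query. For detection on an unpatched install, requests to `/mobile/user.php` with `act=cancel_order` or `act=affirm_received` that carry no session cookie, or whose session has no `user_id`, are the signature of this issue in the access log.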