当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-069885

漏洞标题:PHPB2B 最新版sql注射无限充值(官网demo成功)

相关厂商:phpb2b.com

漏洞作者: roker

提交时间:2014-07-27 23:52

修复时间:2014-10-25 23:54

公开时间:2014-10-25 23:54

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-07-27: 细节已通知厂商并且等待厂商处理中
2014-07-30: 厂商已经确认,细节仅向厂商公开
2014-08-02: 细节向第三方安全合作伙伴开放
2014-09-23: 细节向核心白帽子及相关领域专家公开
2014-10-03: 细节向普通白帽子公开
2014-10-13: 细节向实习白帽子公开
2014-10-25: 细节向公众公开

简要描述:

rt

详细说明:

看到注册用户处

if(isset($_POST['register'])){
	$is_company = false;
	$if_need_check = false;
	$register_type = trim($_POST['register']);
	$register_typename = trim($_POST['typename']);
	pb_submit_check('data');
	$default_membergroupid_res = $pdb->GetRow("SELECT * FROM {$tb_prefix}membertypes WHERE name='".$register_typename."'");
	$default_membergroupid = $default_membergroupid_res['default_membergroup_id'];
	if(empty($default_membergroupid)) $default_membergroupid = $membergroup->field("id","is_default=1");
	if ($default_membergroupid_res['id']>1) {
		$is_company = true;
	}
	$member->setParams();
	$memberfield->setParams();
	$member->params['data']['member']['membergroup_id'] = $default_membergroupid;
	$time_limits = $pdb->GetOne("SELECT default_live_time FROM {$tb_prefix}membergroups WHERE id={$default_membergroupid}");
	$member->params['data']['member']['service_start_date'] = $time_stamp;
	$member->params['data']['member']['service_end_date'] = $membergroup->getServiceEndtime($time_limits);
	$member->params['data']['member']['membertype_id'] = ($is_company)?2:1;
	if($member_reg_auth=="1" || $member_reg_auth!=0 || !empty($G['setting']['new_userauth'])){
		$member->params['data']['member']['status'] = 0;
		$if_need_check = true;
	}else{
		$member->params['data']['member']['status'] = 1;
	}
	$updated = false;
	$updated = $member->Add();


跟进add

function Add()
	{
		global $_PB_CACHE, $memberfield, $phpb2b_auth_key, $if_need_check;
		$error_msg = array();
		if (empty($this->params['data']['member']['username']) or 
		empty($this->params['data']['member']['userpass']) or 
		empty($this->params['data']['member']['email'])) return false;
		$space_name = $this->params['data']['member']['username'];
		$userpass = $this->params['data']['member']['userpass'];
		$this->params['data']['member']['userpass'] = $this->authPasswd($this->params['data']['member']['userpass']);
		if(empty($this->params['data']['member']['space_name']))
		$this->params['data']['member']['space_name'] = PbController::toAlphabets($space_name);//Todo:
		$uip = pb_ip2long(pb_getenv('REMOTE_ADDR'));
		if(empty($uip)){
			pheader("location:".URL."redirect.php?message=".urlencode(L('sys_error')));
		}
		$this->params['data']['member']['last_login'] = $this->params['data']['member']['created'] = $this->params['data']['member']['modified'] = $this->timestamp;
		$this->params['data']['member']['last_ip'] = pb_get_client_ip('str');
		$email_exists = $this->checkUserExistsByEmail($this->params['data']['member']['email']);
		if ($email_exists) {
			flash("email_exists", null, 0);
		}
		$if_exists = $this->checkUserExist($this->params['data']['member']['username']);
		if ($if_exists) {
			flash('member_has_exists', null, 0);
		}else{
			$this->save($this->params['data']['member']);


save 函数把我们的post数据 做了foreach 

function save($obj_name, $obj_id, $data)
	{
		if (empty($data)) {
			return false;
		}
		foreach ($data as $key=>$val) {
			if (in_array($key, array('title', 'keyword', 'description'))) {
				$this->add($obj_id, $obj_name, $key, $val);
			}


官网测试下
我们注册用户时。抓包,添加参数

data%5Bmember%5D%5Bbalance_amount%5D=9999.99


1.jpg


成功充值。。

2.jpg

漏洞证明:

2.jpg

修复方案:

你们更加专业

版权声明:转载请注明来源 roker@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-07-30 19:45

厂商回复:

确认

最新状态:

2014-07-30:新版已修正该问题https://github.com/ulinke/phpb2b/archive/master.zip