
Vulnerability summary

Defect ID: wooyun-2014-078305

Title: Yuncart # multiple stored XSS

Vendor: Yuncart

Author: 小邪

Submitted: 2014-10-13 10:31

Fix deadline: 2015-01-11 10:32

Published: 2015-01-11 10:32

Vulnerability type: XSS (cross-site scripting)

Severity: High

Self-assessed rank: 12

Status: vendor could not be contacted, or vendor actively ignored the report

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-10-13: actively contacting the vendor and waiting for the vendor to claim the report; details not public
2015-01-11: the vendor has actively ignored the vulnerability; details disclosed to the public

Brief description:

Yuncart # multiple stored XSS. Each one can be used to capture the back-end (admin) cookie. Tested on the official demo.

Detailed description:

First XSS
/include/front/member.class.php

public function address() {
    if(ispostreq()) {
        $addressid = intval($_POST["addressid"]);
        // editing an existing address, but without permission to do so
        if($addressid && !DB::getDB()->selectexist("user_address","addressid","addressid='$addressid' AND uid='".$this->uid."'") ) {
            $this->setHint("user_no_priv","error");
        }

        // parameters
        $receiver = trim($_POST["receiver"]);
        $province = trim($_POST["province"]);
        $city = trim($_POST["city"]);
        $district = trim($_POST["district"]);
        $zipcode = trim($_POST["zipcode"]);
        $link = trim($_POST["link"]);
        $address = trim($_POST["address"]);
        $data = array(
            "receiver" =>$receiver,
            "province" =>$province,
            "city" =>$city,
            "district" =>$district,
            "zipcode" =>$zipcode,
            "link" =>$link,
            "address" =>$address,
            "uid" =>$this->uid);
        $text = '';
        if($addressid) { // edit address
            $text = 'edit';
            DB::getDB()->update("user_address",$data,"addressid='$addressid'");
        } else { // add address
            $text = 'add';
            DB::getDB()->insert("user_address",$data);
        }
        $this->setHint("address_{$text}_success","success");
    } else {
        $this->getHint();
        if(isset($_GET["op"]) && ($_GET['op'] == 'edit') ) { // operation
            $addressid = intval($_GET["addressid"]);
            $this->data["address"] = DB::getDB()->selectrow("user_address","*","addressid='$addressid' AND uid='".$this->uid."'");
            if(!$this->data["address"]) {
                $this->setHint("address_not_exist","error");
            }
            $this->getDistrictopt($this->data["address"]['province'],$this->data["address"]['city'],$this->data["address"]['district']);
            $this->data['opertype'] = "edit";
        } else {
            $this->data['opertype'] = "add";
        }
        // shipping address list
        $this->data['addresslist'] = DB::getDB()->select("user_address","*","uid='".$this->uid."'");
        $this->output("myaddress");
    }
}


Following update()

public function update($tableName,$data,$where,$only = false) {
    $sql = "UPDATE ".$this->getTableName($tableName)." SET ";
    if(is_array($data)) {
        foreach($data as $key=>$val) {
            // values are only SQL-escaped here; nothing is done about HTML
            $sql .= $this->escapekey($key) . "=" . $this->escapeval($val).",";
        }
    } else {
        $sql .= $data;
    }

    $sql = rtrim($sql,",")." "
        . $this->buildWhere($where)
        . ($only?" LIMIT 1":"")
    ;

    $this->query($sql);
    return $this->errno?false:true;
}


Now let's look at query()

public function query($sql) {
    $sql = preg_replace("/`(.+?)`/","\"\\1\"",$sql); // replace MySQL-style backticks with double quotes before executing

    $this->lastSql = $sql;
    $this->statement = $this->conn->prepare($sql);
    if(false === $this->statement) {

    }
    $result = $this->statement->execute();
    if(false === $result) {
        $error = $this->statement->errorInfo();
        $this->error = $error[2];
        $this->errno = $this->statement->errorCode();
        if($this->errno) {
            cerror("sqlsrv error:".$this->errno." ".$this->error);
        }
    }
    $this->querynum++;
}


As you can see, the query path only escapes SQL-injection characters; it never filters the characters that matter for XSS, so stored XSS is possible.
First register an account, then go to the user center and edit the shipping address.

[Screenshot: 1.jpg]


Save it, then go to the store, pick a product, and when submitting the order select the address just created.
The payload fires locally:

[Screenshot: 2.jpg]


Submit the order, then look at it from the back end:

[Screenshot: 3.jpg]


Proof of vulnerability:

Second XSS
Choose a product to buy, insert the code in the order remark field, and submit.

[Screenshot: 4.jpg]


Go to the back end and view the order details:

[Screenshot: 5.jpg]

Fix suggestion:

Filter the characters that are significant for XSS.
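The analysis above (SQL escaping in update()/query() does nothing for HTML) and this fix suggestion are illustrated by the following added example. It is not Yuncart's code: the sql_escape() helper stands in for the project's escapeval(), h() is the output-side encoding the templates would need, the $address record is a constructed sample of what comes back from user_address, and the six-digit zipcode rule is an assumed format check.

```php
<?php
// Added example, not Yuncart's code: why SQL escaping does not stop stored XSS,
// and how HTML-escaping at render time does.

// Constructed sample row, as it would be read back from user_address.
$address = [
    'receiver' => '<script>alert(1)</script>',  // constructed marker input
    'city'     => 'Shanghai',
    'zipcode'  => '200000',
];

// Stand-in for escapeval(): protects the SQL statement, not the HTML page.
function sql_escape(string $v): string {
    return addslashes($v);
}

// What every untrusted value must pass through before being written into HTML.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids empty output
// on invalid UTF-8.
function h(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the stored value is written straight into the page,
// which is the pattern behind both XSS findings above.
function render_vulnerable(array $a): string {
    return "<td>{$a['receiver']}</td><td>{$a['city']}</td>";
}

// Hardened rendering: encode at the point of output, field by field.
function render_safe(array $a): string {
    return "<td>" . h($a['receiver']) . "</td><td>" . h($a['city']) . "</td>";
}

// Defence in depth for fields with a known shape (assumed six-digit postal code).
function valid_zipcode(string $z): bool {
    return (bool) preg_match('/^\d{6}$/', $z);
}

echo "SQL-escaped only: " . sql_escape($address['receiver']) . "\n";
// addslashes() leaves <script> intact, so the tag would still execute in the admin page.
echo "Vulnerable HTML:  " . render_vulnerable($address) . "\n";
echo "Safe HTML:        " . render_safe($address) . "\n";
echo "zipcode valid:    " . var_export(valid_zipcode($address['zipcode']), true) . "\n";
```

Encoding at output is preferable to stripping characters on input: the same stored value may be rendered in HTML, in a JSON response and in an e-mail, and each context needs its own encoding; a blacklist applied once at storage time cannot know which one. Input validation such as valid_zipcode() is still worth adding for fields whose format is fixed.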

Copyright notice: when reposting, please credit the source 小邪@乌云


Vulnerability response

Vendor response:

Unable to contact the vendor, or the vendor actively refused