当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-080791

漏洞标题:B2Bbuilder 网站商城存在越权操作十余处

相关厂商:shop-builder.cn

漏洞作者: nextdoor

提交时间:2014-10-28 13:58

修复时间:2014-12-30 14:44

公开时间:2014-12-30 14:44

漏洞类型:非授权访问/权限绕过

危害等级:中

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-10-28: 细节已通知厂商并且等待厂商处理中
2014-11-02: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-12-27: 细节向核心白帽子及相关领域专家公开
2015-01-06: 细节向普通白帽子公开
2015-01-16: 细节向实习白帽子公开
2014-12-30: 细节向公众公开

简要描述:

B2Bbuilder 网站商城存在多处越权操作10处

详细说明:

下载的版本 B2Bbuilder B2B网站管理系统 v7.0 .1最新 正式版
1-3处

main.php中 
switch ($action){
case "admin_subscribe":
{
include_once("includes/plugin_tradealter_class.php");
$tradealter=new tradealter();
if(!empty($_POST['addid']))
{
if(!empty($_POST['seditid']))
$re=$tradealter->up_subscribe($_POST['seditid']); //跟踪up_subscribe函数
else
$re=$tradealter->up_subscribe();
if($re)
msg("main.php?action=admin_subscribe");
}
if(!empty($_GET['editid']))
$tpl->assign("de",$tradealter->list_subscribe($_GET['editid'])); //跟踪list_subscribe函数
if(!empty($_GET['delid']))
$tradealter->delete_subscribe($_GET['delid']); //跟踪delete_subscribe函数
$tpl->assign("subscribe",$tradealter->list_subscribe());
$page="admin_subscribe.htm";
break;
}
include/plugin_tradealter_class.php文件
function up_subscribe($sid='')
{
global $buid,$config;
if(!empty($sid))
{
$nt=time();
$sql="update ".SUBSCRIBE." set keywords='$_POST[keycon]',ktype='$_POST[ktype]',p_catids='$_POST[catids]',p_cats='$_POST[cats]',validity='$_POST[validity]',frequency='$_POST[frequency]',uptime='$nt',email='$_POST[email]' where id='$sid'"; //未判断所属用户直接操作
$this->db->query($sql);
}
else
{
$nt=time();
$sql="insert into ".SUBSCRIBE." (userid,keywords,ktype,p_catids,p_cats,validity,frequency,uptime,email)
values ( '$buid','$_POST[keycon]','$_POST[ktype]','$_POST[catids]','$_POST[cats]','$_POST[validity]','$_POST[frequency]','$nt','$_POST[email]')";
$this->db->query($sql);
include("includes/point_inc.php");
if($point_config['point']=='1'&&$point_config['sub_scribe']!='0')
renew_point('',$point_config['sub_scribe']);
}
}
include/plugin_tradealter_class.php文件
function list_subscribe($id="")
{
global $buid;
if(empty($id))
{
$sql="select * from ".SUBSCRIBE." where userid='$buid' order by uptime desc";
$this->db->query($sql);
$re=$this->db->getRows();
}
else
{
$sql="select * from ".SUBSCRIBE." where id='$id'";//未判断属性导致越权
$this->db->query($sql);
$re=$this->db->fetchRow();
}
return $re;
}
include/plugin_tradealter_class.php
function delete_subscribe($did="")
{
global $buid;
$sql="delete from ".SUBSCRIBE." where id='$did'";
//可以任意删除他人的内容
$this->db->query($sql);
}


第四处

case "admin_adv_list":
{
if(!empty($_GET['deid']))
$db->query("delete from ".ADVSCON." where ID='$_GET[deid]'"); //越权,任意删除订单
if(!empty($_GET['order_id']))
$db->query("update ".ADVSCON." set statu=1 where ID='$_GET[order_id]'");

$db->query("select * from ".ADVSCON." where userid='$buid'");
$tpl->assign("re",$re = $db->getRows());
$page= "admin_adv_list.htm";
break;
}


第5—6处

case "admin_subuser":
{
if(!empty($_GET['deid']))
$admin->delete_personal($_GET['deid']);

if(!empty($_POST['action'])&&$_POST['action']=='submit')
{
$admin->add_personal();
msg("main.php?action=admin_subuser&t=1&adduser=$_GET[adduser]");
}
if(!empty($_POST['action'])&&$_POST['action']=='update')
{
$admin->update_personal($_POST['uid']); //存在越权
msg("main.php?action=admin_subuser&adduser=$_GET[adduser]&t=1");
}

include_once("lang/".$config['language']."/company_type_config.php");
$tpl->assign("de",$de=$admin->get_personal_detail($_GET['editid'])); //存在越权
$tpl->assign("plist",$admin->get_personal_list());
$tpl->assign("prov",get_province($de['province']));

if(!empty($_GET['adduser']))
{
$nohead='true';
$page="admin_add_personal.htm";
if(empty($_GET['editid']))
$tpl->assign("de",NULL);
}
else
$page="admin_subuser.htm";
break;
}
跟踪函数 update_personal
function update_personal($uid)
{
global $config,$buid;$logo=NULL;$ssql=NULL;
if(empty($uid))
$uid=$buid;
$_POST['province']=!empty($_POST['province1'])?$_POST['province1']:$_POST['province'];
$_POST['city']=!empty($_POST['city1'])?$_POST['city1']:$_POST['city'];
$_POST['sex']=empty($_POST['sex'])?1:$_POST['sex'];

$sql="UPDATE ".ALLUSER." SET
name='$_POST[name]',email='$_POST[email]',email2='$_POST[email2]',tel='$_POST[tel]',qq='$_POST[qq]',province='$_POST[province]',city='$_POST[city]',sex='$_POST[sex]',skype='$_POST[skype]',position='$_POST[position]',mobile='$_POST[mobile]',logo='$_POST[logo]'
WHERE userid='$uid'"; //对属性判断不严

$re=$this->db->query($sql);
return $re;
}
get_personal_detail函数
function get_personal_detail($id)
{
global $buid,$config;
if(empty($id))
$id=$buid;
$sql="select * from ".ALLUSER." a left join ".COUNTRY." b on a.country=b.id WHERE a.userid='$id'";//认证不严
$this->db->query($sql);
$re=$this->db->fetchRow();
if($config['language']=='cn')
$re['country']=$re['cname'];
else
$re['country']=$re['ename'];
return $re;
}


第七处

admin_message_det.php 
f(!empty($_GET['deid']))
{
$msg->del_mail($_GET['deid']*1);
msg("main.php?m=message&s=admin_message_list_inbox");//删除后进入收件箱
}
if(!empty($_GET['save_id']))
{
$msg->save_mail($_GET['save_id']*1);
}
if(!empty($_GET['remove']))
{
$msg->remove_mail($_GET['remove']*1);
}
if(!empty($_GET['recover']))
{
$msg->recover_mail($_GET['recover']*1);
}
$tpl->assign("re",$msg ->mail_det($_GET['id'])); //存在越权
$tpl->assign("config",$config);
$tpl->assign("lang",$lang);
plugin_msg_class.php文件
function mail_det($id)
{
global $buid;
$sql="select *,NULL as about from ".FEEDBACK." where id='$id'"; //id参数
$this->db->query($sql);
$re=$this->db->fetchRow();
if($re['iflook']<1)
{
$sql="update ".FEEDBACK." SET iflook=1 WHERE id='$id'";
$this->db->query($sql);
}

if($re["fromuserid"]&&$re['msgtype']==1)
{//收件箱
$sql="select * from ".ALLUSER." where userid='".$re['fromuserid']."'";
$this->db->query($sql);
$re["fromInfo"]=$this->db->fetchRow();
}
if($re["touserid"]&&$re['msgtype']==2)
{//发件箱
$sql="select * from ".ALLUSER." where userid='".$re['touserid']."'";
$this->db->query($sql);
$re["fromInfo"]=$this->db->fetchRow();
}
if($re['fromuserid'])
{
$sql="select id from ".FRIENDS." where fuid=$re[fromuserid]";
$this->db->query($sql);
$re["is_myfriend"]=$this->db->fetchField('id');
}

$re['edit_con']='<br><br><br><br><br>//======================================================='.$re['con'];

return $re;
}


第八处

admin_message_list_savebox.php
<?php
include_once("$config[webroot]/includes/page_utf_class.php");
include_once("$config[webroot]/module/message/includes/plugin_msg_class.php");
$msg=new msg();
//======================================================
if(isset($_POST["deid"])&&!empty($_POST['del']))
{
$msg->del_freom_save_mail(); //跟踪函数
}
$type='savebox';
$tpl->assign("re",$msg ->mail_list($type));
//======================================================
$tpl->assign("config",$config);
$tpl->assign("lang",$lang);
$output=tplfetch("admin_message_list_savebox.htm");
?>
function del_freom_save_mail()
{
if(empty($id))
{
for($i=0;$i<count($_POST["deid"]);$i++)
{
$id=$_POST["deid"][$i];
$sql="update ".FEEDBACK." set is_save=0 where id=$id"; //id参数
$this->db->query($sql);
unset($sql);
}
}
else
{
$sql="update ".FEEDBACK." set is_save=0 where id=$id";
$this->db->query($sql);
}
}


第九处

admin_message_list_outbox.php
<?php
include_once("$config[webroot]/includes/page_utf_class.php");
include_once("$config[webroot]/module/message/includes/plugin_msg_class.php");
$msg=new msg();
//================================================
if(isset($_POST["deid"])&&!empty($_POST['del']))
{
$msg->del_mail(); //跟踪函数
}
$type='outbox';
$tpl->assign("re",$msg ->mail_list($type));
//===============================================
$tpl->assign("config",$config);
$tpl->assign("lang",$lang);
$output=tplfetch("admin_message_list_outbox.htm");
?>
plugin_msg_class.php
function del_mail($id=NULL)
{
if(empty($id))
{
for($i=0;$i<count($_POST["deid"]);$i++)
{
$id=$_POST["deid"][$i];
$sql="update ".FEEDBACK." set iflook=2 where id=$id"; //id元素
$this->db->query($sql);
unset($sql);
}
}
else
{
$sql="update ".FEEDBACK." set iflook=2 where id=$id";
$this->db->query($sql);
}
}
//关于message这个类的越权还有很多,在这列举几个,其他的漏洞开发自己好好审审吧


第十处

<?php
include_once("$config[webroot]/module/message/includes/plugin_friend_class.php");
$friend=new friend();
//============================================================
if(isset($_GET['editid'])&&is_numeric($_GET['editid']))
$tpl->assign("de",$friend->edit_friend_info($_GET['editid']));//edit_friend_info函数

if(isset($_GET['friendid']))
$tpl->assign("de",$friend->get_friend_info($_GET['friendid']));
if(isset($_GET['detail_id'])&&is_numeric($_GET['detail_id']))
$tpl->assign("de",$friend->edit_friend_info($_GET['detail_id']));

if(isset($_POST['isure']))
{
if(!empty($_POST['editid']))
$friend->update_friend_info($_POST['editid']);
else
$friend->update_friend_info();
}
//==================================
plugin_msg_class.php
function edit_friend_info($id='')
{
$sql="select * from ".FRIENDS." where id='$id'"; //id参数
$this->db->query($sql);
$rs=$this->db->fetchRow();
return $rs;
}


第十一处

dmin_friends_list.php 
<?php
include_once("$config[webroot]/module/message/includes/plugin_friend_class.php");
$friend=new friend();
//============================================================
include_once("$config[webroot]/includes/page_utf_class.php");
if(isset($_GET['delid'])&&is_numeric($_GET['delid']))
{
$friend->del_friend_info($_GET['delid']); //跟踪函数
}
$tpl->assign("re",$friend->friends_list());
//==================================
$tpl->assign("config",$config);
$tpl->assign("lang",$lang);
$output=tplfetch("admin_friends_list.htm");
?>
plugin_friend_class.php
function del_friend_info($id='')
{
$sql="delete from ".FRIENDS." where id='$id'"; //id函数
$this->db->query($sql);
}


第十二处

admin_brand.php 
http://democn.b2b-builder.com/main.php?edit=428&m=brand&s=admin_brand
include_once("$config[webroot]/module/brand/includes/plugin_brand_class.php");
$brand=new brand();
//============================================================
if(!empty($submit)&&empty($_POST['editID']))
{
$re=$brand->add_brand();
if($re)
msg("main.php?m=brand&s=admin_brand_list");
}
if(isset($_POST['editID']))
{
$re=$brand->edit_brand(); //跟踪函数
if($re)
msg("main.php?m=brand&s=admin_brand_list");
}
if(isset($_GET['edit']))
{
$tpl->assign("de",$brand->brand_detail($_GET['edit']));
}
//==================================
$tpl->assign("country",country_list());
$tpl->assign("config",$config);
$tpl->assign("lang",$lang);
$output=tplfetch("admin_brand.htm");
?>
plugin_friend_class.php中
function edit_brand()
{
global $config;
include_once($config['webroot'].'/lib/allchar.php');

if($config['language']=='cn')
$sql="select cname as name from ".COUNTRY." where id='$_POST[country]'";
else
$sql="select ename as name from ".COUNTRY." where id='$_POST[country]'";
$this->db->query($sql);
$country=$this->db->fetchField('name');
$province=$_POST['province'];
$city=$_POST['city'];
if(empty($province) and empty($city))
{
$province=$_POST['province1'];
$city=$_POST['city1'];
}
$str=c(trim($_POST['name']));
$fstr=substr($str,0,1);


$sql="update ".BRAND." set name='".$_POST['name']."',con='".$_POST['con']."',company='".$_POST['company']."',tel='".$_POST['tel']."',pic='".$_POST['pic']."',statu='0',url='$_POST[url]',country='$country',province='$province',city='$city',time='".time()."',inner_url='$_POST[inner_url]',char_index='$fstr',char_all='$str' where id='".$_POST['editID']."'"; //editID 参数
$re=$this->db->query($sql);
return $re;
}


第十三处

admin_news.php

<?php
include_once("$config[webroot]/module/".$_GET['m']."/includes/plugin_news_class.php");
$news=new news();
//===============================================
$class=$news->get_newsclass();
$tpl->assign("class",$class);
if(isset($_GET['newsid']) and $_POST['action']=="edit")
{
$news->fun_news('edit'); //跟踪fun_news函数
$admin->msg("main.php?m=$_GET[m]&s=admin_news_list");
}
if(!isset($_GET['newsid']) and $_POST['action']=="add")
{
$re=$news->check_access();
if($re==false)
msg("main.php?action=msg&type=access_dine");
$news->fun_news('add');
$admin->msg("main.php?m=$_GET[m]&s=admin_news_list");
}
if(isset($_GET['newsid']))
{
$tpl->assign("news",$news->news_detail($_GET['newsid']));
}
//-----------
$group_add_news='user_add_news_'.$_SESSION['IFPAY'];
$tpl->assign("is_post",$config[$group_add_news]);
//==================================
$tpl->assign("config",$config);
$tpl->assign("lang",$lang);
$output=tplfetch("admin_news.htm");
?>
plugin_friend_class.php
function fun_news($type)
{
global $config,$buid,$bcid;
if(!empty($_FILES['img_url'])&&is_uploaded_file($_FILES['img_url']['tmp_name']))
{
if(!empty($_POST['pic']))
{
$file=$config['webroot']."/uploadfile/news/".$_POST['pic'];
@unlink($file);
$file=$config['webroot']."/uploadfile/news/big/".$_POST['pic'];
@unlink($file);
}
$pname=time().".jpg";
$savefile=$config['webroot']."/uploadfile/news/".$pname;
$bsavefile=$config['webroot']."/uploadfile/news/big/".$pname;
makethumb($_FILES['img_url']['tmp_name'],$savefile,140,125);
makethumb($_FILES['img_url']['tmp_name'],$bsavefile,275,200);
}
if(!empty($_POST['pic']) and empty($pname))
{
$pname=$_POST['pic'];
}

if(empty($pname))
{
$ispic=0;
}
else
{
$ispic=1;
}

if(empty($_POST['smalltext']))
{
$con=$_POST['body'];
$str = explode('<p>',$con);
foreach($str as $i=>$k)
{
$val=trim(strip_tags($k));
if(!empty($val))
{
$_POST['smalltext']=$val;
break;
}
}
}
if($type=="add")
{
//-----------------------
$ifpay=empty($_SESSION["IFPAY"])?1:$_SESSION["IFPAY"];
if($config['replace_outside_link_'.$ifpay]==1)
{
$_POST["smalltext"]=replace_outside_link($_POST["smalltext"]);
$_POST["body"]=replace_outside_link($_POST["body"]);
}
//----------------------
$statu=$config['infoCheck_'.$ifpay];

$sql="INSERT ".NEWSD.
"(classid,title,ftitle,keyboard,ispass,titlefont,uid,company_id,uptime,smalltext,writer,titlepic,ispic,lastedittime,imgs_url,videos_url,ispl,userfen,newstempid,source)
VALUES
('$_POST[classid]','$_POST[title]','$_POST[ftitle]','$_POST[key]','$statu','','$buid','$bcid','".time()."','$_POST[smalltext]','$buser','$pname','$ispic','".time()."','','','0','0','0','')";

$re=$this->db->query($sql);
$id=$this->db->lastid();

$sql="INSERT INTO ".NEWSDATA." (nid,con) values ('$id','$_POST[body]')";
$re=$this->db->query($sql);

include("includes/point_inc.php");
if($point_config['point']=='1'&&$point_config['add_news']!='0')
renew_point('',$point_config['add_news']);
}
if($type=="edit")
{
$_POST['onclick']=empty($_POST['onclick'])?0:$_POST['onclick'];

$sql="update ".NEWSD." set title='$_POST[title]',classid='$_POST[classid]',ftitle='$_POST[ftitle]',keyboard='$_POST[key]',onclick='$_POST[onclick]',smalltext='$_POST[smalltext]',titlepic='$pname',ispic='$ispic',lastedittime='".time()."' where nid= $_GET[newsid]";
$re=$this->db->query($sql);
$sql="update ".NEWSDATA." set con='$_POST[body]' where nid= $_GET[newsid]";
$re=$this->db->query($sql);
}
}
global $config,$buid,$bcid;
if(!empty($_FILES['img_url'])&&is_uploaded_file($_FILES['img_url']['tmp_name']))
{
if(!empty($_POST['pic']))
{
$file=$config['webroot']."/uploadfile/news/".$_POST['pic'];
@unlink($file);
$file=$config['webroot']."/uploadfile/news/big/".$_POST['pic'];
@unlink($file);
}
$pname=time().".jpg";
$savefile=$config['webroot']."/uploadfile/news/".$pname;
$bsavefile=$config['webroot']."/uploadfile/news/big/".$pname;
makethumb($_FILES['img_url']['tmp_name'],$savefile,140,125);
makethumb($_FILES['img_url']['tmp_name'],$bsavefile,275,200);
}
if(!empty($_POST['pic']) and empty($pname))
{
$pname=$_POST['pic'];
}

if(empty($pname))
{
$ispic=0;
}
else
{
$ispic=1;
}

if(empty($_POST['smalltext']))
{
$con=$_POST['body'];
$str = explode('<p>',$con);
foreach($str as $i=>$k)
{
$val=trim(strip_tags($k));
if(!empty($val))
{
$_POST['smalltext']=$val;
break;
}
}
}
if($type=="add")
{
//-----------------------
$ifpay=empty($_SESSION["IFPAY"])?1:$_SESSION["IFPAY"];
if($config['replace_outside_link_'.$ifpay]==1)
{
$_POST["smalltext"]=replace_outside_link($_POST["smalltext"]);
$_POST["body"]=replace_outside_link($_POST["body"]);
}
//----------------------
$statu=$config['infoCheck_'.$ifpay];

$sql="INSERT ".NEWSD.
"(classid,title,ftitle,keyboard,ispass,titlefont,uid,company_id,uptime,smalltext,writer,titlepic,ispic,lastedittime,imgs_url,videos_url,ispl,userfen,newstempid,source)
VALUES
('$_POST[classid]','$_POST[title]','$_POST[ftitle]','$_POST[key]','$statu','','$buid','$bcid','".time()."','$_POST[smalltext]','$buser','$pname','$ispic','".time()."','','','0','0','0','')";

$re=$this->db->query($sql);
$id=$this->db->lastid();

$sql="INSERT INTO ".NEWSDATA." (nid,con) values ('$id','$_POST[body]')";
$re=$this->db->query($sql);

include("includes/point_inc.php");
if($point_config['point']=='1'&&$point_config['add_news']!='0')
renew_point('',$point_config['add_news']);
}
if($type=="edit")
{
$_POST['onclick']=empty($_POST['onclick'])?0:$_POST['onclick'];

$sql="update ".NEWSD." set title='$_POST[title]',classid='$_POST[classid]',ftitle='$_POST[ftitle]',keyboard='$_POST[key]',onclick='$_POST[onclick]',smalltext='$_POST[smalltext]',titlepic='$pname',ispic='$ispic',lastedittime='".time()."' where nid= $_GET[newsid]";
$re=$this->db->query($sql);
$sql="update ".NEWSDATA." set con='$_POST[body]' where nid= $_GET[newsid]"; //newsid参数
$re=$this->db->query($sql);
}
}


存在平行权限的还有很多,开发人员在好好看看

漏洞证明:

漏洞证明:
短信息越权,改变id参数即可

短信息越权1.PNG


短信息越权2.PNG


短信息越权3.PNG


订阅越权
更改editid参数

订阅越权4.PNG


定阅越权1.PNG


订阅越权2.PNG


任意删除他人广告越权参数deid

广告越权2.PNG


广告越权3.PNG


广告越权4.PNG


商友越权,任意查看他人商友信息参数editid

商友越权1.PNG


商友越权2.PNG


商友越权3.PNG


商友越权4.PNG


修改子账户越权editid参数

用户越权1.PNG


用户越权2.PNG


用户越权3.PNG


其他的就不再截图演示了

修复方案:

验证属性 一起提交了 希望审核给点力,做个前台啊

版权声明:转载请注明来源 nextdoor@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-12-30 14:44

厂商回复:

最新状态:

暂无