当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-081332

漏洞标题:mallbuilder多用户商城系统越权漏洞&跨站漏洞

相关厂商:shop-builder.cn

漏洞作者: nextdoor

提交时间:2014-10-31 11:23

修复时间:2014-12-30 14:44

公开时间:2014-12-30 14:44

漏洞类型:非授权访问/权限绕过

危害等级:中

自评Rank:10

漏洞状态:漏洞已经通知厂商但是厂商忽略漏洞

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-10-31: 细节已通知厂商并且等待厂商处理中
2014-11-05: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2014-12-30: 细节向核心白帽子及相关领域专家公开
2015-01-09: 细节向普通白帽子公开
2015-01-19: 细节向实习白帽子公开
2014-12-30: 细节向公众公开

简要描述:

越权漏洞可以遍历他人收货地址
跨站漏洞可以会员cookie一处
和可以盗取管理员cookie一处

详细说明:

版本系统 MallBuilder_v5.8.1.1
官方demo v6.9.3版本有效
0x01 越权漏洞
可以遍历他人收货地址
module\member\admin_orderadder.php

//--修改收货地址
if($_POST['submit']=='edit')
{
$flag=$orderadder->edit_orderadder($_POST['edid']); //跟踪edit_orderadder函数
if(is_numeric($_POST['i']) and $_POST['ty']=='tg')
{
$admin->msg($config['weburl'].'/?m=tg&s=order&id='.$_POST['i']);
}
elseif($_POST['ty']=='pro')
{
$admin->msg($config['weburl'].'/?m=product&s=confirm_order');
}
else
{
$admin->msg($config['weburl'].'/main.php?m=member&s=admin_orderadder');
}
}
//--删除收货地址
if(!empty($_GET['edid'])&&is_numeric($_GET['edid']))
{
$flag=$orderadder->del_orderadder($_GET['edid']); //del_orderadder函数
$admin->msg($config['weburl'].'/main.php?m=member&s=admin_orderadder');
}
//--显示收货地址
if(!empty($_GET['id'])&&is_numeric($_GET['id']))
$tpl->assign("de",$orderadder->get_orderadder($_GET['id']));

$tpl->assign("list",$orderadder->get_orderadderlist());


module\member\includes\plugin_orderadder_class.php

function edit_orderadder($id=NULL)
{
global $buid;
if($id)
{
$default=$_POST['default']?"2":"1";
$_POST['zip']=$_POST['zip']?$_POST['zip']:NULL;
if($default=='2')
{
$sql="UPDATE ".DELIVERYADDR." SET `default` = '1' WHERE `userid` ='$buid' ";
$this -> db->query($sql);
}
$sql="UPDATE ".DELIVERYADDR." SET `name` = '$_POST[name]',`provinceid` = '$_POST[province]',`cityid` = '$_POST[city]', `areaid` = '$_POST[area]', `area` = '$_POST[t]', `address` = '$_POST[address]',`zip` = '$_POST[zip]',`tel` = '$_POST[tel]',`mobile` = '$_POST[mobile]',`default` = '$default' WHERE `id` ='$id' "; //仅用id参数验证,存在越权操作,可以任意变量他人收货地址
$this -> db->query($sql);
return $id;
}
}
function del_orderadder($id=NULL)
{
global $buid;
if(is_numeric($id))
{
$tel=$_POST['tel1'].'-'.$_POST['tel2'].'-'.$_POST['tel3'];
$sql="delete from ".DELIVERYADDR." where id=$id "; //仅用id参数验证,
$flag=$this -> db->query($sql);
return $flag;
}
}


0x02跨站漏洞
可以盗取会员cookie,这个是在空间评论处的动态,只有加他为好友后评论就可以了,导致
只要用户登陆就会中招
sns.php文件

if(!empty($_POST['act']))
{
if($_POST['act']=='comment')
{
$sns->add_sns_comment($_POST['act']); //跟踪add_sns_comment函数
}
else
{
$sns->add_sns($_POST['act']);
}
}


plugin_sns_class.php文件

function add_sns_comment()
{
global $buid,$config;

$sql="select logo,user from ".MEMBER." WHERE userid='$buid'";
$this->db->query($sql);
$re=$this->db->fetchRow();

$member_id = $buid;
$member_name = $re['user'];
$original_id = $_POST['commentid'];
$create_time = time();
$content = $_POST['commentcontent']?$_POST['commentcontent']:"";//接受post的content
if($content)
{
$sql="insert into ".SNSCOMMENT." (original_id,member_id,member_name,content,addtime) VALUES ('$original_id','$member_id','$member_name','$content','$create_time')"; //输入点$content未过滤
$this->db->query($sql);
$this->db->query("update ".SNS." set comment_count=comment_count+1 where id='$original_id'");
}
}
输出点在这个函数中
function get_sns()
{
global $buid,$config;

$sql="select fuid from ".FRIEND." where uid=$buid order by addtime desc";
$this->db->query($sql);
$re=$this->db->getRows();

$myfriend=$buid;

foreach($re as $val)
{
$myfriend.=','.$val['fuid'];
}

$sql="select a.* , b.member_id as ouid , b.member_name as ouser , b.title as otitle, b.create_time as ocreate_time, b.content as ocontent,b.img as oimg,b.type as otype from ".SNS." a left join ".SNS." b on a.original_id= b.id where a.member_id in ($myfriend) order by a.create_time desc";
$this->db->query($sql);
$re=$this->db->getRows();
if(!$re)
{
$sql="select a.* , b.member_id as ouid , b.member_name as ouser , b.title as otitle, b.create_time as ocreate_time, b.content as ocontent,b.img as oimg,b.type as otype from ".SNS." a left join ".SNS." b on a.original_id= b.id order by rand() , a.create_time desc";
}
$str="";
include_once($config['webroot']."/includes/page_utf_class.php");
include_once($config['webroot']."/module/sns/face.php");

$page = new Page;
$page->listRows=10;

if (!$page->__get('totalRows'))
{
$this->db->query($sql);
$page->totalRows = $this->db->num_rows();
}
$p=$_GET['page']-1>0?$_GET['page']-1:"0";
$page->firstRow=$p*$page->listRows;
$sql .= " limit ".$page->firstRow.",".$page->listRows;
$this->db->query($sql);
$re=$this->db->getRows();

foreach($face_array as $key=>$val)
{
$searcharray[] ="/\/".$key."/";
$replacearray[] = "<img align='absmiddle' src='image/face/".$val."'>";
}

foreach($re as $val)
{
$comment=$con=$del=$a=$img="";
$sql="select logo,name from ".MEMBER." WHERE userid='$val[member_id]'";
$this->db->query($sql);
$a=$this->db->fetchRow();
$val['member_img'] = $a['logo']?$a['logo']:"image/default/user_admin/default_user_portrait.gif";
$val['member_name']=$a['name']?$a['name']:$val['member_name'];

$sql="select * from ".SNSCOMMENT." WHERE original_id='$val[id]' order by id desc";
$this->db->query($sql);
$ss=$this->db->getRows();
$val['title']=preg_replace($searcharray,$replacearray,$val['title']);
if($ss)
{
$comment="<div class='commnet'>";
foreach($ss as $list)
{
$comment.="<div class='commnet_list'><dl><dt><a target=\"_blank\" href=\"home.php?uid=".$list['member_id']."\">$list[member_name]</a> $list[content]</dt>
<dd>".date('Y-m-d',$list['addtime'])."</dd></div>";
}
$comment.="</div>";
}
if($val['original_id'])
{
$con="<div class=\"quote-wrap\">";
if($val['original_status']==1)
{
$con.="原文已删除";
}
else
{
$val['otitle']=preg_replace($searcharray,$replacearray,$val['otitle']);
if($val['oimg'])
{
$oimg="<div class=\"sns-img clearfix\"><ul>";
$opic=explode(',',$val['oimg']);
foreach($opic as $op)
{
if($val['otype']=='2')
{
$oimg.="<li><img class=\"small\" src=\"".$op."_120X120.jpg\"></li>";
}
else
{
$oimg.="<li><img src=\"".$op."\"></li>";
}
}
$oimg.="</ul></div>";
}
$con.="<p><a target=\"_blank\" href=\"home.php?uid=".$val['ouid']."\">".$val['ouser']."</a></p><div class=\"sns-text\"><div class=\"sns-title\"><span>".$val['otitle']."</span>".$oimg."</div></div><div class=\"sns-extra\"><a class=\"sns-time\" title=\"".date('Y年m月d日 H:i',$val['ocreate_time'])."\" href=\"#\">".date('m月d日 H:i',$val['ocreate_time'])."</a></div>";


}
$con.="</div>";
}
$fd_forward="<span><a data-param=\"{&quot;bid&quot;:&quot;".$val['id']."&quot;}\" genre=\"sns_forward\" href=\"javascript:void(0);\">转发</a></span><span><a data-param=\"{&quot;bid&quot;:&quot;".$val['id']."&quot;}\" genre=\"sns_comment\" href=\"javascript:void(0);\">评论</a></span>";
$del="";
if($val['member_id']==$buid)
{
$del="<div class=\"more-action\"><a data-param=\"{&quot;bid&quot;:&quot;".$val['id']."&quot;}\" data_type=\"fd_del\" href=\"javascript:void(0);\"></a></div>";
}
if($val['img'])
{
$img="<div class=\"sns-img clearfix\"><ul>";
$pic=explode(',',$val['img']);
foreach($pic as $p)
{
if($val['type']=='2')
{
$img.="<li><img class=\"small\" src=\"".$p."_120X120.jpg\"></li>";
}
else
{
$img.="<li><img src=\"".$p."\"></li>";
}
}
$img.="</ul></div>";
}
$str.="<div class=\"sns-item\"><div class=\"sns-avatar\"><a target=\"_blank\" href=\"shop.php?uid=".$val['member_id']."\"><img width=\"60\" height=\"60\" src=\"".$val['member_img']."\" ></a></div>".$del."<div class=\"sns-wrap\"><p class=\"clearfix\"><a target=\"_blank\" href=\"home.php?uid=".$val['member_id']."\"><b>".$val['member_name']."</b></a></p><div class=\"sns-text\"><div class=\"sns-title\">".$val['title']."</div>".$img."</div>".$con."<div class=\"sns-extra\"><a class=\"sns-time\" title=\"".date('Y年m月d日 H:i',$val['create_time'])."\" href=\"#\">".date('m月d日 H:i',$val['create_time'])."</a><span class=\"sns-action\">".$fd_forward."</span></div></div><div class='clear'></div>".$comment."</div>"; //未过滤
}
if(($_GET['page']+1)<= ceil($page->totalRows/$page->listRows))
{
$str.="<div id=more></div>";
}
return $str;


0x03这个存在于收货地址处
module\member\admin_orderadder.php

if($_POST['submit']=='edit')
{
$flag=$orderadder->edit_orderadder($_POST['edid']);
if(is_numeric($_POST['i']) and $_POST['ty']=='tg')
{
$admin->msg($config['weburl'].'/?m=tg&s=order&id='.$_POST['i']);
}
elseif($_POST['ty']=='pro')
{
$admin->msg($config['weburl'].'/?m=product&s=confirm_order');
}
else
{
$admin->msg($config['weburl'].'/main.php?m=member&s=admin_orderadder');
}
}


module\member\includes\plugin_orderadder_class.php

function edit_orderadder($id=NULL)
{
global $buid;
if($id)
{
$default=$_POST['default']?"2":"1";
$_POST['zip']=$_POST['zip']?$_POST['zip']:NULL;
if($default=='2')
{
$sql="UPDATE ".DELIVERYADDR." SET `default` = '1' WHERE `userid` ='$buid' ";
$this -> db->query($sql);
}
$sql="UPDATE ".DELIVERYADDR." SET `name` = '$_POST[name]',`provinceid` = '$_POST[province]',`cityid` = '$_POST[city]', `areaid` = '$_POST[area]', `area` = '$_POST[t]', `address` = '$_POST[address]',`zip` = '$_POST[zip]',`tel` = '$_POST[tel]',`mobile` = '$_POST[mobile]',`default` = '$default' WHERE `id` ='$id' ";
//post接受的参数未过滤
$this -> db->query($sql);
return $id;
}
}


输出点module\member\admin\delivery_address.php中

$sql="select a.*,b.user from ".DELIVERYADDR." a left join ".MEMBER." b on a.userid=b.userid ";
//================================
include_once("../includes/page_utf_class.php");
$page = new Page;
$page->listRows=10;
if (!$page->__get('totalRows')){
$db->query($sql);
$page->totalRows = $db->num_rows();
}
$sql .= " limit ".$page->firstRow.",".$page->listRows;
$de['page'] = $page->prompt();
//=================================
$db->query($sql);
$de['list']=$db->getRows(); //未进行有效过滤形成跨站

$tpl->assign("de",$de);
$tpl->display("delivery_address.htm");

漏洞证明:

越权官网证明
http://democn.mall-builder.com/main.php?m=member&s=admin_orderadder&id=188&type=edit
更改id参数即可遍历全部收货地址

mall越权一.PNG


mall越权二.PNG


mall越权三.PNG


跨站攻击,为了不影响测试用例,官网中测试可以插入标签,未做输出显示过滤
下面在自己搭建的平台演示

Xss2.PNG


Xss3.PNG


Xss1.PNG

修复方案:

过滤

版权声明:转载请注明来源 nextdoor@乌云


漏洞回应

厂商回应:

危害等级:无影响厂商忽略

忽略时间:2014-12-30 14:44

厂商回复:

最新状态:

暂无