方维团购系统注入

\\app\source\user_init.php
[php]
//获取当前城市跟客户端IP
if(!isset($_SESSION['CLIENT_IP']) || empty($_SESSION['C_CITY_ID']) ||(isset($_REQUEST['cityname']) && !empty($_REQUEST['cityname'])))
{
require ROOT_PATH.'app/source/class/IpLocation.class.php';
define("C_CITY_ID",getCurrentCityID());
$_SESSION['C_CITY_ID'] = C_CITY_ID;

$iplocation = new IpLocation();
$client_ip = $iplocation->getIP(); //从X-Forwarded-For里面获取IP
$_SESSION['CLIENT_IP'] = $client_ip; //直接把获取的IP传递到session里面去了

if(intval(a_fanweC("FIRST_VISIT_CITY"))==1&&isset($_REQUEST['cityname']) && !isset($_COOKIE['had_select_city'])){
setcookie('had_select_city',true,time()+365*60*60*24);
}
}

if((!defined('C_CITY_ID')) || intval(C_CITY_ID) == 0) {
define("C_CITY_ID",$_SESSION['C_CITY_ID']);
}
.......
//开始自动登录 by hc
if($_SESSION['user_id'] == 0 && isset($_COOKIE['email']) && isset($_COOKIE['password']))
{
$cookie_user['email'] = trim(unserialize(base64_decode($_COOKIE['email'])));
$cookie_user['user_pwd'] = trim(unserialize(base64_decode($_COOKIE['password'])));
$userinfo = $GLOBALS['db']->getRow("SELECT `id`,`user_name`,`user_pwd`,`status`,`group_id`,`city_id`,`parent_id` FROM ".DB_PREFIX."user WHERE email='".$cookie_user['email']."' and user_pwd='".$cookie_user['user_pwd']."'");

if($userinfo && $userinfo['status'])
{
setcookie('email',base64_encode(serialize($userinfo['email'])),time()+365*60*60*24);
setcookie('password',base64_encode(serialize($userinfo['user_pwd'])),time()+365*60*60*24);
$_SESSION['user_name'] = $userinfo['user_name'];
$_SESSION['user_id'] = $userinfo['id'];
$_SESSION['group_id'] = $userinfo['group_id'];
$_SESSION['user_email'] = $userinfo['email'];
$_SESSION['score'] = $userinfo['score'];

$GLOBALS['db']->query("UPDATE ".DB_PREFIX."user set last_ip='".$client_ip."' where id=".$userinfo['id']);
//直接把X-Forwarded-For带到update了
//update fanwe_user set last_ip='' where id=1;
}
}
[/php]
然后在app\source\func\com_user_func.php
[php]
function user_do_login($user_data) {
.....
if ($auto_login == 1) {
setcookie ( 'email', base64_encode ( serialize ( $userinfo ['email'] ) ), time () + 365 * 60 * 60 * 24 );
setcookie ( 'password', base64_encode ( serialize ( $userinfo ['user_pwd'] ) ), time () + 365 * 60 * 60 * 24 );
}

$userScore = intval ( $userinfo ['score'] );
$userGroupID = intval ( $userinfo ['group_id'] );

$sql = "select max_points from " . DB_PREFIX . "user_group where id = " . $userGroupID;
$maxPoints = intval ( $GLOBALS ['db']->getOne ( $sql ) );
$sql = "select id from " . DB_PREFIX . "user_group where min_points <= $userScore AND max_points > $userScore AND id <> $userGroupID AND min_points >= $maxPoints AND status = 1";
$group_id = $GLOBALS ['db']->getOne ( $sql );
if ($group_id > 0) {
$userinfo ['group_id'] = $group_id;
}
$_SESSION ['user_name'] = $userinfo ['user_name'];
$_SESSION ['user_id'] = $userinfo ['id'];
$_SESSION ['group_id'] = $userinfo ['group_id'];
$_SESSION ['user_email'] = $userinfo ['email'];
$_SESSION ['score'] = $userinfo ['score'];
$sql_str = 'update ' . DB_PREFIX . 'user set last_ip = \'' . $_SESSION ['CLIENT_IP'] . '\',active_sn = \'\',group_id= ' . intval ( $userinfo ['group_id'] ) . ' where id = ' . intval ( $userinfo ['id'] );
//$_SESSION ['CLIENT_IP'] 也是直接带过来了
$GLOBALS ['db']->query ( $sql_str );
//清空购买车
$GLOBALS ['db']->query ( "delete from " . DB_PREFIX . "cart where session_id = '" . session_id () . "' or user_id =".intval($_SESSION ['user_id']));

..............
[/php]
code
在X-Forwarded-For里面做加参数就达到了注入的目的。事实上我只是判断出了存在注射,但是没有exp的说。
官方的实例网站
fan

仔细想想,直接获取IP带入数据库,是否还有xss的功能呢,顺带IP欺骗

2 条评论

  1. ye

    我回家了 忘记了跟你说、、过几天回去、

    1. 0day5
      @ye

      知了知了~回头给班主任说

发表评论