方维团购系统 SQL 注入（X-Forwarded-For / 自动登录 Cookie）

\\app\source\user_init.php [php]
// Resolve the current city and the client IP.
// NOTE(review): $client_ip is assigned only inside this branch, yet the auto-login UPDATE further
// down reads it. When the branch is skipped (the session already holds CLIENT_IP and C_CITY_ID),
// $client_ip is undefined at that point unless the elided section ("......." below) sets it — TODO confirm.
if(!isset($_SESSION['CLIENT_IP']) || empty($_SESSION['C_CITY_ID']) ||(isset($_REQUEST['cityname']) && !empty($_REQUEST['cityname']))) {
    require ROOT_PATH.'app/source/class/IpLocation.class.php';
    define("C_CITY_ID",getCurrentCityID());
    $_SESSION['C_CITY_ID'] = C_CITY_ID;
    $iplocation = new IpLocation();
    // IP taken from X-Forwarded-For (per the author; IpLocation::getIP() itself is not shown here).
    // NOTE(review): X-Forwarded-For is a client-supplied request header, so this value is
    // attacker-controlled and is neither validated nor escaped before use. A practitioner would keep
    // it only if filter_var($client_ip, FILTER_VALIDATE_IP) !== false, otherwise fall back to
    // $_SERVER['REMOTE_ADDR'], and honour the header at all only when the request arrives via a known proxy.
    $client_ip = $iplocation->getIP();
    // The raw value is stored in the session as-is and reused later by user_do_login().
    $_SESSION['CLIENT_IP'] = $client_ip;
    if(intval(a_fanweC("FIRST_VISIT_CITY"))==1&&isset($_REQUEST['cityname']) && !isset($_COOKIE['had_select_city'])){
        setcookie('had_select_city',true,time()+365*60*60*24);
    }
}
if((!defined('C_CITY_ID')) || intval(C_CITY_ID) == 0) {
    define("C_CITY_ID",$_SESSION['C_CITY_ID']);
}
.......
// Begin auto-login (by hc)
if($_SESSION['user_id'] == 0 && isset($_COOKIE['email']) && isset($_COOKIE['password'])) {
    // NOTE(review): unserialize() on cookie values the client controls is a PHP object-injection
    // sink; whether it is exploitable depends on which classes are loaded at this point (not shown).
    $cookie_user['email'] = trim(unserialize(base64_decode($_COOKIE['email'])));
    $cookie_user['user_pwd'] = trim(unserialize(base64_decode($_COOKIE['password'])));
    // NOTE(review): both decoded values are concatenated into the WHERE clause unescaped. Even if a
    // global input filter escapes $_COOKIE (none is shown here), it only ever sees the base64 text,
    // which contains no quote or backslash characters, so escaping cannot alter the decoded payload;
    // it reaches the query untouched unless getRow() escapes internally (also not shown). Treat this
    // as a second injection point, reachable through the cookie rather than X-Forwarded-For.
    $userinfo = $GLOBALS['db']->getRow("SELECT `id`,`user_name`,`user_pwd`,`status`,`group_id`,`city_id`,`parent_id` FROM ".DB_PREFIX."user WHERE email='".$cookie_user['email']."' and user_pwd='".$cookie_user['user_pwd']."'");
    if($userinfo && $userinfo['status']) {
        // NOTE(review): the SELECT above does not fetch `email` or `score`, so $userinfo['email'] and
        // $userinfo['score'] are undefined here: the refreshed email cookie holds serialize(null) and
        // $_SESSION['user_email'] / $_SESSION['score'] are set to null.
        setcookie('email',base64_encode(serialize($userinfo['email'])),time()+365*60*60*24);
        // NOTE(review): the stored password hash itself is placed in a one-year cookie; whoever obtains
        // the cookie stays logged in until the hash changes. A random, revocable remember-me token
        // stored server-side is the usual replacement.
        setcookie('password',base64_encode(serialize($userinfo['user_pwd'])),time()+365*60*60*24);
        $_SESSION['user_name'] = $userinfo['user_name'];
        $_SESSION['user_id'] = $userinfo['id'];
        $_SESSION['group_id'] = $userinfo['group_id'];
        $_SESSION['user_email'] = $userinfo['email'];
        $_SESSION['score'] = $userinfo['score'];
        // X-Forwarded-For goes straight into the UPDATE — the injection this advisory reports.
        // The executed statement has the form: update fanwe_user set last_ip='<header value>' where id=1;
        // ($userinfo['id'] is not cast either, but it comes from the row just read.)
        // Fix: validate the IP as noted above and bind it as a query parameter / escape it for the
        // driver in use. Whether last_ip is later rendered unescaped (e.g. an admin "last IP" view)
        // is not shown; if it is, the same header value is also a stored-XSS vector.
        $GLOBALS['db']->query("UPDATE ".DB_PREFIX."user set last_ip='".$client_ip."' where id=".$userinfo['id']);
    }
}
[/php]
然后在app\source\func\com_user_func.php [php]
function user_do_login($user_data) {
    .....
    // NOTE(review): $auto_login and $userinfo are set in the elided part of this function (not shown).
    if ($auto_login == 1) {
        // Same long-lived email / password-hash cookies as the auto-login path in user_init.php.
        setcookie ( 'email', base64_encode ( serialize ( $userinfo ['email'] ) ), time () + 365 * 60 * 60 * 24 );
        setcookie ( 'password', base64_encode ( serialize ( $userinfo ['user_pwd'] ) ), time () + 365 * 60 * 60 * 24 );
    }
    // Group promotion: every value that reaches these two queries is cast with intval() first.
    $userScore = intval ( $userinfo ['score'] );
    $userGroupID = intval ( $userinfo ['group_id'] );
    $sql = "select max_points from " . DB_PREFIX . "user_group where id = " . $userGroupID;
    $maxPoints = intval ( $GLOBALS ['db']->getOne ( $sql ) );
    $sql = "select id from " . DB_PREFIX . "user_group where min_points <= $userScore AND max_points > $userScore AND id <> $userGroupID AND min_points >= $maxPoints AND status = 1";
    $group_id = $GLOBALS ['db']->getOne ( $sql );
    if ($group_id > 0) {
        $userinfo ['group_id'] = $group_id;
    }
    $_SESSION ['user_name'] = $userinfo ['user_name'];
    $_SESSION ['user_id'] = $userinfo ['id'];
    $_SESSION ['group_id'] = $userinfo ['group_id'];
    $_SESSION ['user_email'] = $userinfo ['email'];
    $_SESSION ['score'] = $userinfo ['score'];
    // NOTE(review): $_SESSION['CLIENT_IP'] is the unvalidated X-Forwarded-For value stored by
    // user_init.php and is concatenated here unescaped — the same injection, reached through the
    // normal login path. group_id and id are cast; the IP is not.
    $sql_str = 'update ' . DB_PREFIX . 'user set last_ip = \'' . $_SESSION ['CLIENT_IP'] . '\',active_sn = \'\',group_id= ' . intval ( $userinfo ['group_id'] ) . ' where id = ' . intval ( $userinfo ['id'] );
    $GLOBALS ['db']->query ( $sql_str );
    // Empty the shopping cart.
    // NOTE(review): session_id() is concatenated as well; PHP's built-in session handling restricts
    // ids to a limited alphabet, so this is presumably safe — confirm if a custom save handler is used.
    $GLOBALS ['db']->query ( "delete from " . DB_PREFIX . "cart where session_id = '" . session_id () . "' or user_id =".intval($_SESSION ['user_id']));
    ..............
[/php]
code 在X-Forwarded-For里面做加参数就达到了注入的目的。事实上我只是判断出了存在注射,但是没有exp的说。 官方的实例网站 fan 仔细想想,直接获取IP带入数据库,是否还有xss的功能呢,顺带IP欺骗


  1. ye

    我回家了 忘记了跟你说、、过几天回去、

    1. 0day5
      @ye

      知了知了~回头给班主任说
