当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-078305

漏洞标题:Yuncart#多处存储型xss

相关厂商:Yuncart

漏洞作者: 小邪

提交时间:2014-10-13 10:31

修复时间:2015-01-11 10:32

公开时间:2015-01-11 10:32

漏洞类型:xss跨站脚本攻击

危害等级:高

自评Rank:12

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-10-13: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-01-11: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

Yuncart#多处存储型xss 皆可打后台cookie 官方demo测试

详细说明:

第一处xss
/include/front/member.class.php

public function address() {
if(ispostreq()) {
$addressid = intval($_POST["addressid"]);
//如果是修改,但是没有权限
if($addressid && !DB::getDB()->selectexist("user_address","addressid","addressid='$addressid' AND uid='".$this->uid."'") ) {
$this->setHint("user_no_priv","error");
}

//参数
$receiver = trim($_POST["receiver"]);
$province = trim($_POST["province"]);
$city = trim($_POST["city"]);
$district = trim($_POST["district"]);
$zipcode = trim($_POST["zipcode"]);
$link = trim($_POST["link"]);
$address = trim($_POST["address"]);
$data = array(
"receiver" =>$receiver,
"province" =>$province,
"city" =>$city,
"district" =>$district,
"zipcode" =>$zipcode,
"link" =>$link,
"address" =>$address,
"uid" =>$this->uid);
$text = '';
if($addressid) { //修改地址
$text = 'edit';
DB::getDB()->update("user_address",$data,"addressid='$addressid'");
} else { //增加地址
$text = 'add';
DB::getDB()->insert("user_address",$data);
}
$this->setHint("address_{$text}_success","success");
} else {
$this->getHint();
if(isset($_GET["op"]) && ($_GET['op'] == 'edit') ) { //操作
$addressid = intval($_GET["addressid"]);
$this->data["address"] = DB::getDB()->selectrow("user_address","*","addressid='$addressid' AND uid='".$this->uid."'");
if(!$this->data["address"]) {
$this->setHint("address_not_exist","error");
}
$this->getDistrictopt($this->data["address"]['province'],$this->data["address"]['city'],$this->data["address"]['district']);
$this->data['opertype'] = "edit";
} else {
$this->data['opertype'] = "add";
}
//收货地址列表
$this->data['addresslist'] = DB::getDB()->select("user_address","*","uid='".$this->uid."'");
$this->output("myaddress");
}
}


跟踪update

public function update($tableName,$data,$where,$only = false) {
$sql = "UPDATE ".$this->getTableName($tableName)." SET ";
if(is_array($data)) {
foreach($data as $key=>$val) {
$sql .= $this->escapekey($key) . "=" . $this->escapeval($val).",";
}
} else {
$sql .= $data;
}

$sql = rtrim($sql,",")." "
. $this->buildWhere($where)
. ($only?" LIMIT 1":"")
;

$this->query($sql);
return $this->errno?false:true;


进query看看

public function query($sql) {
$sql = preg_replace("/`(.+?)`/","\"\\1\"",$sql);//执行mysql的`替换成"

$this->lastSql = $sql;
$this->statement = $this->conn->prepare($sql);
if(false === $this->statement) {

}
$result = $this->statement->execute();
if(false === $result) {
$error = $this->statement->errorInfo();
$this->error = $error[2];
$this->errno = $this->statement->errorCode();
if($this->errno) {
cerror("sqlsrv error:".$this->errno." ".$this->error);
}
}
$this->querynum++;
}


可以看到query只过滤了注入字符未对xss的关键字符进行过滤 因此存在xss
首先注册一个帐户 进入用户中心修改收货地址

1.jpg


保存 然后去商场选一件商品 提交订单时选择使用刚才的地址
本地弹

2.jpg


提交订单 我们去后台看看

3.jpg


漏洞证明:

第二处xss
选择一件商品购买 订单备注处插入代码 提交

4.jpg


我们进后台看看 查看订单详情

5.jpg

修复方案:

对xss关键字符进行过滤

版权声明:转载请注明来源 小邪@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论