2014-10-28: 细节已通知厂商并且等待厂商处理中 2014-11-02: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放 2014-12-27: 细节向核心白帽子及相关领域专家公开 2015-01-06: 细节向普通白帽子公开 2015-01-16: 细节向实习白帽子公开 2014-12-30: 细节向公众公开
B2Bbuilder 网站商城存在多处越权操作10处
下载的版本 B2Bbuilder B2B网站管理系统 v7.0 .1最新 正式版1-3处
main.php中 switch ($action){ case "admin_subscribe": { include_once("includes/plugin_tradealter_class.php"); $tradealter=new tradealter(); if(!empty($_POST['addid'])) { if(!empty($_POST['seditid'])) $re=$tradealter->up_subscribe($_POST['seditid']); //跟踪up_subscribe函数 else $re=$tradealter->up_subscribe(); if($re) msg("main.php?action=admin_subscribe"); } if(!empty($_GET['editid'])) $tpl->assign("de",$tradealter->list_subscribe($_GET['editid'])); //跟踪list_subscribe函数 if(!empty($_GET['delid'])) $tradealter->delete_subscribe($_GET['delid']); //跟踪delete_subscribe函数 $tpl->assign("subscribe",$tradealter->list_subscribe()); $page="admin_subscribe.htm"; break; }include/plugin_tradealter_class.php文件 function up_subscribe($sid='') { global $buid,$config; if(!empty($sid)) { $nt=time(); $sql="update ".SUBSCRIBE." set keywords='$_POST[keycon]',ktype='$_POST[ktype]',p_catids='$_POST[catids]',p_cats='$_POST[cats]',validity='$_POST[validity]',frequency='$_POST[frequency]',uptime='$nt',email='$_POST[email]' where id='$sid'"; //未判断所属用户直接操作 $this->db->query($sql); } else { $nt=time(); $sql="insert into ".SUBSCRIBE." (userid,keywords,ktype,p_catids,p_cats,validity,frequency,uptime,email) values ( '$buid','$_POST[keycon]','$_POST[ktype]','$_POST[catids]','$_POST[cats]','$_POST[validity]','$_POST[frequency]','$nt','$_POST[email]')"; $this->db->query($sql); include("includes/point_inc.php"); if($point_config['point']=='1'&&$point_config['sub_scribe']!='0') renew_point('',$point_config['sub_scribe']); } }include/plugin_tradealter_class.php文件function list_subscribe($id="") { global $buid; if(empty($id)) { $sql="select * from ".SUBSCRIBE." where userid='$buid' order by uptime desc"; $this->db->query($sql); $re=$this->db->getRows(); } else { $sql="select * from ".SUBSCRIBE." where id='$id'";//未判断属性导致越权 $this->db->query($sql); $re=$this->db->fetchRow(); } return $re; }include/plugin_tradealter_class.php function delete_subscribe($did="") { global $buid; $sql="delete from ".SUBSCRIBE." where id='$did'"; //可以任意删除他人的内容 $this->db->query($sql); }
第四处
case "admin_adv_list": { if(!empty($_GET['deid'])) $db->query("delete from ".ADVSCON." where ID='$_GET[deid]'"); //越权,任意删除订单 if(!empty($_GET['order_id'])) $db->query("update ".ADVSCON." set statu=1 where ID='$_GET[order_id]'"); $db->query("select * from ".ADVSCON." where userid='$buid'"); $tpl->assign("re",$re = $db->getRows()); $page= "admin_adv_list.htm"; break; }
第5—6处
case "admin_subuser": { if(!empty($_GET['deid'])) $admin->delete_personal($_GET['deid']); if(!empty($_POST['action'])&&$_POST['action']=='submit') { $admin->add_personal(); msg("main.php?action=admin_subuser&t=1&adduser=$_GET[adduser]"); } if(!empty($_POST['action'])&&$_POST['action']=='update') { $admin->update_personal($_POST['uid']); //存在越权 msg("main.php?action=admin_subuser&adduser=$_GET[adduser]&t=1"); } include_once("lang/".$config['language']."/company_type_config.php"); $tpl->assign("de",$de=$admin->get_personal_detail($_GET['editid'])); //存在越权 $tpl->assign("plist",$admin->get_personal_list()); $tpl->assign("prov",get_province($de['province'])); if(!empty($_GET['adduser'])) { $nohead='true'; $page="admin_add_personal.htm"; if(empty($_GET['editid'])) $tpl->assign("de",NULL); } else $page="admin_subuser.htm"; break; }跟踪函数 update_personalfunction update_personal($uid) { global $config,$buid;$logo=NULL;$ssql=NULL; if(empty($uid)) $uid=$buid; $_POST['province']=!empty($_POST['province1'])?$_POST['province1']:$_POST['province']; $_POST['city']=!empty($_POST['city1'])?$_POST['city1']:$_POST['city']; $_POST['sex']=empty($_POST['sex'])?1:$_POST['sex']; $sql="UPDATE ".ALLUSER." SET name='$_POST[name]',email='$_POST[email]',email2='$_POST[email2]',tel='$_POST[tel]',qq='$_POST[qq]',province='$_POST[province]',city='$_POST[city]',sex='$_POST[sex]',skype='$_POST[skype]',position='$_POST[position]',mobile='$_POST[mobile]',logo='$_POST[logo]' WHERE userid='$uid'"; //对属性判断不严 $re=$this->db->query($sql); return $re; }get_personal_detail函数 function get_personal_detail($id) { global $buid,$config; if(empty($id)) $id=$buid; $sql="select * from ".ALLUSER." a left join ".COUNTRY." b on a.country=b.id WHERE a.userid='$id'";//认证不严 $this->db->query($sql); $re=$this->db->fetchRow(); if($config['language']=='cn') $re['country']=$re['cname']; else $re['country']=$re['ename']; return $re; }
第七处
admin_message_det.php f(!empty($_GET['deid'])){ $msg->del_mail($_GET['deid']*1); msg("main.php?m=message&s=admin_message_list_inbox");//删除后进入收件箱}if(!empty($_GET['save_id'])){ $msg->save_mail($_GET['save_id']*1);}if(!empty($_GET['remove'])){ $msg->remove_mail($_GET['remove']*1);}if(!empty($_GET['recover'])){ $msg->recover_mail($_GET['recover']*1);}$tpl->assign("re",$msg ->mail_det($_GET['id'])); //存在越权$tpl->assign("config",$config);$tpl->assign("lang",$lang);plugin_msg_class.php文件 function mail_det($id) { global $buid; $sql="select *,NULL as about from ".FEEDBACK." where id='$id'"; //id参数 $this->db->query($sql); $re=$this->db->fetchRow(); if($re['iflook']<1) { $sql="update ".FEEDBACK." SET iflook=1 WHERE id='$id'"; $this->db->query($sql); } if($re["fromuserid"]&&$re['msgtype']==1) {//收件箱 $sql="select * from ".ALLUSER." where userid='".$re['fromuserid']."'"; $this->db->query($sql); $re["fromInfo"]=$this->db->fetchRow(); } if($re["touserid"]&&$re['msgtype']==2) {//发件箱 $sql="select * from ".ALLUSER." where userid='".$re['touserid']."'"; $this->db->query($sql); $re["fromInfo"]=$this->db->fetchRow(); } if($re['fromuserid']) { $sql="select id from ".FRIENDS." where fuid=$re[fromuserid]"; $this->db->query($sql); $re["is_myfriend"]=$this->db->fetchField('id'); } $re['edit_con']='<br><br><br><br><br>//======================================================='.$re['con']; return $re; }
第八处
admin_message_list_savebox.php<?phpinclude_once("$config[webroot]/includes/page_utf_class.php");include_once("$config[webroot]/module/message/includes/plugin_msg_class.php");$msg=new msg();//======================================================if(isset($_POST["deid"])&&!empty($_POST['del'])){ $msg->del_freom_save_mail(); //跟踪函数}$type='savebox';$tpl->assign("re",$msg ->mail_list($type));//======================================================$tpl->assign("config",$config);$tpl->assign("lang",$lang);$output=tplfetch("admin_message_list_savebox.htm");?>function del_freom_save_mail() { if(empty($id)) { for($i=0;$i<count($_POST["deid"]);$i++) { $id=$_POST["deid"][$i]; $sql="update ".FEEDBACK." set is_save=0 where id=$id"; //id参数 $this->db->query($sql); unset($sql); } } else { $sql="update ".FEEDBACK." set is_save=0 where id=$id"; $this->db->query($sql); } }
第九处
admin_message_list_outbox.php<?phpinclude_once("$config[webroot]/includes/page_utf_class.php");include_once("$config[webroot]/module/message/includes/plugin_msg_class.php");$msg=new msg();//================================================if(isset($_POST["deid"])&&!empty($_POST['del'])){ $msg->del_mail(); //跟踪函数}$type='outbox';$tpl->assign("re",$msg ->mail_list($type));//===============================================$tpl->assign("config",$config);$tpl->assign("lang",$lang);$output=tplfetch("admin_message_list_outbox.htm");?>plugin_msg_class.php function del_mail($id=NULL) { if(empty($id)) { for($i=0;$i<count($_POST["deid"]);$i++) { $id=$_POST["deid"][$i]; $sql="update ".FEEDBACK." set iflook=2 where id=$id"; //id元素 $this->db->query($sql); unset($sql); } } else { $sql="update ".FEEDBACK." set iflook=2 where id=$id"; $this->db->query($sql); } }//关于message这个类的越权还有很多,在这列举几个,其他的漏洞开发自己好好审审吧
第十处
<?phpinclude_once("$config[webroot]/module/message/includes/plugin_friend_class.php");$friend=new friend();//============================================================if(isset($_GET['editid'])&&is_numeric($_GET['editid'])) $tpl->assign("de",$friend->edit_friend_info($_GET['editid']));//edit_friend_info函数 if(isset($_GET['friendid'])) $tpl->assign("de",$friend->get_friend_info($_GET['friendid']));if(isset($_GET['detail_id'])&&is_numeric($_GET['detail_id'])) $tpl->assign("de",$friend->edit_friend_info($_GET['detail_id'])); if(isset($_POST['isure'])){ if(!empty($_POST['editid'])) $friend->update_friend_info($_POST['editid']); else $friend->update_friend_info();}//==================================plugin_msg_class.php function edit_friend_info($id='') { $sql="select * from ".FRIENDS." where id='$id'"; //id参数 $this->db->query($sql); $rs=$this->db->fetchRow(); return $rs; }
第十一处
dmin_friends_list.php <?phpinclude_once("$config[webroot]/module/message/includes/plugin_friend_class.php");$friend=new friend();//============================================================include_once("$config[webroot]/includes/page_utf_class.php");if(isset($_GET['delid'])&&is_numeric($_GET['delid'])){ $friend->del_friend_info($_GET['delid']); //跟踪函数}$tpl->assign("re",$friend->friends_list());//==================================$tpl->assign("config",$config);$tpl->assign("lang",$lang);$output=tplfetch("admin_friends_list.htm");?>plugin_friend_class.php function del_friend_info($id='') { $sql="delete from ".FRIENDS." where id='$id'"; //id函数 $this->db->query($sql); }
第十二处
admin_brand.php http://democn.b2b-builder.com/main.php?edit=428&m=brand&s=admin_brandinclude_once("$config[webroot]/module/brand/includes/plugin_brand_class.php");$brand=new brand();//============================================================if(!empty($submit)&&empty($_POST['editID'])){ $re=$brand->add_brand(); if($re) msg("main.php?m=brand&s=admin_brand_list");}if(isset($_POST['editID'])){ $re=$brand->edit_brand(); //跟踪函数 if($re) msg("main.php?m=brand&s=admin_brand_list");}if(isset($_GET['edit'])){ $tpl->assign("de",$brand->brand_detail($_GET['edit']));}//==================================$tpl->assign("country",country_list());$tpl->assign("config",$config);$tpl->assign("lang",$lang);$output=tplfetch("admin_brand.htm");?>plugin_friend_class.php中 function edit_brand() { global $config; include_once($config['webroot'].'/lib/allchar.php'); if($config['language']=='cn') $sql="select cname as name from ".COUNTRY." where id='$_POST[country]'"; else $sql="select ename as name from ".COUNTRY." where id='$_POST[country]'"; $this->db->query($sql); $country=$this->db->fetchField('name'); $province=$_POST['province']; $city=$_POST['city']; if(empty($province) and empty($city)) { $province=$_POST['province1']; $city=$_POST['city1']; } $str=c(trim($_POST['name'])); $fstr=substr($str,0,1); $sql="update ".BRAND." set name='".$_POST['name']."',con='".$_POST['con']."',company='".$_POST['company']."',tel='".$_POST['tel']."',pic='".$_POST['pic']."',statu='0',url='$_POST[url]',country='$country',province='$province',city='$city',time='".time()."',inner_url='$_POST[inner_url]',char_index='$fstr',char_all='$str' where id='".$_POST['editID']."'"; //editID 参数 $re=$this->db->query($sql); return $re; }
第十三处
admin_news.php <?phpinclude_once("$config[webroot]/module/".$_GET['m']."/includes/plugin_news_class.php");$news=new news();//=============================================== $class=$news->get_newsclass(); $tpl->assign("class",$class); if(isset($_GET['newsid']) and $_POST['action']=="edit") { $news->fun_news('edit'); //跟踪fun_news函数 $admin->msg("main.php?m=$_GET[m]&s=admin_news_list"); } if(!isset($_GET['newsid']) and $_POST['action']=="add") { $re=$news->check_access(); if($re==false) msg("main.php?action=msg&type=access_dine"); $news->fun_news('add'); $admin->msg("main.php?m=$_GET[m]&s=admin_news_list"); } if(isset($_GET['newsid'])) { $tpl->assign("news",$news->news_detail($_GET['newsid'])); } //----------- $group_add_news='user_add_news_'.$_SESSION['IFPAY']; $tpl->assign("is_post",$config[$group_add_news]);//==================================$tpl->assign("config",$config);$tpl->assign("lang",$lang);$output=tplfetch("admin_news.htm");?>plugin_friend_class.php function fun_news($type) { global $config,$buid,$bcid; if(!empty($_FILES['img_url'])&&is_uploaded_file($_FILES['img_url']['tmp_name'])) { if(!empty($_POST['pic'])) { $file=$config['webroot']."/uploadfile/news/".$_POST['pic']; @unlink($file); $file=$config['webroot']."/uploadfile/news/big/".$_POST['pic']; @unlink($file); } $pname=time().".jpg"; $savefile=$config['webroot']."/uploadfile/news/".$pname; $bsavefile=$config['webroot']."/uploadfile/news/big/".$pname; makethumb($_FILES['img_url']['tmp_name'],$savefile,140,125); makethumb($_FILES['img_url']['tmp_name'],$bsavefile,275,200); } if(!empty($_POST['pic']) and empty($pname)) { $pname=$_POST['pic']; } if(empty($pname)) { $ispic=0; } else { $ispic=1; } if(empty($_POST['smalltext'])) { $con=$_POST['body']; $str = explode('<p>',$con); foreach($str as $i=>$k) { $val=trim(strip_tags($k)); if(!empty($val)) { $_POST['smalltext']=$val; break; } } } if($type=="add") { //----------------------- $ifpay=empty($_SESSION["IFPAY"])?1:$_SESSION["IFPAY"]; if($config['replace_outside_link_'.$ifpay]==1) { $_POST["smalltext"]=replace_outside_link($_POST["smalltext"]); $_POST["body"]=replace_outside_link($_POST["body"]); } //---------------------- $statu=$config['infoCheck_'.$ifpay]; $sql="INSERT ".NEWSD."(classid,title,ftitle,keyboard,ispass,titlefont,uid,company_id,uptime,smalltext,writer,titlepic,ispic,lastedittime,imgs_url,videos_url,ispl,userfen,newstempid,source) VALUES ('$_POST[classid]','$_POST[title]','$_POST[ftitle]','$_POST[key]','$statu','','$buid','$bcid','".time()."','$_POST[smalltext]','$buser','$pname','$ispic','".time()."','','','0','0','0','')"; $re=$this->db->query($sql); $id=$this->db->lastid(); $sql="INSERT INTO ".NEWSDATA." (nid,con) values ('$id','$_POST[body]')"; $re=$this->db->query($sql); include("includes/point_inc.php"); if($point_config['point']=='1'&&$point_config['add_news']!='0') renew_point('',$point_config['add_news']); } if($type=="edit") { $_POST['onclick']=empty($_POST['onclick'])?0:$_POST['onclick']; $sql="update ".NEWSD." set title='$_POST[title]',classid='$_POST[classid]',ftitle='$_POST[ftitle]',keyboard='$_POST[key]',onclick='$_POST[onclick]',smalltext='$_POST[smalltext]',titlepic='$pname',ispic='$ispic',lastedittime='".time()."' where nid= $_GET[newsid]"; $re=$this->db->query($sql); $sql="update ".NEWSDATA." set con='$_POST[body]' where nid= $_GET[newsid]"; $re=$this->db->query($sql); } } global $config,$buid,$bcid; if(!empty($_FILES['img_url'])&&is_uploaded_file($_FILES['img_url']['tmp_name'])) { if(!empty($_POST['pic'])) { $file=$config['webroot']."/uploadfile/news/".$_POST['pic']; @unlink($file); $file=$config['webroot']."/uploadfile/news/big/".$_POST['pic']; @unlink($file); } $pname=time().".jpg"; $savefile=$config['webroot']."/uploadfile/news/".$pname; $bsavefile=$config['webroot']."/uploadfile/news/big/".$pname; makethumb($_FILES['img_url']['tmp_name'],$savefile,140,125); makethumb($_FILES['img_url']['tmp_name'],$bsavefile,275,200); } if(!empty($_POST['pic']) and empty($pname)) { $pname=$_POST['pic']; } if(empty($pname)) { $ispic=0; } else { $ispic=1; } if(empty($_POST['smalltext'])) { $con=$_POST['body']; $str = explode('<p>',$con); foreach($str as $i=>$k) { $val=trim(strip_tags($k)); if(!empty($val)) { $_POST['smalltext']=$val; break; } } } if($type=="add") { //----------------------- $ifpay=empty($_SESSION["IFPAY"])?1:$_SESSION["IFPAY"]; if($config['replace_outside_link_'.$ifpay]==1) { $_POST["smalltext"]=replace_outside_link($_POST["smalltext"]); $_POST["body"]=replace_outside_link($_POST["body"]); } //---------------------- $statu=$config['infoCheck_'.$ifpay]; $sql="INSERT ".NEWSD."(classid,title,ftitle,keyboard,ispass,titlefont,uid,company_id,uptime,smalltext,writer,titlepic,ispic,lastedittime,imgs_url,videos_url,ispl,userfen,newstempid,source) VALUES ('$_POST[classid]','$_POST[title]','$_POST[ftitle]','$_POST[key]','$statu','','$buid','$bcid','".time()."','$_POST[smalltext]','$buser','$pname','$ispic','".time()."','','','0','0','0','')"; $re=$this->db->query($sql); $id=$this->db->lastid(); $sql="INSERT INTO ".NEWSDATA." (nid,con) values ('$id','$_POST[body]')"; $re=$this->db->query($sql); include("includes/point_inc.php"); if($point_config['point']=='1'&&$point_config['add_news']!='0') renew_point('',$point_config['add_news']); } if($type=="edit") { $_POST['onclick']=empty($_POST['onclick'])?0:$_POST['onclick']; $sql="update ".NEWSD." set title='$_POST[title]',classid='$_POST[classid]',ftitle='$_POST[ftitle]',keyboard='$_POST[key]',onclick='$_POST[onclick]',smalltext='$_POST[smalltext]',titlepic='$pname',ispic='$ispic',lastedittime='".time()."' where nid= $_GET[newsid]"; $re=$this->db->query($sql); $sql="update ".NEWSDATA." set con='$_POST[body]' where nid= $_GET[newsid]"; //newsid参数 $re=$this->db->query($sql); } }
存在平行权限的还有很多,开发人员在好好看看
漏洞证明:短信息越权,改变id参数即可
订阅越权更改editid参数
任意删除他人广告越权参数deid
商友越权,任意查看他人商友信息参数editid
修改子账户越权editid参数
其他的就不再截图演示了
验证属性 一起提交了 希望审核给点力,做个前台啊
危害等级:无影响厂商忽略
忽略时间:2014-12-30 14:44
暂无
