
PHPB2B latest version: SQL injection allows unlimited balance top-up (successful on the official demo)

Source: 自学PHP网    Time: 2015-04-16 23:15


As the title says.

Details:

Look at the user registration code:

if(isset($_POST['register'])){
    $is_company = false;
    $if_need_check = false;
    $register_type = trim($_POST['register']);
    $register_typename = trim($_POST['typename']);
    pb_submit_check('data');
    // $register_typename is taken from $_POST and concatenated into the SQL string
    $default_membergroupid_res = $pdb->GetRow("SELECT * FROM {$tb_prefix}membertypes WHERE name='".$register_typename."'");
    $default_membergroupid = $default_membergroupid_res['default_membergroup_id'];
    if(empty($default_membergroupid)) $default_membergroupid = $membergroup->field("id","is_default=1");
    if ($default_membergroupid_res['id']>1) {
        $is_company = true;
    }
    $member->setParams();
    $memberfield->setParams();
    $member->params['data']['member']['membergroup_id'] = $default_membergroupid;
    $time_limits = $pdb->GetOne("SELECT default_live_time FROM {$tb_prefix}membergroups WHERE id={$default_membergroupid}");
    $member->params['data']['member']['service_start_date'] = $time_stamp;
    $member->params['data']['member']['service_end_date'] = $membergroup->getServiceEndtime($time_limits);
    $member->params['data']['member']['membertype_id'] = ($is_company)?2:1;
    if($member_reg_auth=="1" || $member_reg_auth!=0 || !empty($G['setting']['new_userauth'])){
        $member->params['data']['member']['status'] = 0;
        $if_need_check = true;
    }else{
        $member->params['data']['member']['status'] = 1;
    }
    $updated = false;
    $updated = $member->Add();



Following the call into Add():

function Add()
{
    global $_PB_CACHE, $memberfield, $phpb2b_auth_key, $if_need_check;
    $error_msg = array();
    if (empty($this->params['data']['member']['username']) or
        empty($this->params['data']['member']['userpass']) or
        empty($this->params['data']['member']['email'])) return false;
    $space_name = $this->params['data']['member']['username'];
    $userpass = $this->params['data']['member']['userpass'];
    $this->params['data']['member']['userpass'] = $this->authPasswd($this->params['data']['member']['userpass']);
    if(empty($this->params['data']['member']['space_name']))
        $this->params['data']['member']['space_name'] = PbController::toAlphabets($space_name);//Todo:
    $uip = pb_ip2long(pb_getenv('REMOTE_ADDR'));
    if(empty($uip)){
        pheader("location:".URL."redirect.php?message=".urlencode(L('sys_error')));
    }
    $this->params['data']['member']['last_login'] = $this->params['data']['member']['created'] = $this->params['data']['member']['modified'] = $this->timestamp;
    $this->params['data']['member']['last_ip'] = pb_get_client_ip('str');
    $email_exists = $this->checkUserExistsByEmail($this->params['data']['member']['email']);
    if ($email_exists) {
        flash("email_exists", null, 0);
    }
    $if_exists = $this->checkUserExist($this->params['data']['member']['username']);
    if ($if_exists) {
        flash('member_has_exists', null, 0);
    }else{
        // the whole member array is passed to save()
        $this->save($this->params['data']['member']);



The save function runs a foreach over our POST data:

function save($obj_name, $obj_id, $data)
{
    if (empty($data)) {
        return false;
    }
    foreach ($data as $key=>$val) {
        if (in_array($key, array('title', 'keyword', 'description'))) {
            $this->add($obj_id, $obj_name, $key, $val);
        }



Testing on the official site:

When registering a user, we intercept the request and add this parameter:

data%5Bmember%5D%5Bbalance_amount%5D=9999.99





[Screenshot: 1.jpg]



The top-up succeeded.

[Screenshot: 2.jpg]

Proof of vulnerability:

[Screenshot: 2.jpg]

Fix:

You are the experts here.
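
One way to close the hole shown above, as an added example that is not PHPB2B's code or the author's: filter the submitted `data[member][...]` array through an allowlist before it reaches the model, and assign account state on the server. The allowlist, the helper name `filter_member_input` and the sample request body are assumptions made for illustration.

```php
<?php
// Added example, not PHPB2B code. The allowlist is an assumption built from
// the fields Add() reads (username, userpass, email, space_name).
const REGISTRATION_FIELDS = ['username', 'userpass', 'email', 'space_name'];

/**
 * Split data[member][...] into fields a registrant may set and everything else.
 * Returns [acceptedFields, rejectedKeys]. Hypothetical helper.
 */
function filter_member_input(array $post): array
{
    $submitted = $post['data']['member'] ?? [];
    if (!is_array($submitted)) {
        return [[], ['(non-array data[member])']];
    }
    $accepted = [];
    $rejected = [];
    foreach ($submitted as $key => $val) {
        // Strict comparison: numeric keys and nested arrays are never accepted.
        if (in_array($key, REGISTRATION_FIELDS, true) && is_string($val)) {
            $accepted[$key] = trim($val);
        } else {
            $rejected[] = (string) $key;
        }
    }
    return [$accepted, $rejected];
}

// Constructed request body: a normal registration plus the extra parameter
// shown in the write-up.
$body = 'data%5Bmember%5D%5Busername%5D=alice'
      . '&data%5Bmember%5D%5Buserpass%5D=correct-horse'
      . '&data%5Bmember%5D%5Bemail%5D=alice%40example.test'
      . '&data%5Bmember%5D%5Bbalance_amount%5D=9999.99';
parse_str($body, $post);

[$member, $rejected] = filter_member_input($post);

// Account state is assigned by the server after filtering, never by the client.
$member['balance_amount'] = '0.00';

if ($rejected !== []) {
    // Unexpected keys on a registration form are worth logging and alerting on.
    error_log('registration: dropped fields: ' . implode(',', $rejected));
}

var_export($member);
```

The same allowlist approach applies to any other handler that copies a request array into a model. The `typename` lookup in the registration code is a separate issue and needs a parameterized query.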
