php cloud talent system UC API not initialized injection vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201442424
Type myhack58
Reporter Matt@乌云
Modified 2014-02-20T00:00:00


Detailed description:




require_once(dirname(dirname(dirname(FILE)))."/ data/db.config.php");

require_once(dirname(dirname(dirname(FILE)))."/ include/mysql.class.php");

$db = new mysql($db_config['dbhost'], $db_config['dbuser'], $db_config['dbpass'], $db_config['dbname'], ALL_PS, $db_config['charset']);

//Calculated from the notification to verify the results

$alipayNotify = new AlipayNotify($aliapy_config);

$verify_result = $alipayNotify->verifyNotify();//there is a validation validation can be bypassed

if($verify_result) {//validation successful

echo 2 2 2; ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////// ////////////////

//Please here plus merchant service logic program generation

//--Please according to your business logic to write a program the following code is for reference only-the

//Get the PayPal notification of the return parameter, refer to the technical documentation of the server asynchronous notification parameter list

$out_trade_no = $_POST['out_trade_no']; //get the order number

$trade_no = $_POST['trade_no']; //get the PayPal transaction number

$total = $_POST['price']; //get total price

$sql=$db->query("select * from ".$ db_config["def"]."company_order where order_id='$out_trade_no'");//here we are injecting

echo "select * from ".$ db_config["def"]."company_order where order_id='$out_trade_no'";


$sOld_trade_status = $row['order_state'];

if($_POST['trade_status'] == 'WAIT_BUYER_PAY') {

Verification code:

function verifyNotify(){

if(empty($_POST)) {//determine the POST to the array is empty

return false;


else {

//Generate the signature result

$mysign = $this->getMysign($_POST);//this will generate a KEY we talk about

echo $mysign."||";

function getMysign($para_temp) {

//Removed to be the signature parameters in an array a null value and the signature parameters

$para_filter = paraFilter($para_temp);

//Treat the signature parameter array sort

$para_sort = argSort($para_filter);

//Generate the signature result

echo trim($this->aliapy_config['key'])."::". strtoupper(trim($this->aliapy_config['sign_type'])).": x:";

$mysign = buildMysign($para_sort, trim($this->aliapy_config['key']), strtoupper(trim($this->aliapy_config['sign_type'])));//you can see here the use of a KEY for encryption this KEY is there a default value we can construct a transit to produce a KEY to inject now!

return $mysign;


Vulnerability to prove:

Transfer procedures are as follows


<? php

function paraFilter($para) {

$para_filter = array();

while (list ($key, $val) = each ($para)) {

if($key == "sign" || $key == "sign_type" || $val == "")continue;

else $para_filter[$key] = $para[$key];


return $para_filter;


function argSort($para) {



return $para;


function createLinkstring($para) {

$arg = "";

while (list ($key, $val) = each ($para)) {

[1] [2] next