Square Victoria O2O business system SQL injection vulnerability+XXE entity injection demo validation-vulnerability warning-the black bar safety net

ID MYHACK58:62201567479
Type myhack58
Reporter story@乌云
Modified 2015-09-28T00:00:00


Square Victoria O2O, the demo site address: http://o2odemo.fanwe.net/


code area


require_once '../system/system_init.php';

$ip = CLIENT_IP;

$xml = file_get_contents('php://input');

if($ip!='' || $xml=="")


header("Content-Type:text/html; charset=utf-8");

echo "·Ç··ÃÎÊ";



$xml = str_replace(array("/r/n", "/r", "/n"), "", $xml);

$xml_arr = simplexml_load_string($xml);

Such as on behalf of the code. IP verification is possible using XFF bypass, directly behind the call to simplexml_load_string to parse the POST string, causing the XXE entity injection.

Because there is no output, so here is a“blind”, the Blind XXE。 Test the official demo, but the data packet is not issued to, may be due to many reasons. whether to support the external network, whether the underlying limit for XML entities, etc, anyway, my local is successful.

Here the read to a file through the base64 to my web log:

! QQ20150621-1@2x.png

This is not the focus.

Continue to look at the code behind, theSQL injectionis the focus:

code area

$xml_arr = simplexml_load_string($xml);

$SrcMobile = $xml_arr->Body->Message->SrcMobile;

$Content = $xml_arr->Body->Message->Content;

$RecvTime = $xml_arr->Body->Message->RecvTime;

$arr = explode("-",$Content);

$prefix = $arr[0];

if($prefix!=' u'&&$prefix!=' v')


if(log_coupon("","SMS content:".$ Content,$RecvTime)&&$SrcMobile)


$msg_data['dest'] = $SrcMobile;

$msg_data['send_type'] = 0;

$msg_data['content'] = "SMS format is error";

$msg_data['send_time'] = 0;

$msg_data['is_send'] = 0;

$msg_data['create_time'] = NOW_TIME;

$msg_data['user_id'] = 0;

$msg_data['is_html'] = 0;

$GLOBALS['db']->autoExecute(DB_PREFIX."deal_msg_list",$msg_data); //insert

echo "ok";




Visible from the xml read content, incoming the log_coupon function, follow up see:

code area

function log_coupon($coupon_sn,$msg,$query_id = ")


$data = array();

$data['coupon_sn'] = $coupon_sn;

$data['msg'] = $msg;

$data['query_id'] = $query_id;

$data['create_time'] = NOW_TIME;

if($GLOBALS['db']->getOne("select count(*) from ". DB_PREFIX."coupon_log where query_id = '".$ query_id."'")== 0)


$GLOBALS['db']->autoExecute(DB_PREFIX."coupon_log",$data); //insert

return true;




return false;



Visible query_id is XML in RecvTime directly into the SQL statement.

This demo Station can demonstrate that the delay of the injection. POST the following data package:

code area

POST /cpapi/qxtapi.php HTTP/1.1

Host: o2odemo.fanwe.net

Accept: /

Accept-Language: en

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Connection: close


Content-Length: 1 4 7



The <Body>


<SrcMobile>1 3 3 2 2 2 2 1 1 1 1</SrcMobile>

<Content>1 2 3 1 2 3</Content>





You can see the delay of 5 seconds before showing results.

Wrote a script to run the database user name. See the test code.

Vulnerability proof:

! QQ20150621-3@2x.png

! QQ20150621-2@2x.png