WooYun (WooYun.org) historical vulnerability search --- http://wy.zone.ci/
WooYun Drops articles online -------- http://drop.zone.ci/
2014-06-23: Details reported to the vendor, awaiting vendor handling
2014-06-23: Vendor confirmed; details disclosed to the vendor only
2014-06-26: Details opened to third-party security partners
2014-08-17: Details opened to core white hats and relevant domain experts
2014-08-27: Details opened to regular white hats
2014-09-06: Details opened to intern white hats
2014-09-21: Details disclosed to the public
I only looked at two files. Tested successfully against the official site.
protected\controllers\simple.php

1.
```php
public function order_info(){
    $id = Filter::int(Req::args('id'));
    $product_id = Req::args('pid');          // taken from the request without any filtering
    $type = Req::args("type");
    if($this->checkOnline()){
        if($type=='groupbuy'){
            $model = new Model("groupbuy as gb");
            // $product_id is concatenated straight into the WHERE clause
            $item = $model->join("left join goods as go on gb.goods_id=go.id left join products as pr on pr.goods_id=gb.goods_id")
                ->fields("*,pr.id as product_id,pr.store_nums")
                ->where("gb.id=$id and pr.id=$product_id")
                ->find();
```
pid is not filtered and is not wrapped in single quotes, so it is injected directly. Errors are not displayed, so only blind injection is possible; run it through a tool. Official site:
2.
```php
public function order_status(){
    if($this->checkOnline()){
        $order_id = Req::get("order_id");    // taken from the request without any filtering
        if($order_id){
            // $order_id is concatenated straight into the WHERE clause
            $order = $this->model->table("order as od")
                ->join("left join payment as pa on od.payment= pa.id")
                ->fields("od.id,od.order_no,od.payment,od.pay_status,od.order_amount,pa.pay_name as payname,od.type")
                ->where("od.id=$order_id and od.status<4 and od.user_id = ".$this->user['id'])
                ->find();
            if($order){
```
order_id is not filtered; this is likewise a blind injection.

3.
```php
public function order_act(){
    if($this->checkOnline()){
        $address_id = Filter::int(Req::args('address_id'));
        $payment_id = Filter::int(Req::args('payment_id'));
        $prom_id = Filter::int(Req::args('prom_id'));
        $is_invoice = Filter::int(Req::args('is_invoice'));
        $invoice_type = Filter::int(Req::args('invoice_type'));
        $invoice_title = Filter::int(Req::args('invoice_title'));
        $user_remark = Filter::txt(Req::args('user_remark'));
        $voucher_id = Filter::int(Req::args('voucher'));
        // non-standard promotion info
        $type = Req::args("type");
        $id = Filter::int(Req::args('id'));
        $product_id = Req::args('product_id');   // taken from the request without any filtering
        $buy_num = Req::args('buy_num');
        if(!$address_id || !$payment_id){
            if(is_array($product_id))$product_id = implode('-', $product_id);
            $data = Req::args();
            if(!$address_id) $data['msg'] = array('fail',"必需选择收货地址,才能确认订单。");
            else $data['msg'] = array('fail',"必需选择支付方式,才能确认订单。");
            if($type==null)$this->redirect("order",false,$data);
            else {
                unset($data['act']);
                Req::args('pid',$product_id);
                Req::args('id',$id);
                unset($_GET['act']);
                Req::args('type',$type);
                Req::args('msg',$data['msg']);
                $this->redirect("/simple/order_info",true,Req::args());
            }
            exit;
        }
        // order type: 0 normal order, 1 group-buy order, 2 flash sale, 3 bundle promotion
        $order_type = 0;
        $model = new Model('');
        // group-buy handling
        if($type=="groupbuy"){
            $product_id = $product_id[0];
            $num = $buy_num[0];
            // $product_id is concatenated straight into the JOIN condition
            $item = $model->table("groupbuy as gb")
                ->join("left join goods as go on gb.goods_id=go.id left join products as pr on pr.id=$product_id")
                ->fields("*,pr.id as product_id,pr.spec")
                ->where("gb.id=$id")
                ->find();
            $order_products = .....
```
The product_id parameter is not filtered.

4.
```php
public function get_voucher(){
    $page = Req::args("page");
    $amount = Req::args("amount");       // taken from the request without any filtering
    $where = "user_id = ".$this->user['id']." and is_send = 1";
    // $amount is concatenated straight into the WHERE string
    $where .= " and status = 0 and '".date("Y-m-d H:i:s")."' <=end_time and '".date("Y-m-d H:i:s")."' >=start_time and money<=".$amount;
```
$amount is not filtered. For all four of the above, register an account and log in; since they are blind injections, a tool is enough (as shown in the first example).
Strengthen input filtering.
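As an added example (not code from this report or from the shop project), the following PHP shows the hardened shape of order_status and get_voucher: ids and amounts are type-checked before use and bound as PDO parameters instead of being concatenated into the WHERE string, which is what "strengthen filtering" amounts to for all four spots above. It assumes PHP 8 with pdo_sqlite for the offline demo; clean_int and clean_money are hypothetical stand-ins for the project's Filter helpers, and the PDO queries replace the project's Model query builder. The demo runs against constructed in-memory tables, not real shop data.

```php
<?php
// Added example, not code from the shop project in this report.
// Assumptions: PHP 8 with pdo_sqlite for the offline demo; clean_int/clean_money
// are hypothetical stand-ins for the application's Filter::int-style checks, and
// the queries use PDO bound parameters instead of the project's Model builder.
declare(strict_types=1);

// Accept only a plain decimal digit string for ids. Anything else,
// including a value with SQL appended, collapses to 0 and matches no row.
function clean_int(mixed $value): int
{
    return (is_int($value) || is_string($value)) && preg_match('/^\d+$/', (string) $value) === 1
        ? (int) $value
        : 0;
}

// Amounts must be numeric as a whole; is_numeric() rejects trailing SQL text.
function clean_money(mixed $value): float
{
    return is_numeric($value) ? (float) $value : 0.0;
}

// order_status, hardened: the id is type-checked and bound, so the
// "od.user_id = ..." ownership check can no longer be rewritten by the caller.
function find_order(PDO $db, mixed $raw_order_id, int $user_id): ?array
{
    $order_id = clean_int($raw_order_id);
    $stmt = $db->prepare(
        'SELECT od.id, od.order_no, od.payment, od.pay_status, od.order_amount,
                pa.pay_name AS payname, od.type
           FROM `order` AS od
           LEFT JOIN payment AS pa ON od.payment = pa.id
          WHERE od.id = :order_id AND od.status < 4 AND od.user_id = :user_id'
    );
    $stmt->execute([':order_id' => $order_id, ':user_id' => $user_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// get_voucher, hardened: amount and timestamps are all bound parameters;
// nothing from the request is concatenated into the WHERE string.
function find_vouchers(PDO $db, mixed $raw_amount, int $user_id, string $now): array
{
    $amount = clean_money($raw_amount);
    $stmt = $db->prepare(
        'SELECT id, money FROM voucher
          WHERE user_id = :uid AND is_send = 1 AND status = 0
            AND :now_a <= end_time AND :now_b >= start_time
            AND money <= :amount'
    );
    $stmt->execute([':uid' => $user_id, ':now_a' => $now, ':now_b' => $now, ':amount' => $amount]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Offline demo on constructed data (not real shop data).
function demo(): void
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE `order` (id INTEGER, order_no TEXT, payment INTEGER, pay_status INTEGER,
               order_amount REAL, status INTEGER, type INTEGER, user_id INTEGER)');
    $db->exec('CREATE TABLE payment (id INTEGER, pay_name TEXT)');
    $db->exec('CREATE TABLE voucher (id INTEGER, user_id INTEGER, is_send INTEGER, status INTEGER,
               start_time TEXT, end_time TEXT, money REAL)');
    $db->exec("INSERT INTO payment VALUES (1, 'alipay')");
    $db->exec("INSERT INTO `order` VALUES (1, 'A001', 1, 0, 99.0, 1, 0, 7), (2, 'A002', 1, 0, 12.5, 1, 0, 8)");
    $db->exec("INSERT INTO voucher VALUES (1, 7, 1, 0, '2014-06-01 00:00:00', '2014-12-31 00:00:00', 50.0),
               (2, 8, 1, 0, '2014-06-01 00:00:00', '2014-12-31 00:00:00', 20.0)");

    // A well-formed id from the owning user returns that user's order.
    var_dump(find_order($db, '1', 7));
    // A non-numeric id from another user is rejected as a whole: no row,
    // and the ownership condition in the WHERE clause is left intact.
    var_dump(find_order($db, '1 or 1=1', 8));
    // A well-formed amount lists the user's matching vouchers; a non-numeric
    // one collapses to 0.0 and matches nothing instead of altering the query.
    var_dump(count(find_vouchers($db, '100', 8, '2014-06-23 00:00:00')));
    var_dump(count(find_vouchers($db, '100 or 1=1', 8, '2014-06-23 00:00:00')));
}

demo();
```

Rejecting malformed input outright (rather than casting the leading digits and silently accepting the rest) also gives a clear log signal: a request whose id fails clean_int is worth alerting on, because a legitimate client never sends one.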
Severity: High
Vulnerability Rank: 15
Confirmed: 2014-06-23 20:54
Thank you for your feedback; we will fix this as soon as possible. Regarding SQL injection issues in the shop system, please do not submit duplicate reports; we will carry out a detailed review of the whole system. Thanks again.
None