乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-12-16: 积极联系厂商并且等待厂商认领中,细节不对外公开 2015-03-16: 厂商已经主动忽略漏洞,细节向公众公开
iWebShop开源电子商务系统最新版2014-11-18存在SQL注入漏洞.
首先,这个洞与我在360补天提交的不一样。需要登陆后台,漏洞在iwebshop\controllers\market.php页面,$id参数未过滤
function ticket_status() { $status = IReq::get('status'); $id = IReq::get('id'); $ticket_id = IReq::get('ticket_id'); if(!empty($id) && $status != null && $ticket_id != null) { $ticketObj = new IModel('prop'); if(is_array($id)) { foreach($id as $val) { $where = 'id = '.$val; $ticketRow = $ticketObj->getObj($where,$status); if($ticketRow[$status]==1) { $ticketObj->setData(array($status => 0)); } else { $ticketObj->setData(array($status => 1)); } $ticketObj->update($where); } } else { $where = 'id = '.$id; $ticketRow = $ticketObj->getObj($where,$status); if($ticketRow[$status]==1) { $ticketObj->setData(array($status => 0)); } else { $ticketObj->setData(array($status => 1)); } $ticketObj->update($where); } $this->redirect('ticket_more_list/ticket_id/'.$ticket_id); } else { $this->ticket_id = $ticket_id; $this->redirect('ticket_more_list',false); Util::showMessage('请选择要修改的id值'); } }
看下调用的IReq::get('id')req_class.php
public static function get($key, $type=false) { //默认方式 if($type==false) { if(isset($_GET[$key])) return $_GET[$key]; else if(isset($_POST[$key])) return $_POST[$key]; else return null; } //get方式 else if($type=='get' && isset($_GET[$key])) return $_GET[$key]; //post方式 else if($type=='post' && isset($_POST[$key])) return $_POST[$key]; //无匹配 else return null; }
然后带入model_class.php的function update()
public function update($where,$except=array()) { $except = is_array($except) ? $except : array($except); //获取更新数据 $tableObj = $this->tableData; $updateStr = ''; $where = (strtolower($where) == 'all') ? '' : ' WHERE '.$where; foreach($tableObj as $key => $val) { if($updateStr != '') $updateStr.=' , '; if(!in_array($key,$except)) $updateStr.= '`'.$key.'` = \''.$val.'\''; else $updateStr.= '`'.$key.'` = '.$val; } $sql = 'UPDATE '.$this->tableName.' SET '.$updateStr.$where; return $this->db->query($sql); }
最后看下提交的数据与结果,需要cookie
你们懂。
未能联系到厂商或者厂商积极拒绝