乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-12-18: 积极联系厂商并且等待厂商认领中,细节不对外公开 2014-03-18: 厂商已经主动忽略漏洞,细节向公众公开
易想团购#sql注入
http://127.0.0.1/easethink/message.php?act=
if($_REQUEST['act'] == 'add'){ if(!$user_info) { showErr($GLOBALS['lang']['PLEASE_LOGIN_FIRST']); } if($_REQUEST['content']=='') { showErr($GLOBALS['lang']['MESSAGE_CONTENT_EMPTY']); } if(!check_ipop_limit(get_client_ip(),"message",intval(app_conf("SUBMIT_DELAY")),0)) { showErr($GLOBALS['lang']['MESSAGE_SUBMIT_FAST']); } $rel_table = $_REQUEST['rel_table']; $message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'"); if(!$message_type) { showErr($GLOBALS['lang']['INVALID_MESSAGE_TYPE']); } $message_group = $_REQUEST['message_group']; //添加留言 $message['title'] = htmlspecialchars(addslashes($_REQUEST['content'])); $message['content'] = htmlspecialchars(addslashes($_REQUEST['content'])); if($message_group) { $message['title']="[".$message_group."]:".$message['title']; $message['content']="[".$message_group."]:".$message['content']; } $message['create_time'] = get_gmtime(); $message['rel_table'] = $rel_table; $message['rel_id'] = $_REQUEST['rel_id']; $message['user_id'] = intval($GLOBALS['user_info']['id']); $message['city_id'] = $deal_city['id']; if(app_conf("USER_MESSAGE_AUTO_EFFECT")==0) { $message_effect = 0; } else { $message_effect = $message_type['is_effect']; } $message['is_effect'] = $message_effect; $GLOBALS['db']->autoExecute(DB_PREFIX."message",$message); showSuccess($GLOBALS['lang']['MESSAGE_POST_SUCCESS']); }else{ $rel_table = $_REQUEST['act']; $message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");
参数act 未做过滤导致直接带入数据库查询。导致注入。
过滤
未能联系到厂商或者厂商积极拒绝