WooYun (WooYun.org) historical vulnerability lookup --- http://wy.zone.ci/
WooYun Drops article browser -------------------------- http://drop.zone.ci/
2013-12-25: Details reported to the vendor, awaiting vendor response
2013-12-30: Vendor actively ignored the vulnerability; details opened to third-party security partners
2014-02-23: Details opened to core white hats and domain experts
2014-03-05: Details opened to regular white hats
2014-03-15: Details opened to intern white hats
2014-03-22: Details opened to the public
PHPSHE e-commerce program SQL injection #5
On the product list page a parameter is used without any filtering, which leads to SQL injection. The code is in /module/index/product.php. Here is the product list handler:
    //#####################@ Product list @#####################//
    case 'list':
        $category_id = intval($id);
        $info = $db->pe_select('category', array('category_id'=>$category_id));
        // search
        $sqlwhere = " and `product_state` = 1";
        pe_lead('hook/category.hook.php');
        if ($category_id) {
            $sqlwhere .= is_array($category_cidarr = category_cidarr($category_id))
                ? " and `category_id` in('".implode("','", $category_cidarr)."')"
                : " and `category_id` = '{$category_id}'";
        }
        $_g_keyword && $sqlwhere .= " and `product_name` like '%".pe_dbhold($_g_keyword)."%'";
        if ($_g_orderby) {
            $orderby = explode('_', $_g_orderby); // split the parameter on '_'
            // the split parts are interpolated straight into the SQL, unfiltered
            $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
        } else {
            $sqlwhere .= " order by `product_id` desc";
        }
        $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page)); // goes into the SQL statement
        // best-seller ranking
        $product_hotlist = product_hotlist();
        // current path
        $nowpath = category_path($category_id);
        $seo = pe_seo($info['category_name']);
        include(pe_tpl('product_list.html'));
        break;

Following pe_selectall:

    public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
    {
        // build the WHERE clause
        $sqlwhere = $this->_dowhere($where);
        return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
    }

    protected function _dowhere($where)
    {
        if (is_array($where)) {
            foreach ($where as $k => $v) {
                if (is_array($v)) {
                    $where_arr[] = "`{$k}` in('".implode("','", $v)."')";
                } else {
                    in_array($k, array('order by', 'group by'))
                        ? ($sqlby = " {$k} {$v}")
                        : ($where_arr[] = "`{$k}` = '{$v}'");
                }
            }
            $sqlwhere = is_array($where_arr) ? 'where '.implode(' and ', $where_arr).$sqlby : $sqlby;
        } else {
            // a string $where is appended verbatim, so the caller's order by clause is used as-is
            $where && $sqlwhere = (stripos(trim($where), 'order by') === 0 or stripos(trim($where), 'group by') === 0)
                ? "{$where}"
                : "where 1 {$where}";
        }
        return $sqlwhere;
    }
From the code above, the orderby parameter is split on '_' and both halves are interpolated into the order by clause without any filtering or whitelisting, and _dowhere passes the string through untouched, so the value ends up in the SQL statement, which leads to SQL injection.
Add the following to the orderby parameter, as shown in the figure:
The SQL statement is executed successfully. There is also a path disclosure issue here.
Fix: filter the parameter.
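One way to apply that fix is to build the order by clause from a whitelist rather than from the raw parameter. The function below is an added example, not PHPSHE's own code; the sortable column list, the default clause and the function name pe_safe_orderby are assumptions for illustration.

```php
<?php
// Added example (not PHPSHE's own code): build the ORDER BY clause from a
// whitelist instead of splicing the raw orderby parameter into the query.
// The column list, default clause and function name are assumptions.
function pe_safe_orderby($orderby)
{
    // Only these product_* columns may be sorted on (hypothetical list).
    $allowed_fields = array('id', 'price', 'sales', 'time');
    $allowed_dirs   = array('asc', 'desc');
    $default        = " order by `product_id` desc";

    if (!is_string($orderby) || $orderby === '') {
        return $default;
    }
    // Same "field_direction" shape the original code expects, but limited to two parts.
    $parts = explode('_', $orderby, 2);
    if (count($parts) !== 2) {
        return $default;
    }
    $field = strtolower($parts[0]);
    $dir   = strtolower($parts[1]);

    // Strict comparison against the whitelist; anything else falls back to the default.
    if (!in_array($field, $allowed_fields, true) || !in_array($dir, $allowed_dirs, true)) {
        return $default;
    }
    // Both pieces are now known-safe literals, so interpolating them is fine.
    return " order by `product_{$field}` {$dir}";
}

// Constructed inputs: a legitimate sort, a value with extra characters after the
// direction, and an empty parameter. Only the first one is used verbatim.
echo pe_safe_orderby('price_asc'), "\n";
echo pe_safe_orderby('price_asc, extra'), "\n";
echo pe_safe_orderby(''), "\n";
```

The same whitelist approach applies to any column or direction name taken from the request; the rest of the query can keep using pe_dbhold() for value escaping.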
Severity: no impact (vendor ignored)
Ignored at: 2014-03-22 10:01
2014-05-19: Thanks to @xfkxfk for the code audit; the SQL injection vulnerability has been fixed!