乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-02-18: 积极联系厂商并且等待厂商认领中,细节不对外公开 2014-05-19: 厂商已经主动忽略漏洞,细节向公众公开
多个文件SQL注入
search.php(BIWEB企业版几乎所有的该文件都存在这个问题)举例:Product/search.php 文件24-60行(不止这一处)
if(!empty($_REQUEST['product_name'])){ $strKeywords = strval(urldecode(trim($_REQUEST['product_name'])));//只是进行了简单的过滤空格和url解码 $arrKeywords = explode(" ",$strKeywords);//将关键词用空格进行分割 $newArrKeywords = array(); foreach($arrKeywords as $val){ if(trim($val)!=""){ $newArrKeywords[] = $val; //不为空则赋值 } } if(count($newArrKeywords)>1){//为数组时的逻辑处理 foreach($newArrKeywords as $key=>$val){ $arrWhere[] = "`title` LIKE '%$val%' OR `summary` LIKE '%$val%' OR `intro` LIKE '%$val%'";//这里进行了SQL语句的拼接,变量val可控 if($key!=0){ $strKeyword .= " , ".$val; }else{ $strKeyword .= $val; } } }else{ $arrWhere[] = "`title` LIKE '%$newArrKeywords[0]%' OR `summary` LIKE '%$newArrKeywords[0]%'"; $strKeyword = $newArrKeywords[0]; } $arrLink[] = 'keywords=' . urlencode(trim($_REQUEST['keywords']));}else check::AlertExit("错误:关键词必须填写!",-1);if (empty($_GET['page'])) { $intPage = 1 ;} else { $intPage = intval($_GET['page']);}$strWhere = implode(' AND ',$arrWhere);$strWhere = 'where '.$strWhere;$arrInfoList = $objWebInit->getInfoList($strWhere,' ORDER BY topflag DESC,submit_date DESC',($intPage-1)*$arrGPage['page_size'],$arrGPage['page_size'],'*');跟踪函数getInfoList public function getInfoList($where='',$order='',$intStartID = 0,$intListNum = 0,$field = '*',$arrData = array(),$blCount = true,$blComplex = false){ $table = $this->tablename1; $arrData=(empty($arrData)?array():$arrData); $limit = ''; if($blComplex){ if($where != '') $where .= " and id <= ( SELECT id FROM `$table` $order LIMIT $intStartID, 1 )"; else $where = " where id <= ( SELECT id FROM `$table` $order LIMIT $intStartID, 1 )"; } if (!empty($order)) { $limit .= $order; } if (!empty($intListNum)) $limit .= " LIMIT " . $intStartID .','. $intListNum; $blFetch = false; if($field === true) { $arrDBfield = $this->arrGPdoDB['db_table_field']; unset($arrDBfield['structon_tb']); $field = implode(',',array_keys($arrDBfield)); } $arrData = $this->selectDataG($table,$where,$limit,$field,$blFetch,$arrData,$blCount);//关键在这里,终于进入数据库查询函数 selectDataG,造成注入 if(isset($arrData[0]['structon_tb'])) $arrData = $this->loadTableFieldG($arrData); return $arrData; }
加单引号报错:
下图可以看到在数据库中的运算
intval
未能联系到厂商或者厂商积极拒绝