当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-046319

漏洞标题:易想团购开源版#sql注入01

相关厂商:易想团购系统

漏洞作者: m1x7e1

提交时间:2013-12-18 11:48

修复时间:2014-03-18 11:49

公开时间:2014-03-18 11:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:14

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-12-18: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-03-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

易想团购#sql注入

详细说明:

http://127.0.0.1/easethink/message.php?act= 

if($_REQUEST['act'] == 'add')
{
	if(!$user_info)
	{
		showErr($GLOBALS['lang']['PLEASE_LOGIN_FIRST']);
	}
	if($_REQUEST['content']=='')
	{
		showErr($GLOBALS['lang']['MESSAGE_CONTENT_EMPTY']);
	}
	if(!check_ipop_limit(get_client_ip(),"message",intval(app_conf("SUBMIT_DELAY")),0))
	{
		showErr($GLOBALS['lang']['MESSAGE_SUBMIT_FAST']);
	}
	
	$rel_table = $_REQUEST['rel_table'];
	$message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");
	if(!$message_type)
	{
		showErr($GLOBALS['lang']['INVALID_MESSAGE_TYPE']);
	}
	
	$message_group = $_REQUEST['message_group'];
	//添加留言
	$message['title'] = htmlspecialchars(addslashes($_REQUEST['content']));
	$message['content'] = htmlspecialchars(addslashes($_REQUEST['content']));
	if($message_group)
	{
		$message['title']="[".$message_group."]:".$message['title'];
		$message['content']="[".$message_group."]:".$message['content'];
	}
	
	$message['create_time'] = get_gmtime();
	$message['rel_table'] = $rel_table;
	$message['rel_id'] = $_REQUEST['rel_id'];
	$message['user_id'] = intval($GLOBALS['user_info']['id']);
	$message['city_id'] = $deal_city['id'];
	if(app_conf("USER_MESSAGE_AUTO_EFFECT")==0)
	{
		$message_effect = 0;
	}
	else
	{
		$message_effect = $message_type['is_effect'];
	}
	$message['is_effect'] = $message_effect;
	
	$GLOBALS['db']->autoExecute(DB_PREFIX."message",$message);
	showSuccess($GLOBALS['lang']['MESSAGE_POST_SUCCESS']);
	
}
else
{
	$rel_table = $_REQUEST['act'];
	$message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");


参数act 未做过滤导致直接带入数据库查询。导致注入。

easethinksql.jpg


漏洞证明:

easethinksql.jpg

修复方案:

过滤

版权声明:转载请注明来源 m1x7e1@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝