当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-065808

漏洞标题:TinyShop 多处SQL注入漏洞

相关厂商:tinyrise.com

漏洞作者: roker

提交时间:2014-06-23 17:34

修复时间:2014-09-21 17:36

公开时间:2014-09-21 17:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-06-23: 细节已通知厂商并且等待厂商处理中
2014-06-23: 厂商已经确认,细节仅向厂商公开
2014-06-26: 细节向第三方安全合作伙伴开放
2014-08-17: 细节向核心白帽子及相关领域专家公开
2014-08-27: 细节向普通白帽子公开
2014-09-06: 细节向实习白帽子公开
2014-09-21: 细节向公众公开

简要描述:

只看了2个文件。官网测试成功。

详细说明:

protected\controllers\simple.php
1

public function order_info(){
        $id = Filter::int(Req::args('id'));
        $product_id = Req::args('pid');
        $type = Req::args("type");
        if($this->checkOnline()){
            if($type=='groupbuy'){
                $model = new Model("groupbuy as gb");
                $item = $model->join("left join goods as go on gb.goods_id=go.id left join products as pr on pr.goods_id=gb.goods_id")->fields("*,pr.id as product_id,pr.store_nums")->where("gb.id=$id and pr.id=$product_id")->find();


pid没有过滤 无单引号 直接注入。不能报错,所以只能盲注。工具跑下。
官网:

tt1.jpg


2

public function order_status(){
        if($this->checkOnline()){
            $order_id = Req::get("order_id");
            if($order_id){
                $order = $this->model->table("order as od")->join("left join payment as pa on od.payment= pa.id")->fields("od.id,od.order_no,od.payment,od.pay_status,od.order_amount,pa.pay_name as payname,od.type")->where("od.id=$order_id and od.status<4 and od.user_id = ".$this->user['id'])->find();
                if($order){

order_id
没有过滤 同样是盲注.
3

public function order_act(){
        if($this->checkOnline()){
            $address_id = Filter::int(Req::args('address_id'));
            $payment_id = Filter::int(Req::args('payment_id'));
            $prom_id = Filter::int(Req::args('prom_id'));
            $is_invoice = Filter::int(Req::args('is_invoice'));
            $invoice_type = Filter::int(Req::args('invoice_type'));
            $invoice_title = Filter::int(Req::args('invoice_title'));
            $user_remark = Filter::txt(Req::args('user_remark'));
            $voucher_id = Filter::int(Req::args('voucher'));
            //非普通促销信息
            $type = Req::args("type");
            $id = Filter::int(Req::args('id'));
            $product_id = Req::args('product_id');
            $buy_num = Req::args('buy_num');
            if(!$address_id || !$payment_id){
                if(is_array($product_id))$product_id = implode('-', $product_id);
                $data = Req::args();
                if(!$address_id) $data['msg'] = array('fail',"必需选择收货地址,才能确认订单。");
                else $data['msg'] = array('fail',"必需选择支付方式,才能确认订单。");
                if($type==null)$this->redirect("order",false,$data);
                else {
                    unset($data['act']);
                    Req::args('pid',$product_id);
                    Req::args('id',$id);
                    unset($_GET['act']);
                    Req::args('type',$type);
                    Req::args('msg',$data['msg']);
                    $this->redirect("/simple/order_info",true,Req::args());
                }
                exit;
            }
            //订单类型: 0普通订单 1团购订单 2限时抢购 3捆绑促销
            $order_type = 0;
            $model = new Model('');
            //团购处理
            if($type=="groupbuy"){
                $product_id = $product_id[0];
                $num = $buy_num[0];
                $item = $model->table("groupbuy as gb")->join("left join goods as go on gb.goods_id=go.id left join products as pr on pr.id=$product_id")->fields("*,pr.id as product_id,pr.spec")->where("gb.id=$id")->find();
                $order_products = .....


product_id 参数没有过滤。
4

public function get_voucher(){
        $page = Req::args("page");
        $amount = Req::args("amount");
        $where = "user_id = ".$this->user['id']." and is_send = 1";
        $where .= " and status = 0 and '".date("Y-m-d H:i:s")."' <=end_time and '".date("Y-m-d H:i:s")."' >=start_time and money<=".$amount;


$amount
上面四个 注册用户后登入,盲注的话,工具跑下就可以了(如第一处 示例所以)。

漏洞证明:

tt1.jpg

修复方案:

加强过滤

版权声明:转载请注明来源 roker@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2014-06-23 20:54

厂商回复:

谢谢您的反馈,我们会尽快修复的,关于shop系统的SQL注入的问题请不要再重复提交漏洞了,我们会对全系统进行一次详细的排查,再次表示感谢。

最新状态:

暂无