
Vulnerability summary

Defect ID: wooyun-2014-065808

Title: TinyShop multiple SQL injection vulnerabilities

Vendor: tinyrise.com

Author: roker

Submitted: 2014-06-23 17:34

Fixed: 2014-09-21 17:36

Published: 2014-09-21 17:36

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help, contact [email protected]



Vulnerability details

Disclosure status:

2014-06-23: Details sent to the vendor, awaiting vendor handling
2014-06-23: Vendor confirmed; details disclosed to the vendor only
2014-06-26: Details opened to third-party security partners
2014-08-17: Details opened to core white hats and domain experts
2014-08-27: Details opened to regular white hats
2014-09-06: Details opened to intern white hats
2014-09-21: Details disclosed to the public

Brief description:

I only looked at two files. Tested successfully on the vendor's official site.

Detailed description:

protected\controllers\simple.php
1.

public function order_info(){
$id = Filter::int(Req::args('id'));
$product_id = Req::args('pid');
$type = Req::args("type");
if($this->checkOnline()){
if($type=='groupbuy'){
$model = new Model("groupbuy as gb");
$item = $model->join("left join goods as go on gb.goods_id=go.id left join products as pr on pr.goods_id=gb.goods_id")->fields("*,pr.id as product_id,pr.store_nums")->where("gb.id=$id and pr.id=$product_id")->find();


pid is not filtered and sits in the query without quotes, so it is injected directly. The application does not surface errors, so only blind injection is possible; just run it through a tool.
Official site:

[screenshot: tt1.jpg]


2.

public function order_status(){
if($this->checkOnline()){
$order_id = Req::get("order_id");
if($order_id){
$order = $this->model->table("order as od")->join("left join payment as pa on od.payment= pa.id")->fields("od.id,od.order_no,od.payment,od.pay_status,od.order_amount,pa.pay_name as payname,od.type")->where("od.id=$order_id and od.status<4 and od.user_id = ".$this->user['id'])->find();
if($order){

order_id is not filtered; blind injection again.
3.

public function order_act(){
if($this->checkOnline()){
$address_id = Filter::int(Req::args('address_id'));
$payment_id = Filter::int(Req::args('payment_id'));
$prom_id = Filter::int(Req::args('prom_id'));
$is_invoice = Filter::int(Req::args('is_invoice'));
$invoice_type = Filter::int(Req::args('invoice_type'));
$invoice_title = Filter::int(Req::args('invoice_title'));
$user_remark = Filter::txt(Req::args('user_remark'));
$voucher_id = Filter::int(Req::args('voucher'));
// non-standard promotion information
$type = Req::args("type");
$id = Filter::int(Req::args('id'));
$product_id = Req::args('product_id');
$buy_num = Req::args('buy_num');
if(!$address_id || !$payment_id){
if(is_array($product_id))$product_id = implode('-', $product_id);
$data = Req::args();
if(!$address_id) $data['msg'] = array('fail',"必需选择收货地址,才能确认订单。");
else $data['msg'] = array('fail',"必需选择支付方式,才能确认订单。");
if($type==null)$this->redirect("order",false,$data);
else {
unset($data['act']);
Req::args('pid',$product_id);
Req::args('id',$id);
unset($_GET['act']);
Req::args('type',$type);
Req::args('msg',$data['msg']);
$this->redirect("/simple/order_info",true,Req::args());
}
exit;
}
// order type: 0 regular order, 1 group buy, 2 flash sale, 3 bundle promotion
$order_type = 0;
$model = new Model('');
// group-buy handling
if($type=="groupbuy"){
$product_id = $product_id[0];
$num = $buy_num[0];
$item = $model->table("groupbuy as gb")->join("left join goods as go on gb.goods_id=go.id left join products as pr on pr.id=$product_id")->fields("*,pr.id as product_id,pr.spec")->where("gb.id=$id")->find();
$order_products = .....


The product_id parameter is not filtered.
4.

public function get_voucher(){
$page = Req::args("page");
$amount = Req::args("amount");
$where = "user_id = ".$this->user['id']." and is_send = 1";
$where .= " and status = 0 and '".date("Y-m-d H:i:s")."' <=end_time and '".date("Y-m-d H:i:s")."' >=start_time and money<=".$amount;


$amount
For all four spots above, register a user and log in; for the blind injection, running a tool is enough (as in the example for the first spot).

Proof of vulnerability:

[screenshot: tt1.jpg]

Fix recommendation:

Strengthen input filtering.
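As an added example (not TinyShop's code and not part of this report), this is the kind of filtering the fix calls for, applied to the four reported parameters: the same Filter::int coercion simple.php already uses for $id, extended to pid / product_id, order_id and amount. The filter functions are stand-ins for the project's Filter class, and the allowed type list is an assumption.

```php
<?php
// Added example, not TinyShop's own code. Stand-ins for the project's Filter
// class (assumption: Filter::int yields 0 for non-numeric input).

function filter_int($value): int {
    // the groupbuy flow passes product_id as an array and uses element 0
    if (is_array($value)) {
        $value = reset($value);
    }
    $v = filter_var($value, FILTER_VALIDATE_INT);
    return $v === false ? 0 : $v;
}

function filter_amount($value): string {
    // "money<=..." needs a numeric literal; reject anything that is not a float
    $v = filter_var($value, FILTER_VALIDATE_FLOAT);
    return $v === false ? '0' : sprintf('%.2F', $v);
}

function filter_type($value): ?string {
    // 'type' selects a code path; allow only known values (list is an assumption)
    $allowed = ['groupbuy', 'limitbuy', 'bundle'];
    return in_array($value, $allowed, true) ? $value : null;
}

// WHERE clauses as simple.php builds them, unfiltered and filtered.
function order_info_where_vulnerable($id, $pid): string {
    return "gb.id=$id and pr.id=$pid";
}

function order_info_where_fixed($id, $pid): string {
    return 'gb.id=' . filter_int($id) . ' and pr.id=' . filter_int($pid);
}

function voucher_where_fixed(int $userId, $amount): string {
    $now = date('Y-m-d H:i:s');
    return "user_id = $userId and is_send = 1 and status = 0"
         . " and '$now' <= end_time and '$now' >= start_time"
         . ' and money<=' . filter_amount($amount);
}

// Constructed input: a pid that is not a plain integer (not an attack string).
$pid = '7 trailing text';
echo order_info_where_vulnerable('3', $pid), "\n"; // the text reaches the SQL unchanged
echo order_info_where_fixed('3', $pid), "\n";      // only integers reach the SQL
echo voucher_where_fixed(42, '19.99abc'), "\n";    // non-numeric amount is rejected
var_dump(filter_type('groupbuy'), filter_type('anything-else'));
```

Binding the values as prepared-statement parameters would be the stronger fix, but in a code base that interpolates into where() strings this per-parameter coercion is the minimal change that closes all four spots.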

Copyright notice: when reposting, please credit roker@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 15

Confirmed: 2014-06-23 20:54

Vendor reply:

Thank you for your feedback; we will fix this as soon as possible. Regarding SQL injection issues in the shop system, please do not submit further duplicate reports; we will carry out a thorough review of the entire system. Thanks again.

Latest status:

None yet