Vulnerability Summary
Followers (24)
Title: CuuMall free open-source mall system, multiple SQL injections
Submitted: 2014-10-02 10:18
Fixed: 2014-12-31 10:20
Published: 2014-12-31 10:20
Vulnerability type: SQL injection
Severity: High
Self-assessed Rank: 15
Status: Confirmed by vendor
Tags:
None
Vulnerability details
Disclosure status:
2014-10-02: Details sent to the vendor, awaiting vendor handling
2014-10-09: Vendor confirmed; details visible to the vendor only
2014-10-12: Details opened to third-party security partners
2014-12-03: Details opened to core white hats and domain experts
2014-12-13: Details opened to regular white hats
2014-12-23: Details opened to intern white hats
2014-12-31: Details opened to the public
Brief description: CuuMall free open-source mall system, multiple SQL injections
Detailed description: Straight to the code. SearchAction.class.php (lines 71-109):
    public function Exsearch( )
    {
        // All four values come straight from POST with no validation
        $pinpai   = $_POST['pinpai'];
        $pr1      = $_POST['pr1'];
        $pr2      = $_POST['pr2'];
        $key_word = $_POST['key_word'];
        if ( $pinpai == 0 ) {
            $pinpai = "";
        }
        // The "numeric" filters are concatenated unquoted into the WHERE clause
        if ( $pinpai != "" ) {
            $sql1 = "pinpai=".$pinpai." and ";
        } else {
            $sql1 = "";
        }
        if ( $pr1 != "" ) {
            $sql2 = "memprice>".$pr1." and ";
        } else {
            $sql2 = "";
        }
        if ( $pr2 != "" ) {
            $sql3 = "memprice<".$pr2." and ";
        } else {
            $sql3 = "";
        }
        $title = c( "MALLTITLE" )."-".$key_word;
        $this->assign( "title", $title );
        $header = a( "Header" );
        $header->index( );
        $list = new Model( "produc" );
        import( "ORG.Util.Page" );
        // $key_word is interpolated into the LIKE patterns as well
        $count = $list->where( $sql1.$sql2.$sql3."title like '%".$key_word."%' and body like '%".$key_word."%'" )->count( );
        $page = new Page( $count, 24 );
        // ... remainder of the method not shown in the report
    }
Notice that $pinpai, $pr1 and $pr2 are not inside quotes here. Let's run a test.
url: http://192.168.10.70/cuumall_v2.3/v2.3/mall_upload/index.php/home/search/Exsearch
postdata: pinpai=1 and 1=1&pr1=1&pr2=2
After sending the request, the captured SQL statement is:
SELECT COUNT(*) AS tp_count FROM `cuu_produc` WHERE pinpai=1 and 1=1 and memprice>1 and memprice<2 and title like '%%' and body like '%%' LIMIT 1
See how the 1=1 lands in the middle of the SQL statement unchanged. Now the next one, still in the same file, lines 135-172:
    public function px( )
    {
        // The column name used in the WHERE and ORDER BY clauses comes from GET
        $order = $_GET['order'];
        $title = c( "MALLTITLE" );
        $this->assign( "title", $title );
        $header = a( "Header" );
        $header->index( );
        $list = new Model( "produc" );
        import( "ORG.Util.Page" );
        if ( $order == "addtime" ) {
            $count = $list->count( );
        } else {
            // $order is used as a raw identifier in the WHERE clause
            $count = $list->where( $order."=1" )->count( );
        }
        $page = new Page( $count, 24 );
        $show = $page->show( );
        if ( $order == "addtime" ) {
            $pro = $list->order( $order." desc" )->limit( $page->firstRow.",".$page->listRows )->select( );
        } else {
            $pro = $list->where( $order."=1" )->order( "addtime desc" )->limit( $page->firstRow.",".$page->listRows )->select( );
        }
        $pro = $this->bakimg( $pro );
        $this->assign( "page", $show );
        $this->assign( "pro", $pro );
        $lm = new Model( "lanmu_one" );
        $d_lm = $lm->select( );
        $this->assign( "d_lm", $d_lm );
        $pp = $this->pinpai( );
        $this->assign( "pp", $pp );
        $this->display( "Home:searchlist" );
        $bu = new ButtomAction( );
        $bu->Index( );
        // ... remainder of the method not shown in the report
    }
See that $order = $_GET['order']; is never sanitized, and then $count = $list->where( $order."=1" )->count( ); uses it. The principle is the same, so no demonstration here.
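The two methods fail in two different ways, and the fixes differ accordingly: Exsearch() concatenates values (brand id, prices, keyword), which should be validated and bound as parameters; px() concatenates an identifier (a column name), which cannot be bound and must be checked against a fixed allow-list. The following hardened counterpart is an added example, not CuuMall's code or ThinkPHP's API. It uses plain PDO against MySQL (PHP 8 syntax); the table name `cuu_produc` and the columns `pinpai`, `memprice`, `title`, `body` and `addtime` come from the report, while the connection details and the extra allow-listed column `is_recommended` are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Hardened version of the two vulnerable methods from the report (example
// code, not from CuuMall). Assumes a PDO connection to a MySQL database
// that contains the `cuu_produc` table seen in the captured query.
final class SafeProductSearch
{
    // px() filters on a column chosen by the client. Identifiers cannot be
    // bound as parameters, so the only safe treatment is a fixed allow-list.
    // 'addtime' is from the report; 'is_recommended' is a constructed example.
    private const ORDER_COLUMNS = ['addtime', 'is_recommended'];

    public function __construct(private PDO $db) {}

    // Replacement for Exsearch(): numeric filters are validated, every value
    // is bound, and LIKE metacharacters in the keyword are escaped.
    public function countSearch(array $post): int
    {
        $where  = [];
        $params = [];

        // Brand id: must be an integer; 0 or empty means "no brand filter".
        // The original concatenated the raw string, so "1 and 1=1" went through.
        $rawPinpai = (string)($post['pinpai'] ?? '');
        if ($rawPinpai !== '') {
            $pinpai = filter_var($rawPinpai, FILTER_VALIDATE_INT);
            if ($pinpai === false) {
                throw new InvalidArgumentException('pinpai must be an integer');
            }
            if ($pinpai !== 0) {
                $where[] = 'pinpai = :pinpai';
                $params[':pinpai'] = $pinpai;
            }
        }

        // Price bounds: must be numeric, bound as parameters when present.
        foreach (['pr1' => 'memprice > :pr1', 'pr2' => 'memprice < :pr2'] as $key => $clause) {
            $raw = (string)($post[$key] ?? '');
            if ($raw === '') {
                continue;
            }
            $price = filter_var($raw, FILTER_VALIDATE_FLOAT);
            if ($price === false) {
                throw new InvalidArgumentException("$key must be numeric");
            }
            $where[] = $clause;
            $params[":$key"] = $price;
        }

        // Keyword: bound value, with %, _ and \ escaped so the user cannot
        // inject wildcards. Two placeholders because PDO with native
        // prepares does not allow reusing one named placeholder.
        $kw = '%' . self::escapeLike((string)($post['key_word'] ?? '')) . '%';
        $where[] = 'title LIKE :kw1 AND body LIKE :kw2';
        $params[':kw1'] = $kw;
        $params[':kw2'] = $kw;

        $sql  = 'SELECT COUNT(*) FROM `cuu_produc` WHERE ' . implode(' AND ', $where);
        $stmt = $this->db->prepare($sql);
        $stmt->execute($params);
        return (int)$stmt->fetchColumn();
    }

    // Replacement for px(): the column name is accepted only if it is one of
    // our own literals; after that check interpolating it is safe.
    public function countByFlag(string $order): int
    {
        if (!in_array($order, self::ORDER_COLUMNS, true)) {
            throw new InvalidArgumentException('unknown order column');
        }
        $sql = $order === 'addtime'
            ? 'SELECT COUNT(*) FROM `cuu_produc`'
            : "SELECT COUNT(*) FROM `cuu_produc` WHERE `$order` = 1";
        return (int)$this->db->query($sql)->fetchColumn();
    }

    private static function escapeLike(string $s): string
    {
        // MySQL's default LIKE escape character is the backslash.
        return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
    }
}

// Usage with constructed connection details. The report's payload is now
// rejected by validation instead of reaching the database.
$db = new PDO('mysql:host=127.0.0.1;dbname=cuumall', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$search = new SafeProductSearch($db);
try {
    $search->countSearch(['pinpai' => '1 and 1=1', 'pr1' => '1', 'pr2' => '2', 'key_word' => '']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
try {
    $search->countByFlag('addtime; DROP TABLE x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Disabling emulated prepares matters here: with emulation on, PDO builds the query string client-side, whereas native prepares send parameters separately from the statement, so a value can never change the query's structure. Validating before binding is still worthwhile because it turns a silently wrong filter into a logged error.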
Proof of vulnerability: (none provided)
Fix recommendation: (none provided)
Vulnerability response
Vendor response:
Severity: Medium
Vulnerability Rank: 5
Confirmed: 2014-10-09 13:39
Vendor reply: Thanks
Latest status: None