当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-093146

漏洞标题:PHPB2B三处sql注入

相关厂商:phpb2b.com

漏洞作者: loopx9

提交时间:2015-01-28 10:59

修复时间:2015-04-28 11:00

公开时间:2015-04-28 11:00

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:8

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-28: 细节已通知厂商并且等待厂商处理中
2015-01-29: 厂商已经确认,细节仅向厂商公开
2015-02-01: 细节向第三方安全合作伙伴开放
2015-03-25: 细节向核心白帽子及相关领域专家公开
2015-04-04: 细节向普通白帽子公开
2015-04-14: 细节向实习白帽子公开
2015-04-28: 细节向公众公开

简要描述:

三处sql注射打包

详细说明:

\virtual-office\offer.php:

if (isset($_POST['del']) && !empty($_POST['tradeid'])) {
    $tRes = $trade->del($_POST['tradeid'], "member_id = ".$the_memberid);
    if($tRes) $pdb->Execute("DELETE from {$tb_prefix}tradefields WHERE member_id={$the_memberid} AND trade_id IN (".implode(",",$_POST['tradeid']).")");//注入1:没有过滤,也没有引号保护,直接进入sql语句
}
if(isset($_POST['refresh'])){
    if (!empty($_POST['refresh']) && !empty($_POST['tradeid'])) {
        $vals = array();
        $pre_submittime = $pdb->GetOne("select max(submit_time) from {$tb_prefix}trades where member_id=".$the_memberid);
        if ($pre_submittime>($time_stamp-$tMaxDay*86400)) {
            flash("allow_refresh_day");
        }
        $vals['submit_time'] = $time_stamp;
        $vals['expire_days'] = 10;
        $vals['expire_time'] = $time_stamp+(24*3600*$vals['expire_days']);
        $conditions[]= "status='1'";
        $ids = implode(",", $_POST['tradeid']);//注入2 ,同上
        $conditions[]= "id in (".$ids.")";
        $condition = implode(" AND ", $conditions);
        $sql = "update ".$trade->getTable()." set submit_time=".$time_stamp.",expire_days=10,expire_time=".$vals['expire_time']." where ".$condition;
        $result = $pdb->Execute($sql);
        if ($result) {
            flash("success");
        }else{
            flash("action_failed");
        }
    }
}

\virtual-office\link.php:

if (isset($_POST['delete'])) {
    $deleted = false;
    if (is_array($_POST['id'])) {  //注入3
        $ids = "(".implode(",", $_POST['id']).")"; //也没有引号保护
        $deleted = $pdb->Execute("DELETE FROM {$tb_prefix}spacelinks WHERE member_id={$the_memberid} AND id IN $ids");
        if($deleted){
            flash("success");
        }else{
            flash();
        }
    }else{
        flash("no_data_deleted");
    }
}

漏洞证明:

注册企业会员,发布供求信息,然后删除:

1.png


sql日志:

2.png


注入二:

3.png


sql日志:

4.png


第三处注入:
添加合作伙伴,然后删除:
http://localhost/phpb2b/virtual-office/link.php?do=edit

5.png


sql日志:

6.png

修复方案:

过滤。

版权声明:转载请注明来源 loopx9@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2015-01-29 10:20

厂商回复:

已确认,正在修复

最新状态:

暂无