### 简要描述:

CuuMall免费开源商城系统 sql多处注入

### 详细说明:

直接看代码，SearchAction.class.php(71-109)：

```php
public function Exsearch( ) {
    $pinpai = $_POST['pinpai'];
    $pr1 = $_POST['pr1'];
    $pr2 = $_POST['pr2'];
    $key_word = $_POST['key_word'];
    if ( $pinpai == 0 ) { $pinpai = ""; }
    if ( $pinpai != "" ) { $sql1 = "pinpai=".$pinpai." and "; } else { $sql1 = ""; }
    if ( $pr1 != "" ) { $sql2 = "memprice>".$pr1." and "; } else { $sql2 = ""; }
    if ( $pr2 != "" ) { $sql3 = "memprice<".$pr2." and "; } else { $sql3 = ""; }
    $title = c( "MALLTITLE" )."-".$key_word;
    $this->assign( "title", $title );
    $header = a( "Header" );
    $header->index( );
    $list = new Model( "produc" );
    import( "ORG.Util.Page" );
    $count = $list->where( $sql1.$sql2.$sql3."title like '%".$key_word."%' and body like '%".$key_word."%'" )->count( );
    $page = new Page( $count, 24 );
```

可以看到，这里的 `$pinpai`、`$pr1`、`$pr2` 都没有放在引号里，而是直接拼接进了 where 条件，没有做任何过滤或类型转换。

我们做一个测试：

url: http://192.168.10.70/cuumall_v2.3/v2.3/mall_upload/index.php/home/search/Exsearch

postdata: pinpai=1 and 1=1&pr1=1&pr2=2

访问之后抓取到的 SQL 语句：

```sql
SELECT COUNT(*) AS tp_count FROM `cuu_produc` WHERE pinpai=1 and 1=1 and memprice>1 and memprice<2 and title like '%%' and body like '%%' LIMIT 1
```

可以看到 `1=1` 完整地进入了 SQL 语句中间。

我们再看下一个，还是这个文件，135 行到 172 行：

```php
public function px( ) {
    $order = $_GET['order'];
    $title = c( "MALLTITLE" );
    $this->assign( "title", $title );
    $header = a( "Header" );
    $header->index( );
    $list = new Model( "produc" );
    import( "ORG.Util.Page" );
    if ( $order == "addtime" ) { $count = $list->count( ); } else { $count = $list->where( $order."=1" )->count( ); }
    $page = new Page( $count, 24 );
    $show = $page->show( );
    if ( $order == "addtime" ) { $pro = $list->order( $order." desc" )->limit( $page->firstRow.",".$page->listRows )->select( ); } else { $pro = $list->where( $order."=1" )->order( "addtime desc" )->limit( $page->firstRow.",".$page->listRows )->select( ); }
    $pro = $this->bakimg( $pro );
    $this->assign( "page", $show );
    $this->assign( "pro", $pro );
    $lm = new Model( "lanmu_one" );
    $d_lm = $lm->select( );
    $this->assign( "d_lm", $d_lm );
    $pp = $this->pinpai( );
    $this->assign( "pp", $pp );
    $this->display( "Home:searchlist" );
    $bu = new ButtomAction( );
    $bu->Index( );
```

可以看到 `$order = $_GET['order'];` 没有做任何处理，就直接用在了 `$count = $list->where( $order."=1" )->count( );` 中。原理相同，这里就不再演示了。

### 漏洞证明: