shopex注入漏洞#2

- AV AC AU C I A
发布: 2025-04-13
修订: 2025-04-13

### 简要描述: 又是sql注入漏洞 测试版本:shopex-singel-4.8.5.78660 ### 详细说明: 文件:\core\shop\controller\ctl.member.php ``` function delTrackMsg() { if(!empty($_POST['deltrack'])){ $oMsg = &$this->system->loadModel('resources/msgbox'); $oMsg->delTrackMsg($_POST['deltrack']); $this->splash('success', $this->system->mkUrl("member","track"), __('删除成功')); }else{ $this->splash('failed', $this->system->mkUrl("member","track"), __('删除失败: 没有选中任何记录!')); } } ``` 跟进$oMsg->delTrackMsg($_POST['deltrack']); 在文件:\core\model_v5\resources\mdl.msgbox.php ``` public function delTrackMsg( $aMsgId ) { foreach ( $aMsgId as $val ) { if ( $val ) { $aTmp[] = $val; } } if ( $aTmp ) { $this->db->exec( "DELETE FROM sdb_message WHERE msg_id IN (".implode( ",", $aTmp ).") AND del_status='1'" ); $this->db->exec( "UPDATE sdb_message SET del_status='2' WHERE msg_id IN (".implode( ",", $aTmp ).")" ); } return true; } ``` 出现在DELETE语句的sql注入纯粹是体力活,通过是否删除了message作为判断依据慢慢查吧 提交数据包;deltrack[1]=1) and (select count(*) from...

0%
暂无可用Exp或PoC
当前有0条受影响产品信息