iwebshop Blind injection

摘要

漏洞文件/controllers/seller.php还是一样的获取方式，跟入del看下继续跟入还是一样的漏洞原因,直接贴图

漏洞文件/controllers/seller.php

public function goods_del()         {                 //post数据             $id = IFilter::act(IReq::get('id'));               //生成goods对象             $goods = new goods_class();             $goods->seller_id = $this->seller['seller_id'];               if($id)                 {                         if(is_array($id))                         {                                 foreach($id as $key => $val)                                 {                                         $goods->del($val);                                 }                         }                         else                         {                                 $goods->del($id);                         }                 }                 $this->redirect("goods_list");         }

还是一样的获取方式，跟入del看下

public function del($goods_id) {         $goodsWhere = " id = {$goods_id} ";         if($this->seller_id)         {                 $goodsWhere .= " and seller_id = ".$this->seller_id;         }         //删除商品表         $tb_goods = new IModel('goods');         if(!$tb_goods ->del($goodsWhere))         {                 return;         } }

继续跟入

public function del($where) {         $where = (strtolower($where) == 'all') ? '' : ' WHERE '.$where;         $sql   = 'DELETE FROM '.$this->tableName.$where;         echo $sql;         return $this->db->query($sql); }

还是一样的漏洞原因,直接贴图

payload还是一弹的那个商铺可以权限可以采用爆破的方式或者通过xss