ShopEx ctl.passport.php SQL injection vulnerability analysis report - vulnerability warning - the black bar safety net

ID MYHACK58:62201340436
Type myhack58
Reporter Unknown
Modified 2013-09-06T00:00:00


This vulnerability has already been announced; I did this analysis inside the company and am just sharing the document.

The vulnerability's author is blue.

For the exploitability of the vulnerability, see:

Part of the code is Zend-encrypted and has to be decrypted before it can be analysed.

Black Knife download address: 045637737

The vulnerability is in the registration flow, in the file core\shop\controller\ctl.passport.php.

Line 223, the create function:

    function create() {
        $account = &$this->system->loadModel('member/account');   // load the account module
        $passport = &$this->system->loadModel('member/passport');
        // ...
        if( !$info = $account->create($_POST, $message) ) {
            // ...



The key point is $account->create($_POST, $message): the whole $_POST array is passed straight through, so this variable holds every field we POST. Following it further,

in core\model_v5\member\mdl.account.php

the registration data are written to the database.

See line 310, the create function.

    public function create( $data, &$message )
    {
        // ...
        getrefer( $data );
        $sql = $this->db->getInsertSQL( $rs, $data );
        // ...

The getrefer function is irrelevant here; follow getInsertSQL into the file core\include_v5\AloneDB.php:

    public function GetInsertSQL( &$rs, $data, $autoup = false )
    {
        if ( ! function_exists( "db_get_insert_sql" ) )
        {
            require( CORE_INCLUDE_DIR."/core/" );   // path truncated in the original write-up
        }
        return db_get_insert_sql( $this, $rs, $data, $autoup );
    }


It simply passes $data on to the db_get_insert_sql function; keep following that function.

In the file core\include_v5\db.class.php we find the following.

Here the data are walked with a foreach, and in the end an extra member_id that we POST is carried into the database as well.

    foreach ( $data as $key => $value )
    {
        $data[strtolower( $key )] = $value;   // every POST key is kept, lower-cased
    }


Continuing below:

    // $db and $tableName come from the function's parameters (elided above)
    $insertValues = array( );
    $col_count = mysql_num_fields( $rs['rs'] );
    $i = 0;
    for ( ; $i < $col_count; ++$i )
    {
        $column = mysql_fetch_field( $rs['rs'], $i );
        if ( isset( $data[$column->name] ) )
        {
            // any POST key that matches a column name is written, quoted by column type
            $insertValues[$column->name] = db_quotevalue( $db, $data[$column->name], $column->type );
        }
    }
    $strValue = implode( ",", $insertValues );
    $strFields = implode( ",", array_keys( $insertValues ) );
    mysql_field_seek( $rs['rs'], 0 );
    return "INSERT INTO ".$tableName." ( ".$strFields." ) VALUES ( ".$strValue." )";

The last line builds the statement that goes into the database, and that is where the injection arises.

So to exploit this, we need to POST an additional member_id at registration time, and that value can be injected. No exp is provided.
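As an added example, not code from the original post or from ShopEx: a Python model of the column-driven insert builder traced above, next to a hardened builder that allow-lists the registration fields and binds values as parameters. The table, column names and POST body are constructed for the demo (they are not ShopEx's real schema), and the quote-by-type step assumes, as the write-up implies, that numeric columns are emitted without quoting.

```python
import sqlite3

# Constructed stand-in for the shop's member table (assumption: illustrative
# column names and types, not ShopEx's real schema).
SCHEMA = """
CREATE TABLE sdb_members (
    member_id INTEGER PRIMARY KEY,
    uname     TEXT NOT NULL,
    passwd    TEXT NOT NULL,
    email     TEXT
)
"""

# Fields the registration form is meant to supply. The hardened builder
# refuses anything else; the vulnerable one never consults this list.
REGISTRATION_FIELDS = ("uname", "passwd", "email")


def table_columns(conn, table):
    """Return [(name, declared_type)], playing the role of mysql_fetch_field()."""
    return [(row[1], row[2].upper()) for row in conn.execute(f"PRAGMA table_info({table})")]


def quote_by_type(value, col_type):
    """Model of db_quotevalue(): text is quoted and escaped, numeric columns
    are concatenated verbatim with no validation (the assumed weak spot)."""
    if col_type in ("INTEGER", "INT", "REAL"):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def vulnerable_insert_sql(conn, table, data):
    """String builder in the style of db_get_insert_sql(): every POST key that
    happens to name a column is written, whatever the form intended."""
    data = {k.lower(): v for k, v in data.items()}          # the foreach over $data
    values = {}
    for name, col_type in table_columns(conn, table):       # the for over mysql_num_fields()
        if name in data:
            values[name] = quote_by_type(data[name], col_type)
    fields = ", ".join(values)
    vals = ", ".join(values.values())
    return f"INSERT INTO {table} ( {fields} ) VALUES ( {vals} )"


def hardened_insert(conn, table, data, allowed):
    """Allow-list the columns the form may set and bind values as parameters.
    Returns the new row id; raises ValueError on any unexpected key."""
    data = {k.lower(): v for k, v in data.items()}
    unexpected = sorted(set(data) - set(allowed))
    if unexpected:
        # A registration POST carrying columns the form never sends is worth logging.
        raise ValueError(f"unexpected registration fields: {unexpected}")
    cols = [c for c in allowed if c in data]
    placeholders = ", ".join("?" for _ in cols)
    sql = f"INSERT INTO {table} ( {', '.join(cols)} ) VALUES ( {placeholders} )"
    cur = conn.execute(sql, [data[c] for c in cols])
    return cur.lastrowid


def demo():
    """Run both builders over a constructed POST body that carries an extra member_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    post = {"uname": "alice", "passwd": "hash", "email": "a@example.invalid",
            "member_id": "not a number"}                    # constructed request body
    sql = vulnerable_insert_sql(conn, "sdb_members", post)  # extra key lands in the SQL unquoted
    try:
        hardened_insert(conn, "sdb_members", post, REGISTRATION_FIELDS)
        rejected = False
    except ValueError:
        rejected = True
    clean = {k: v for k, v in post.items() if k != "member_id"}
    rowid = hardened_insert(conn, "sdb_members", clean, REGISTRATION_FIELDS)
    return sql, rejected, rowid


if __name__ == "__main__":
    print(demo())
```

The vulnerable builder is the mass-assignment path the analysis follows from $_POST down to the INSERT: a key the form never sends is accepted because a column of that name exists, and for a numeric column its value is pasted into the statement as-is. The hardened builder turns an unexpected key into an error (a useful detection signal on the registration endpoint) and leaves quoting to the driver.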

To borrow a figure of speech from our Safekey team, we can poke around sneakily in other places too; as Big C said, there is no shortage of injections. Big C hammered ShopEx to death a while ago, and phpbug hammered phpcms v9 to death.


Solution: upgrade with the patch from the official site.