Shopex ctl.passport.php file SQL injection vulnerability analysis report - vulnerability warning - the black bar safety net

2013-09-06T00:00:00
ID MYHACK58:62201340436
Type myhack58
Reporter Unknown
Modified 2013-09-06T00:00:00

Description

This vulnerability has already been disclosed publicly; I did the analysis inside the company and am simply sharing the write-up.

The vulnerability was found by Blue.

For how exploitable the vulnerability is, see: http://www.cnseay.com/3339/

Part of the code is Zend-encrypted and has to be decrypted before it can be analysed.

Black Knife (the decrypter) download address:

Black knife download address:

http://pan.baidu.com/share/link?shareid=126998888&uk=4045637737

The vulnerability is in the registration flow, in the file core\shop\controller\ctl.passport.php.

Line 223, the create function:

    function create() {
        $account = &$this->system->loadModel('member/account');   // loads the account model
        $passport = &$this->system->loadModel('member/passport');
        // ......
        if( !$info = $account->create($_POST,$message) ) {        // the whole $_POST array goes in
            $this->splash('failed','back',$message,",",$_POST['from_minipassport']);
        }

The key point is that $account->create($_POST,$message) hands the raw $_POST array straight through, and that array is what gets saved, so every field we POST goes along with it. Follow it into

core\model_v5\member\mdl.account.php

which writes the registration data into the database.

See line 310, the create function.

    public function create( $data, &$message )
    {
        // ............
        getrefer( $data );
        $sql = $this->db->getInsertSQL( $rs, $data );

Ignore the getrefer function for now and follow getInsertSQL into the file core\include_v5\AloneDB.php:

    public function GetInsertSQL( &$rs, $data, $autoup = false )
    {
        if ( ! function_exists( "db_get_insert_sql" ) )
        {
            require( CORE_INCLUDE_DIR."/core/db.tools.php" );
        }
        return db_get_insert_sql( $this, $rs, $data, $autoup );   // $data passed on untouched
    }

It simply passes $data on to the db_get_insert_sql function, so keep following that function.

It is found in the file core\include_v5\db.class.php.

Here the keys are run through a foreach, and the upshot is that an extra member_id POSTed with the form also ends up being carried into the database.

    foreach ( $data as $key => $value )
    {
        $data[strtolower( $key )] = $value;   // keys are lower-cased, nothing is filtered out
    }

Continuing further down:

    $insertValues = array( );
    $col_count = mysql_num_fields( $rs['rs'] );
    $i = 0;
    for ( ; $i < $col_count; ++$i )
    {
        $column = mysql_fetch_field( $rs['rs'], $i );
        if ( isset( $data[$column->name] ) )      // any request key that names a table column is taken
        {
            $insertValues[$column->name] = db_quotevalue( $db, $data[$column->name], $column->type );
        }
    }
    $strValue = implode( ",", $insertValues );
    $strFields = implode( ",", array_keys( $insertValues ) );
    mysql_field_seek( $rs['rs'], 0 );
    return "INSERT INTO ".$tableName." ( ".$strFields." ) VALUES ( ".$strValue." )";

The last line is the INSERT that goes to the database, and that is where the injection arises.

So to exploit this you need to POST an extra member_id field at registration time, and injection becomes possible. No exp is provided here.
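The two passages above (the controller passing the whole $_POST array into the model, and db_get_insert_sql accepting any request key that names a table column) share one root cause: the client, not the code, decides which columns get written. The following is an added example, not ShopEx's code, that models that insert path in a few lines and puts a hardened version beside it. The column metadata, the table name "members", the allow-list of registration fields and the by-type value formatting are all constructed assumptions so the script runs without a database.

```php
<?php
// Added example, not ShopEx's own code: a self-contained model of the insert
// path described in the write-up (raw request array handed to a builder that
// accepts every key matching a table column), next to a hardened version that
// allow-lists fields and emits placeholders for a prepared statement.
declare(strict_types=1);

// Constructed stand-in for the mysql_fetch_field() loop: member-table column
// names and a coarse type. The real table has more columns; these suffice.
const MEMBER_COLUMNS = [
    'member_id' => 'int',
    'uname'     => 'string',
    'email'     => 'string',
];

// Fields the registration form is meant to supply (an assumption for the demo;
// the write-up only tells us member_id is the one that must NOT get through).
const REGISTRATION_FIELDS = ['uname', 'email'];

// Shape of the page's db_get_insert_sql(): lower-case every request key, then
// take any key that names a column. Formatting values by column type is a
// simplified assumption standing in for db_quotevalue(). This is deliberately
// the vulnerable 'before': the request decides which columns are written.
function buildInsertUnsafe(array $data, array $columns, string $table): string
{
    $lower = [];
    foreach ($data as $key => $value) {
        $lower[strtolower((string) $key)] = $value;
    }
    $values = [];
    foreach ($columns as $name => $type) {
        if (isset($lower[$name])) {
            $values[$name] = $type === 'int'
                ? (string) $lower[$name]
                : "'" . addslashes((string) $lower[$name]) . "'";
        }
    }
    return "INSERT INTO $table ( " . implode(',', array_keys($values))
         . " ) VALUES ( " . implode(',', $values) . " )";
}

// Hardened counterpart: only allow-listed fields reach the statement, values
// travel as bound parameters, and every dropped key is reported so the caller
// can log it (an extra member_id on a registration POST is worth an alert).
function buildInsertSafe(array $data, array $allowed, string $table): array
{
    $lower   = array_change_key_case($data, CASE_LOWER);
    $ignored = array_values(array_diff(array_keys($lower), $allowed));
    $cols    = array_values(array_intersect($allowed, array_keys($lower)));
    $params  = [];
    foreach ($cols as $col) {
        $params[':' . $col] = $lower[$col];
    }
    $placeholders = array_map(static fn (string $c): string => ':' . $c, $cols);
    $sql = "INSERT INTO $table ( " . implode(',', $cols)
         . " ) VALUES ( " . implode(',', $placeholders) . " )";
    return ['sql' => $sql, 'params' => $params, 'ignored' => $ignored];
}

// Constructed registration request: the expected fields plus the extra
// member_id key the write-up says is carried into the INSERT.
$request = ['uname' => 'alice', 'email' => 'alice@example.com', 'Member_ID' => '1'];

echo buildInsertUnsafe($request, MEMBER_COLUMNS, 'members'), PHP_EOL;
// member_id shows up in the column list: the client picked a column to write.

$safe = buildInsertSafe($request, REGISTRATION_FIELDS, 'members');
echo $safe['sql'], PHP_EOL;                                  // :uname, :email only
echo 'ignored: ', implode(',', $safe['ignored']), PHP_EOL;   // member_id
// With a real PDO handle: $pdo->prepare($safe['sql'])->execute($safe['params']);
```

The same allow-listing belongs at the controller as well: building an explicit array of the registration fields and passing that to $account->create() instead of $_POST closes the path before it reaches the query builder, and logging the ignored keys gives a cheap detection signal for anyone probing the registration form with unexpected fields.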

To borrow a picture from a member of our Safekey team: we can speculate about other spots too. As Big C put it, there is no shortage of injections; Big C spent a while grinding on shopex, and phpbug is grinding on phpcms v9.


Solution: upgrade with the official patch: http://bbs.shopex.cn/read.php?tid-303282.html