PHPSHE电商程序SQL注入4

2013-12-25T00:00:00
ID SSV:94721
Type seebug
Reporter Root
Modified 2013-12-25T00:00:00

Description

简要描述:

PHPSHE电商程序SQL注入漏洞#4

详细说明:

在删除购物车商品时,参数未过滤直接带入sql语句执行,导致SQL注入。 在/module/index/order.php文件:

//#####################@ 购物车商品删除 @#####################// case 'cartdel': $money['order_productmoney'] = $money['order_wlmoney'] = $money['order_money'] = 0; if (pe_login('user')) { $result = $db->pe_delete('cart', array('user_id'=>$_s_user_id, 'product_id'=>$_g_product_id));//漏洞存在这里 } else { $cart_list = unserialize($_c_cart_list); unset($cart_list[$_g_product_id]); $result = is_array($cart_list[$_g_product_id]) ? false : true; setcookie('cart_list', serialize($cart_list), 0, '/'); } $cart_info = cart_info($cart_list); echo json_encode(array('result'=>$result, 'money'=>$cart_info['money'])); break;

Pe_delect函数/include/class/db.class.php如下:

public function pe_delete($table, $where = '') { //处理条件语句 $sqlwhere = $this->_dowhere($where); return $this->sql_delete("delete from `".dbpre."{$table}` {$sqlwhere}"); } protected function _dowhere($where) { if (is_array($where)) { foreach ($where as $k => $v) { if (is_array($v)) { $where_arr[] = "`{$k}` in('".implode("','", $v)."')"; } else { in_array($k, array('order by', 'group by')) ? ($sqlby = " {$k} {$v}") : ($where_arr[] = "`{$k}` = '{$v}'"); } } $sqlwhere = is_array($where_arr) ? 'where '.implode($where_arr, ' and ').$sqlby : $sqlby; } else { $where && $sqlwhere = (stripos(trim($where), 'order by') === 0 or stripos(trim($where), 'group by') === 0) ? "{$where}" : "where 1 {$where}"; } return $sqlwhere; } public function sql_delete($sql) { $this->query($sql); $result = mysql_affected_rows(); return $result > 0 ? $result : 0; }

参数$_g_product_id没有过滤直接进入delete语句中导致sql注入。

漏洞证明:

我们来删除购物车中的商品,在product_id参数处,加入错误的sql语句:

<img src="https://images.seebug.org/upload/201312/2422000467fd8a410c0388cf1d5917c178a73ae7.png" alt="3.png" width="600" onerror="javascript:errimg(this);">

我们的sql语句带入执行了,条件不成立,result返回为0,删除失败。

<img src="https://images.seebug.org/upload/201312/24220016948379039a3db2f05ec62bd2dd77556b.png" alt="4.png" width="600" onerror="javascript:errimg(this);">

输入正确的sql语句,条件成了,删除成功,然会为1.