当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-046319

漏洞标题:易想团购开源版#sql注入01

相关厂商:易想团购系统

漏洞作者: m1x7e1

提交时间:2013-12-18 11:48

修复时间:2014-03-18 11:49

公开时间:2014-03-18 11:49

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:14

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-12-18: 积极联系厂商并且等待厂商认领中,细节不对外公开
2014-03-18: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

易想团购#sql注入

详细说明:

http://127.0.0.1/easethink/message.php?act=

if($_REQUEST['act'] == 'add')
{
if(!$user_info)
{
showErr($GLOBALS['lang']['PLEASE_LOGIN_FIRST']);
}
if($_REQUEST['content']=='')
{
showErr($GLOBALS['lang']['MESSAGE_CONTENT_EMPTY']);
}
if(!check_ipop_limit(get_client_ip(),"message",intval(app_conf("SUBMIT_DELAY")),0))
{
showErr($GLOBALS['lang']['MESSAGE_SUBMIT_FAST']);
}

$rel_table = $_REQUEST['rel_table'];
$message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");
if(!$message_type)
{
showErr($GLOBALS['lang']['INVALID_MESSAGE_TYPE']);
}

$message_group = $_REQUEST['message_group'];
//添加留言
$message['title'] = htmlspecialchars(addslashes($_REQUEST['content']));
$message['content'] = htmlspecialchars(addslashes($_REQUEST['content']));
if($message_group)
{
$message['title']="[".$message_group."]:".$message['title'];
$message['content']="[".$message_group."]:".$message['content'];
}

$message['create_time'] = get_gmtime();
$message['rel_table'] = $rel_table;
$message['rel_id'] = $_REQUEST['rel_id'];
$message['user_id'] = intval($GLOBALS['user_info']['id']);
$message['city_id'] = $deal_city['id'];
if(app_conf("USER_MESSAGE_AUTO_EFFECT")==0)
{
$message_effect = 0;
}
else
{
$message_effect = $message_type['is_effect'];
}
$message['is_effect'] = $message_effect;

$GLOBALS['db']->autoExecute(DB_PREFIX."message",$message);
showSuccess($GLOBALS['lang']['MESSAGE_POST_SUCCESS']);

}
else
{
$rel_table = $_REQUEST['act'];
$message_type = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."message_type where type_name='".$rel_table."'");


参数act 未做过滤导致直接带入数据库查询。导致注入。

easethinksql.jpg


漏洞证明:

easethinksql.jpg

修复方案:

过滤

版权声明:转载请注明来源 m1x7e1@乌云


漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝


漏洞评价:

评论