当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-092924

漏洞标题:LebiShop商城系统最新版SQL注入五

相关厂商:www.lebi.cn

漏洞作者: xfkxfk

提交时间:2015-01-23 15:34

修复时间:2015-04-23 15:36

公开时间:2015-04-23 15:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-01-23: 细节已通知厂商并且等待厂商处理中
2015-01-26: 厂商已经确认,细节仅向厂商公开
2015-01-29: 细节向第三方安全合作伙伴开放
2015-03-22: 细节向核心白帽子及相关领域专家公开
2015-04-01: 细节向普通白帽子公开
2015-04-11: 细节向实习白帽子公开
2015-04-23: 细节向公众公开

简要描述:

LebiShop商城系统最新版SQL注入五

详细说明:

LebiShop商城系统最新版SQL注入一处
文件Shop.supplier.Ajax.Ajax_product

// Shop.supplier.Ajax.Ajax_product
public void Product_Batch_Price_Update()
{
	if (!base.Power("supplier_product_batch_price", "批量调价"))
	{
		base.AjaxNoPower();
		return;
	}
	string step = RequestTool.RequestString("step");
	string dateFrom = RequestTool.RequestString("dateFrom");
	string dateTo = RequestTool.RequestString("dateTo");
	string Pro_Type_id = RequestTool.RequestString("Pro_Type_id");
	int brand = RequestTool.RequestInt("brand", 0);
	int tag = RequestTool.RequestInt("tag", 0);
	int price_markettype = RequestTool.RequestInt("price_markettype", 0);
	int price_marketvalue = RequestTool.RequestInt("price_marketvalue", 0);
	int price_marketadd = RequestTool.RequestInt("price_marketadd", 0);
	int price_costtype = RequestTool.RequestInt("price_costtype", 0);
	int price_costvalue = RequestTool.RequestInt("price_costvalue", 0);
	int price_costadd = RequestTool.RequestInt("price_costadd", 0);
	int pricetype = RequestTool.RequestInt("pricetype", 0);
	int pricevalue = RequestTool.RequestInt("pricevalue", 0);
	int priceadd = RequestTool.RequestInt("priceadd", 0);
	int addtype = RequestTool.RequestInt("addtype", 0);
	int addvalue = RequestTool.RequestInt("addvalue", 0);
	int reducetype = RequestTool.RequestInt("reducetype", 0);
	int reducevalue = RequestTool.RequestInt("reducevalue", 0);
	string mes = "";
	string where = "1=1";
	if (dateFrom != "" && dateTo != "")
	{
		string text = where;
		where = string.Concat(new string[]
		{
			text,
			" and (datediff(d,Time_Add,'",
			dateFrom,
			"')<=0 and datediff(d,Time_Add,'",
			dateTo,
			"')>=0)"
		});
		string text2 = mes;
		mes = string.Concat(new string[]
		{
			text2,
			"上架日期",
			dateFrom,
			"-",
			dateTo,
			";"
		});
	}
	if (Pro_Type_id != "")
	{
		where = where + " and Pro_Type_id in (" + EX_Product.Categoryid(Pro_Type_id) + ")";
		mes = mes + "商品分类" + Pro_Type_id + ";";
	}


参数Pro_Type_id通过RequestTool.RequestString("Pro_Type_id")获取
在RequestTool.RequestString方法中只进行了单引号的转换

// Shop.Tools.RequestTool
public static string RequestString(string nKey, string def)
{
	string ojb = HttpContext.Current.Request.QueryString[nKey];
	if (ojb != null)
	{
		return StringTool.InjectFiltrate(ojb.Trim());
	}
	ojb = HttpContext.Current.Request.Form[nKey];
	if (ojb != null)
	{
		return StringTool.InjectFiltrate(ojb.Trim());
	}
	return def;
}
// Shop.Tools.StringTool
public static string InjectFiltrate(string str)
{
	if (!StringTool.IsSafeSqlString(str))
	{
		str = str.Replace("'", "&#180;");
	}
	return str;
}


然后Pro_Type_id进入了EX_Product.Categoryid方法,跟进

// Shop.Bussiness.EX_Product
public static string Categoryid(string id)
{
	string str = id.ToString();
	List<Lebi_Pro_Type> ts = B_Lebi_Pro_Type.GetList("Parentid=" + id + " and IsShow = 1", "Sort desc");
	foreach (Lebi_Pro_Type t in ts)
	{
		str = str + "," + EX_Product.Categoryid(string.Concat(t.id));
	}
	return str;
}


然后Pro_Type_id最后进入了B_Lebi_Pro_Type.GetList方法,且没有使用单引号保护

漏洞证明:

官方demo演示
报出当前数据库

http://plus.demo.lebi.cn/supplier/ajax/ajax_product.aspx?__Action=Product_Batch_Price_Update&url=/
Pro_Type_id=db_name()


1.png


报出servername,服务器主机名

2.png


sqlmap即可跑出数据

修复方案:

使用RequestTool.RequestInt或者添加单引号保护变量

版权声明:转载请注明来源 xfkxfk@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:20

确认时间:2015-01-26 15:10

厂商回复:

已统一修复SQL漏洞,感谢

最新状态:

暂无

漏洞评价:

评论