Iwebshow.7.7 0day and repair

The vulnerability lies in the root directory of auction_list.php, row 77th-row 86:

/* Browsing records */
$ Getcookie = get_hisgoods_cookie ();
$ Goodshistory = array ();
If ($ getcookie ){
Arsort ($ getcookie );
$ Getcookie = array_keys ($ getcookie );
$ Gethisgoodsid = implode (",", array_slice ($ getcookie, 0, 4 ));
$ SQL = "select is_set_image, goods_id, goods_name, goods_thumb, goods_price from $ t_goods where goods_id in ($ gethisgoodsid )";
$ Goodshistory = $ dbo-> getRs ($ SQL );
}

$ Gethisgoodsid: this parameter is included in the query without filtering. It is obtained by $ getcookie. Follow the variable $ getcookie. That is, the get_hisgoods_cookie () function.

In foundation/fcookie. php:

Function get_hisgoods_cookie (){
Return get_cookie ("hisgoods ");
}

The same is for foundation/fcookie. php:

Function get_cookie ($ k ){
Lobal $ session_prefix;
If (isset ($ _ COOKIE [$ session_prefix. $ k]) return $ _ COOKIE [$ session_prefix. $ k];
Return null;
}

The variable is obtained in the COOKIE. This vulnerability is generated.

Test method:

First, you can view a product at will, and then access http: // localhost/auction_list.php. when using the cookies browser, you will find a project similar to "iweb_hisgoods [22 (This number is the id of the item you visited)] = 1282282762. first, add a single quotation mark after "22" to make it violent and wrong to get the data table prefix. then change "22" to "22) and 1% 3D2 union select 1, admin_password, admin_name, from ishop_admin_user --" (ishop _ is the prefix you just obtained, "--" must be followed by a space ). visit http: // localhost/auction_list.php and check the latest viewing in the lower right corner to obtain the Administrator account and password.

Solution:

Filter $ gethisgoodsid.