SHOPEX Exposure SQL injection site "Drag library" threat

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Recently, clouds leak platform to say ShopEx4.8.5 version of the existence of SQL Injection Vulnerability (http://www.wooyun.org/bugs/wooyun-2010-08597), hackers use this vulnerability can obtain webmaster password, and then control Web server, Steal user account password (also known as "Drag Library"). 360 Web site security detection platform found that the vast majority of Shopex site users have this loophole, mainly for E-commerce category shop.

360 Website Security Inspection Platform Service website: http://webscan.360.cn

Shopex is the highest market share of the shop software, a number of well-known shopping malls, distribution sites, as well as brand mall are using Shopex to build stations and management. SQL injection is the most common site high-risk vulnerabilities, before CSDN and other web site leaks are mostly related to SQL injection vulnerabilities. Hackers use Shopex vulnerabilities to obtain the Administrator MD5 password, can be collision to get the original password, crack success rate is generally more than 95%.

360 Web site security detection platform analysis, the core function that leads to shopexsql injection vulnerability is: coremodel_v5tradingmdl.goods.php (Figure 1)

Figure 1: Core functions that cause SQL injection vulnerabilities in Shopex

Figure 2: The function is called

(Figure 2) The functions in the coreshopcontrollerctl.product.php file are called.

Because the vulnerability affects a large number of users, and the site is more harmful, so the 360 security detection platform in the first time to its users sent a warning message, and recommended that all use Shopex users to download the installation of the official immediately provided by the patch to repair, and regularly use 360 security testing services at any time to control the

Shopex official Patch Download Address: http://bbs.shopex.cn/read.php?tid-269636.html

About 360 website security Inspection Platform (service URL: http://webscan.360.cn)

360 Site security Testing platform is the first set of Web site vulnerability detection, website hanging horse monitoring, web site tampering monitoring in one of the free testing platform, with a comprehensive web site vulnerabilities and honeypot cluster detection system, can be the first time to assist the site detection repair loopholes. 2011, 360 site Security monitoring platform has collaborated with 360 group buying navigation, for the domestic hundreds of mainstream group buying website provides free website flaw detection service and provides the repair suggestion, enhances the group buying website overall security level.