2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Preface
Recently I took a look at tpshop and audited several low-value ("chicken rib") vulnerabilities; this SQL injection vulnerability is one of them. After the audit I searched the Internet and found that there are a lot of SQL injection vulnerabilities in the admin backend. I suppose they think SQL injection in the backend does not need fixing (my personal understanding).
Vulnerability trigger point
First of all, you have to be logged in to the admin backend, which is why I say this vulnerability is of little value.
The vulnerability lies in the search function under "Article -> Article list" in the mall section of the admin backend.
Capture the request. The vulnerable parameter is keywords.
When the payload ' or length(database())=10)# is entered, the page returns 0 articles.
When the payload ' or length(database())=9)# is entered, the page returns a total of 33 articles (there are 33 in total; the database name is tpshop2.0).
So database information can be extracted through boolean-based blind injection. Time-based injection would of course work too, but I prefer not to use delays when I can avoid them.
Cause of the vulnerability: code analysis
Looking at the code, the reason is simple: the where clause is built by direct string concatenation, and the query results are returned to the page.
Application/admin/controller/Article.php:56
$keywords = trim(I('keywords'));
// user input is spliced straight into the where string
$keywords && $where .= " and title like '%$keywords%' ";
$cat_id = I('cat_id', 0);
$cat_id && $where .= " and cat_id = $cat_id ";
$res = $Article->where($where)->order('article_id desc')->page(/* paging arguments omitted */)->select();
$count = $Article->where($where)->count(); // total number of records matching the query
$pager = new Page($count, $size); // instantiate the paging class with the total record count and the number of records per page
// $page = $pager->show(); // paging display output
$ArticleCat = new ArticleCatLogic();
$cats = $ArticleCat->article_cat_list(0, 0, false);
if ($res) {
    foreach ($res as $val) {
        $val['category'] = $cats[$val['cat_id']]['cat_name'];
        $val['add_time'] = date('Y-m-d H:i:s', $val['add_time']);
        $list[] = $val;
    }
}
$this->assign('cats', $cats);
$this->assign('cat_id', $cat_id);
$this->assign('list', $list); // assign the data set
$this->assign('pager', $pager); // assign the paging output
return $this->fetch('articleList');
The final SQL statement executed is:
Other
I use = in the payload because > in the input is filtered and escaped.
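The spliced where clause analysed above, rewritten with bound parameters. This is an added example, not tpshop's own code or fix: the functions likePattern and countArticles are hypothetical, the article table and its rows are constructed, and in-memory SQLite (PHP's pdo_sqlite extension) stands in for the shop's MySQL database.

```php
<?php
// Added example, not tpshop code. Table layout and rows are constructed;
// in-memory SQLite stands in for the shop's MySQL database.

// Escape LIKE wildcards so the keyword only ever matches literally.
function likePattern(string $keywords): string
{
    return '%' . strtr($keywords, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
}

// Count matching articles using bound parameters instead of string splicing.
function countArticles(PDO $db, string $keywords, $catId): int
{
    $sql = 'SELECT COUNT(*) FROM article WHERE 1 = 1';
    $params = [];
    $keywords = trim($keywords);
    if ($keywords !== '') {
        $sql .= " AND title LIKE :kw ESCAPE '!'";
        $params[':kw'] = likePattern($keywords);
    }
    // cat_id must be a positive integer; anything else is dropped from the filter.
    $catId = filter_var($catId, FILTER_VALIDATE_INT);
    if ($catId !== false && $catId > 0) {
        $sql .= ' AND cat_id = :cat';
        $params[':cat'] = $catId;
    }
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (article_id INTEGER PRIMARY KEY, cat_id INTEGER, title TEXT)');
$db->exec("INSERT INTO article (cat_id, title) VALUES
    (1, 'Shipping policy'), (1, 'Returns'), (2, '100% cotton')");

// The keyword from the article is now only a title substring to search for.
printf("payload keyword: %d\n", countArticles($db, "' or length(database())=9)#", 0));
printf("normal keyword:  %d\n", countArticles($db, 'policy', 1));
printf("literal percent: %d\n", countArticles($db, '100%', 0));
printf("bad cat_id:      %d\n", countArticles($db, '', '1abc'));
```

Because the keyword reaches the database only as a bound value, the quote and the trailing )# never become part of the SQL text, so the article count no longer depends on the condition inside the payload.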