iwebshop Blind injection

漏洞文件\controllers\seller.php

public function goods_del()
        {
                //post数据
            $id = IFilter::act(IReq::get('id'));
 
            //生成goods对象
            $goods = new goods_class();
            $goods->seller_id = $this->seller['seller_id'];
 
            if($id)
                {
                        if(is_array($id))
                        {
                                foreach($id as $key => $val)
                                {
                                        $goods->del($val);
                                }
                        }
                        else
                        {
                                $goods->del($id);
                        }
                }
                $this->redirect("goods_list");
        }

还是一样的获取方式,跟入del看下

public function del($goods_id)
{
        $goodsWhere = " id = {$goods_id} ";
        if($this->seller_id)
        {
                $goodsWhere .= " and seller_id = ".$this->seller_id;
        }
        //删除商品表
        $tb_goods = new IModel('goods');
        if(!$tb_goods ->del($goodsWhere))
        {
                return;
        }
}

继续跟入

public function del($where)
{
        $where = (strtolower($where) == 'all') ? '' : ' WHERE '.$where;
        $sql   = 'DELETE FROM '.$this->tableName.$where;
        echo $sql;
        return $this->db->query($sql);
}

还是一样的漏洞原因,直接贴图
0

1

2

3

payload还是一弹的那个商铺可以权限可以采用爆破的方式或者通过xss

发表评论