Fix SQL injection vulnerability #237
Conversation
No wonder an administrator account was injected a couple of days ago; the face-to-face payment (当面付) key was secretly changed and I suffered a small loss.
Other users, please check your own t_admin_user and t_admin_login_log tables.
Cannot reproduce.

Successfully reproduced.

Could an expert share an exp?
Attack demonstration: see the screenshot.

The vulnerability has been fixed; could you post an exp or the logs so we can learn from it?

The patch was only just released and the impact is significant. I will consider publishing it later.

Are there any related logs that could be provided for research?
zfaka is truly conscientious software, thumbs up!
After upgrading, Alipay payment collection reports an error!

This problem has no connection to this fix. If you are really sure it is related to this fix, I suggest you revert the fix and try again.
I am not the only one having this problem. Out of 5 Alipay payments, 2 show the QR code and 3 report an error; many sites have this problem, so it should not be my VPS, and I also upgraded cURL and it still does not work. I contacted Alipay and it is not Alipay's problem either. It is probably a widespread problem. After testing, it appears to be a network problem. China Telecom's 163
In zfaka version 1.4.3, application/modules/product/admin/Controllers/product/imgurlajax.php involves a SQL injection vulnerability. Found the following paragraph. PDO is the default configuration, and stacked injection immediately comes to mind.

After testing, the OrderID is user-controllable. A global search for OrderID shows that OrderID is processed into a pure string by the function method, so there is no room for injection, and we choose another way. It is found that the IP parameter is also user-controllable, and no processing is done before calling the select method. The IP parameter calls the getclientip method. Let's follow the getclientip method. It is easy to understand that it obtains the client IP from the common HTTP headers. However, I am very glad that the IP parameter is not processed at all. We can implement stacked injection by constructing an XFF header.

Because of the CSRF_token verification, we must enter an arbitrary order number on the order query page and then enter the correct verification code; only then is the query valid. Then the XFF header is manually constructed for stacked injection against PDO. Because the PDO query is closed with double quotation marks and this is stacked injection without echo, the payload structure is X-FORWARDED-For: 1'; select sleep(5)# and the injection was successful after a delay of 5 s.

For this stacked injection without echo, blind injection is too slow, and using DNSlog OOB is also too slow, so we choose to construct an insert statement to add a background administrator, using a prepared statement. Successfully added a background account with user name test@test.test, password 123456.
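The root cause described above is an unvalidated client IP, taken from a request header, being concatenated into a PDO query. The following is an added example of the hardened pattern and is not zfaka's own code: the table name `t_order`, the column names and the function names are assumptions. It validates the IP before use and binds it as a parameter, so even the payload quoted above cannot become SQL.

```php
<?php
// Added example (not zfaka's code). Assumed names: t_order, orderid, ip.

// Return a syntactically valid client IP. X-Forwarded-For is attacker-controlled,
// so its value is only used if it parses as an IP; otherwise fall back to REMOTE_ADDR.
function getTrustedClientIp(array $server): string
{
    $candidates = [];
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Leftmost hop is the original client when a trusted proxy set the header.
        $candidates[] = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    $candidates[] = $server['REMOTE_ADDR'] ?? '';

    foreach ($candidates as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            return $ip;
        }
    }
    return '0.0.0.0'; // assumed sentinel when nothing validates
}

// Look up orders by IP with a bound parameter: the value is sent as data, never as SQL.
function findOrdersByIp(PDO $db, string $ip): array
{
    $stmt = $db->prepare('SELECT orderid FROM t_order WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // On MySQL, additionally set PDO::ATTR_EMULATE_PREPARES => false and
    // PDO::MYSQL_ATTR_MULTI_STATEMENTS => false so a stacked "...; INSERT ..."
    // cannot execute even through a mistakenly concatenated query() call.
]);
$db->exec('CREATE TABLE t_order (orderid TEXT, ip TEXT)');
$db->exec("INSERT INTO t_order VALUES ('A1', '203.0.113.5')");

// Constructed hostile request: the XFF payload from the report plus a real REMOTE_ADDR.
$hostile = [
    'HTTP_X_FORWARDED_FOR' => "1'; select sleep(5)#",
    'REMOTE_ADDR'          => '203.0.113.5',
];
$ip = getTrustedClientIp($hostile);   // header rejected, REMOTE_ADDR used instead
var_dump($ip, findOrdersByIp($db, $ip));
```

Validation alone is not the fix: the bound parameter is what removes the injection, and the validation step additionally stops garbage from being stored in the logging tables the thread asks users to inspect.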
Fix SQL injection vulnerability caused by an unvalidated IP address