[PHP知识库]『PHP代码审计』SEMCMS外贸网站商城系统SCSHOP_v1.2存在SQL注入漏洞

前言

作者：Ho1aAs

博客：https://blog.csdn.net/xxy605

一、漏洞演示

进入后台-博客管理-任意选中、删除一项，抓包

POST /wgNecC_AQV/Ant_Inc.php?action=Clear&sort=info&lgid=1 HTTP/1.1
Host: testcms.com
Content-Length: 12
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://testcms.com
Referer: http://testcms.com/wgNecC_AQV/Ant_Info.php?type=B
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_e2ecc5a8268ea1a4c9862ec7b4ee5b11=1620953819,1620955324,1620955893,1620958111; XDEBUG_SESSION=PHPSTORM; PHPSESSID=l0g9gvv6dcr9q2q2iod65fs2k7; PHPSESSID=l0g9gvv6dcr9q2q2iod65fs2k7
Connection: close

DID%5B%5D=17

POST参数DID[]存在注入

二、漏洞分析

访问Ant_Inc.php，它包含了Ant_Resonse.php

include_once 'Ant_Function.php';
include_once 'Ant_Config.php';
include_once 'Ant_Response.php';

访问Ant_Resonse.php，删除调用了以下函数

elseif($action=="Clear"){//删除

	if ($table=="sc_categories") { // 产品分类

	    if (($Ant->AntDelCat($table,$sortID,$db_conn))===true){ //分类通过路径删除所有相关的目录
			echo "删除成功";
	    }else{
	    	echo "删除失败";
	    }
	    #code.... 相关产品也要进行操作

	}elseif($table=="sc_products" || $table=="sc_info" || $table=="sc_country" || $table=="sc_express" || $table=="sc_delivery" || $table=="sc_currency" || $table=="sc_pay"  || $table=="sc_coupon" || $table=="sc_banner" || $table=="sc_menu" || $table=="sc_link" || $table=="sc_download" || $table=="sc_email" || $table=="sc_mailtemplate" || $table=="sc_mulu" || $table=="sc_user" || $table=="sc_language" || $table=="sc_order"|| $table=="sc_member" ||  $table=="sc_address" || $table=="sc_msg"){ //产品删除

 	    if(empty($DID)){

 	    	echo 'err';

 	    }else{
 	    	$sortID=implode(",",$DID);

		    	if ($table=="sc_delivery"){ //删除国家区域对应的配送方式ID
			    	$exid=@$_GET['exid'];
			    	$CountryID=RecountryID($sortID,$db_conn);
			    	$db_conn->query("UPDATE sc_country SET expressid=replace(expressid,',$exid,',',') where ID in($CountryID)"); 
		    	}

		    if (($Ant->AntDel($table,$sortID,$db_conn))===true){
				echo "删除成功";
		    }else{
		    	echo "删除失败";
		    }			
      }
	}else{
		 
	    if (($Ant->AntDelother($table,$sortID,$db_conn))===true){
			echo "删除成功";
	    }else{
	    	echo "删除失败";
	    }		
	}

重点在于$Ant->AntDel($table,$sortID,$db_conn),追一下函数在Ant_Class.php

public function AntDel($table,$id,$db){// 删          
            if($db->query("DELETE FROM  $table WHERE ID in ($id)")){
                  return true;
                }else{
                  return false;
                }
            }

直接拼接删除，没有任何过滤，因此造成注入漏洞

三、利用

无过滤布尔盲注、时间盲注

完