SQL injection vulnerability in a shop system's admin panel

Foreword

Recently I took a look at tpshop and audited a few minor vulnerabilities; this SQL injection is one of them. After finishing the audit I searched online and found a whole batch of admin-panel SQL injection vulnerabilities already reported, so it seems the admin-panel SQL injections simply are not being fixed (which I personally can understand).

Vulnerability trigger point

You must first be logged in to the admin panel, which is why I call this a rather sad vulnerability.
The vulnerability is located in the mall admin panel under Article > Article list > Search.
Capturing the request shows that the vulnerable parameter is keywords. With the payload
' or length(database())=10)#, the page returns 0 records;

with the payload ' or length(database())=9)#, the page returns 33 articles in total (the database name is tpshop2.0, nine characters).

So database information can be extracted through Boolean-based injection. Time-based injection is of course also possible, but I did not want to hold people up with delays.

Cause of the vulnerability: code analysis

Analysing the code, the cause is very simple: the where condition is built by direct string concatenation, and the query result is returned to the page.
application/admin/controller/Article.php:56

    // Fragment of the article list action; $where, $p, $size and $Article are set earlier in the method.
    $keywords = trim(I('keywords'));
    // user input spliced straight into the SQL condition string: this is the injection point
    $keywords && $where.=" and title like '%$keywords%' ";
    $cat_id = I('cat_id',0);
    $cat_id && $where.=" and cat_id = $cat_id ";
    // the raw condition string is passed to the model and executed, then the result is shown on the page
    $res = $Article->where($where)->order('article_id desc')->page("$p,$size")->select();
    $count = $Article->where($where)->count();// query the total number of matching records
    $pager = new Page($count,$size);// instantiate the pagination class with the total count and records per page
    //$page = $pager->show();// pagination display output

    $ArticleCat = new ArticleCatLogic();
    $cats = $ArticleCat->article_cat_list(0,0,false);
    if($res){
        foreach ($res as $val){
            $val['category'] = $cats[$val['cat_id']]['cat_name'];
            $val['add_time'] = date('Y-m-d H:i:s',$val['add_time']);
            $list[] = $val;
        }
    }
    $this->assign('cats',$cats);
    $this->assign('cat_id',$cat_id);
    $this->assign('list',$list);// assign the data set
    $this->assign('pager',$pager);// assign the pagination output
    return $this->fetch('articleList');

The final SQL statement is shown as a screenshot in the original post: the keyword is concatenated directly into the WHERE clause.

Other notes

I used = in the payload because the input is filtered: > and < are escaped, so a payload using the greater-than sign cannot be executed as SQL directly and the query throws an error.
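As an added example (not tpshop's own code), the following PHP reproduces the concatenation pattern from the controller above and puts a bound-parameter version of the same filter next to it. It assumes a table named article, a base condition of 1=1, and uses PDO with an in-memory SQLite database in place of tpshop's ThinkPHP model; the sample rows are constructed.

```php
<?php
// Added example, not tpshop's own code. Reproduces the string splicing from
// application/admin/controller/Article.php and contrasts it with a bound-parameter query.
// Table name "article" and the "1=1" base condition are assumptions.

// Vulnerable form: the keyword is spliced straight into the WHERE string, so the quote
// in the page's payload closes the LIKE literal and "#" comments out the remainder.
function buildWhereUnsafe(string $keywords, int $catId = 0): string
{
    $where = '1=1';
    $keywords && $where .= " and title like '%$keywords%' ";
    $catId && $where .= " and cat_id = $catId ";
    return "( $where )";
}

// Hardened form: the same filter, but the value travels as a bound parameter and can only
// be compared as data. LIKE wildcards are escaped too, so a user-supplied "%" or "_"
// cannot widen the match beyond what was typed.
function findArticles(PDO $pdo, string $keywords, int $catId = 0): array
{
    $sql = 'SELECT article_id, title, cat_id FROM article WHERE 1=1';
    $params = [];
    if ($keywords !== '') {
        $escaped = addcslashes($keywords, '\\%_');
        $sql .= " AND title LIKE :kw ESCAPE '\\'";
        $params[':kw'] = '%' . $escaped . '%';
    }
    if ($catId > 0) {
        $sql .= ' AND cat_id = :cat';
        $params[':cat'] = $catId;
    }
    $sql .= ' ORDER BY article_id DESC';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo on an in-memory SQLite table with constructed sample rows (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article (article_id INTEGER PRIMARY KEY, title TEXT, cat_id INTEGER)');
$pdo->exec("INSERT INTO article (title, cat_id) VALUES ('About us', 1), ('Shipping policy', 2)");

$payload = "' or length(database())=9)#";   // the Boolean-inference payload from the post
echo buildWhereUnsafe($payload), "\n";        // the quote breaks out of the LIKE literal
// With binding the payload is only ever a title fragment, so no row can match it.
var_dump(count(findArticles($pdo, $payload)));
```

The echoed condition makes the breakout visible without running anything against a live database, while the bound version shows the shape the controller's where() call needs to take.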


Origin: blog.51cto.com/chichu/2417567