\xeb\xfe's Blog.

ecshop SQL注射漏洞-2010.8.21

wooyun-1000php
2017/12/07

简要描述

在Ecshop中缺乏对参数的有效过滤,导致一个SQL注射漏洞,成功利用该漏洞的攻击者可以获得数据库及站点的完全权限。

漏洞代码函数(include_libcommon.php)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
function get_package_info($id)
{
    global $ecs, $db,$_CFG;
    $now = gmtime();
    $sql = "SELECT act_id AS id,  act_name AS package_name, goods_id , goods_name, start_time, end_time, act_desc, ext_info".
           " FROM " . $GLOBALS['ecs']->table('goods_activity') ." WHERE act_id='$id' AND act_type = " . GAT_PACKAGE;
    $package = $db->GetRow($sql);
    /* 将时间转成可阅读格式 */
    if ($package['start_time'] <= $now && $package['end_time'] >= $now)
    {
        $package['is_on_sale'] = "1";
    }else{
        $package['is_on_sale'] = "0";
    }
	$package['start_time'] = local_date('Y-m-d H:i', $package['start_time']);
    $package['end_time']   = local_date('Y-m-d H:i', $package['end_time']);
    $row = unserialize($package['ext_info']);
    unset($package['ext_info']);
    if ($row)
    {
        foreach ($row as $key=>$val)
        {
            $package[$key] = $val;
        }

    }
    $sql = "SELECT pg.package_id, pg.goods_id, pg.goods_number, pg.admin_id, ".
           " g.goods_sn, g.goods_name, g.market_price, g.goods_thumb, g.is_real, ".
           " IFNULL(mp.user_price, g.shop_price * '$_SESSION[discount]') AS rank_price " .
           " FROM " . $GLOBALS['ecs']->table('package_goods') . " AS pg ".
           "   LEFT JOIN ". $GLOBALS['ecs']->table('goods') . " AS g "."   ON g.goods_id = pg.goods_id ".
           " LEFT JOIN " . $GLOBALS['ecs']->table('member_price') . " AS mp "."ON mp.goods_id = g.goods_id AND mp.user_rank = '$_SESSION[user_rank]' "." WHERE pg.package_id = " . $id. " "." ORDER BY pg.package_id, pg.goods_id";

    $goods_res = $GLOBALS['db']->getAll($sql);
    $market_price = 0;

第六行代码中,$id没有经过严格过滤就直接进入了SQL查询,导致一个SQL注射漏洞。

漏洞函数调用处(lib_order.php)

1
2
3
4
5
6
7
8
9
10
function add_package_to_cart($package_id, $num = 1)
{
    $GLOBALS['err']->clean();
    /* 取得礼包信息 */
    $package = get_package_info($package_id);
    if (empty($package))
    {
        $GLOBALS['err']->add($GLOBALS['_LANG']['goods_not_exists'], ERR_NOT_EXISTS);
        return false;
    }

在系统的lib_order.php中存在一个该函数的调用(第五行)

漏洞代码函数参数可控点(flow.php)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$package = $json->decode($_POST['package_info']);
    /* 如果是一步购物,先清空购物车 */
    if ($_CFG['one_step_buy'] == '1')
    {
        clear_cart();
    }
    /* 商品数量是否合法 */
    if (!is_numeric($package->number) || intval($package->number) <= 0)
    {
        $result['error']   = 1;
        $result['message'] = $_LANG['invalid_number'];
    }
    else
    {
        /* 添加到购物车 */
        if (add_package_to_cart($package->package_id, $package->number))
        {
            if ($_CFG['cart_confirm'] > 2)

$package->package_id来源于输入,接收用户post过来的package_info(json数据),然后进行json decode,保存到变量$package中。

漏洞修复方案:

对用户post过来的数据进行过滤,这里可以直接对package_id进行整数化。

原文链接:ecshop SQL注射漏洞-2010.8.21

CATALOG
  1. 1. 简要描述
  2. 2. 漏洞代码函数(include_libcommon.php)
  3. 3. 漏洞函数调用处(lib_order.php)
  4. 4. 漏洞代码函数参数可控点(flow.php)
  5. 5. 漏洞修复方案:
archive tags
目前才写: 23 篇博文,好好努力吧,骚年。
2017
漏洞评估 小试牛刀 web渗透-文件上传 wooyun-1000php 脑图