ecshop sql(需配合任意文件下载才能完美发挥)漏洞

漏洞文件:api.php

function search_goods_list()
{
    //check_auth();   //检查基本权限
    $version = '1.0';   //版本号
 
 
    if ($_POST['api_version'] != $version)      //网店的接口版本低
    {
        api_err('0x008', 'a low version api');
    }
    if (is_numeric($_POST['last_modify_st_time']) && is_numeric($_POST['last_modify_en_time']))
    {
        $sql = 'SELECT COUNT(*) AS count' .
               ' FROM ' . $GLOBALS['ecs']->table('goods') .
               " WHERE is_delete = 0 AND is_on_sale = 1 AND (last_update > '" . $_POST['last_modify_st_time'] . "' OR last_update = 0)";
        $date_count = $GLOBALS['db']->getRow($sql);
 
 
        if (empty($date_count))
        {
            api_err('0x003', 'no data to back');    //无符合条件数据
        }
        $page = empty($_POST['pages']) ? 1 : $_POST['pages'];       //确定读取哪些记录
        $counts = empty($_POST['counts']) ? 100 : $_POST['counts'];
 
 
        $sql = 'SELECT goods_id, last_update AS last_modify' .
               ' FROM ' . $GLOBALS['ecs']->table('goods') .
               " WHERE is_delete = 0 AND is_on_sale = 1 AND (last_update > '" . $_POST['last_modify_st_time'] . "' OR last_update = 0)".
               " LIMIT ".($page - 1) * $counts . ', ' . $counts;
               echo $sql;
        $date_arr = $GLOBALS['db']->getAll($sql);
 
 
        if (!empty($_POST['columns']))
        {
            $column_arr = explode('|', $_POST['columns']);
            foreach ($date_arr as $k => $v)
            {
                foreach ($v as $key => $val)
                {
                    if (in_array($key, $column_arr))
                    {
                        $re_arr['data_info'][$k][$key] = $val;
                    }
                }
            }
        }
        else
        {
            $re_arr['data_info'] = $date_arr;
        }
 
 
        /* 处理更新时间等于0的数据 */
        $sql = 'UPDATE ' . $GLOBALS['ecs']->table('goods') .
               " SET last_update = 1 WHERE is_delete = 0 AND is_on_sale = 1 AND last_update = 0";
        $GLOBALS['db']->query($sql, 'SILENT');
 
 
        $re_arr['counts'] = $date_count['count'];
        data_back($re_arr, '', RETURN_TYPE);  //返回数据
    }
    else
    {
        api_err('0x003', 'required date invalid');   //请求数据异常
    }
}

这里的漏洞函数不止这么一个,只是为了方便描述拿出一个,前面的获取都是众所周知的,不过第二行有一个证书验证函数check_auth(),因没有证书所不知道到底是否可逆。为了方便尝试我们把验证函数给注释掉,后面的if判断我们都可以轻松的跳过,然而漏洞点是在

$sql = 'SELECT goods_id, last_update AS last_modify' .
               ' FROM ' . $GLOBALS['ecs']->table('goods') .
               " WHERE is_delete = 0 AND is_on_sale = 1 AND (last_update > '" . $_POST['last_modify_st_time'] . "' OR last_update = 0)".
               " LIMIT ".($page - 1) * $counts . ', ' . $counts;

我们在之前的代码中可以清楚的看见pages与counts两个变量是可控的,但在进入数据库的时候这两个变量都没安全操作,而这里的Page变量进行了整数型操作故无法做为注入点,但我们counts变量是完全为我们所控的,尽管有全局转义但我们依旧可利用
sql1

sql2

2 条评论

  1. 你们网站上了cdn 我不挂代理访问不了啊

    1. 没穿底裤
      @啊

      你是什么地方IP?什么的网络服务商?

发表评论