### 简要描述: ECSHOP手机订单获取有漏洞,导致客户订单资料外泄 ### 详细说明: ``` elseif ($act == 'order_list') { $record_count = $db->getOne("SELECT COUNT(*) FROM " .$ecs->table('order_info'). " WHERE user_id = {$_SESSION['user_id']}"); if ($record_count > 0) { include_once(ROOT_PATH . 'includes/lib_transaction.php'); $page_num = '10'; $page = !empty($_GET['page']) ? intval($_GET['page']) : 1; $pages = ceil($record_count / $page_num); if ($page <= 0) { $page = 1; } if ($pages == 0) { $pages = 1; } if ($page > $pages) { $page = $pages; } $pagebar = get_wap_pager($record_count, $page_num, $page, 'user.php?act=order_list', 'page'); $smarty->assign('pagebar' , $pagebar); /* 订单状态 */ $_LANG['os'][OS_UNCONFIRMED] = '未确认'; $_LANG['os'][OS_CONFIRMED] = '已确认'; $_LANG['os'][OS_SPLITED] = '已确认'; $_LANG['os'][OS_SPLITING_PART] = '已确认'; $_LANG['os'][OS_CANCELED] = '已取消'; $_LANG['os'][OS_INVALID] = '无效'; $_LANG['os'][OS_RETURNED] = '退货'; $_LANG['ss'][SS_UNSHIPPED] = '未发货'; $_LANG['ss'][SS_PREPARING] = '配货中'; $_LANG['ss'][SS_SHIPPED] = '已发货'; $_LANG['ss'][SS_RECEIVED] = '收货确认'; $_LANG['ss'][SS_SHIPPED_PART] = '已发货(部分商品)'; $_LANG['ss'][SS_SHIPPED_ING] = '配货中'; // 已分单 $_LANG['ps'][PS_UNPAYED] = '未付款'; $_LANG['ps'][PS_PAYING] = '付款中'; $_LANG['ps'][PS_PAYED] = '已付款'; $_LANG['cancel'] = '取消订单'; $_LANG['pay_money'] = '付款'; $_LANG['view_order'] = '查看订单'; $_LANG['received'] = '确认收货'; $_LANG['ss_received'] = '已完成'; $_LANG['confirm_received'] = '你确认已经收到货物了吗?'; $_LANG['confirm_cancel'] = '您确认要取消该订单吗?取消后此订单将视为无效订单'; $orders = get_user_orders($_SESSION['user_id'], $page_num, $page_num * ($page - 1)); if (!empty($orders)) { foreach ($orders as $key => $val) { $orders[$key]['total_fee'] = encode_output($val['total_fee']); } } //$merge = get_user_merge($_SESSION['user_id']); $smarty->assign('orders', $orders); } $smarty->assign('footer', get_footer()); $smarty->display('order_list.html'); exit; } ``` 该分支在执行查询前没有检查访问者是否已登录,而是直接把 `$_SESSION['user_id']` 代入查询并把查出的全部订单输出,访问者甚至可以对这些订单进行操作。修复时应在进入该分支前验证访问者是已登录用户(例如要求 `$_SESSION['user_id']` 为有效的已登录用户 ID,否则拒绝访问)。 ### 漏洞证明: ``` elseif ($act == 'order_list') { $record_count = $db->getOne("SELECT 
COUNT(*) FROM " .$ecs->table('order_info'). " WHERE user_id = {$_SESSION['user_id']}"); if ($record_count > 0) { include_once(ROOT_PATH . 'includes/lib_transaction.php'); $page_num = '10'; $page = !empty($_GET['page']) ? intval($_GET['page']) : 1; $pages = ceil($record_count / $page_num); if ($page <= 0) { $page = 1; } if ($pages == 0) { $pages = 1; } if ($page > $pages) { $page = $pages; } $pagebar = get_wap_pager($record_count, $page_num, $page, 'user.php?act=order_list', 'page'); $smarty->assign('pagebar' , $pagebar); /* 订单状态 */ $_LANG['os'][OS_UNCONFIRMED] = '未确认'; $_LANG['os'][OS_CONFIRMED] = '已确认'; $_LANG['os'][OS_SPLITED] = '已确认'; $_LANG['os'][OS_SPLITING_PART] = '已确认'; $_LANG['os'][OS_CANCELED] = '已取消'; $_LANG['os'][OS_INVALID] = '无效'; $_LANG['os'][OS_RETURNED] = '退货'; $_LANG['ss'][SS_UNSHIPPED] = '未发货'; $_LANG['ss'][SS_PREPARING] = '配货中'; $_LANG['ss'][SS_SHIPPED] = '已发货'; $_LANG['ss'][SS_RECEIVED] = '收货确认'; $_LANG['ss'][SS_SHIPPED_PART] = '已发货(部分商品)'; $_LANG['ss'][SS_SHIPPED_ING] = '配货中'; // 已分单 $_LANG['ps'][PS_UNPAYED] = '未付款'; $_LANG['ps'][PS_PAYING] = '付款中'; $_LANG['ps'][PS_PAYED] = '已付款'; $_LANG['cancel'] = '取消订单'; $_LANG['pay_money'] = '付款'; $_LANG['view_order'] = '查看订单'; $_LANG['received'] = '确认收货'; $_LANG['ss_received'] = '已完成'; $_LANG['confirm_received'] = '你确认已经收到货物了吗?'; $_LANG['confirm_cancel'] = '您确认要取消该订单吗?取消后此订单将视为无效订单'; $orders = get_user_orders($_SESSION['user_id'], $page_num, $page_num * ($page - 1)); if (!empty($orders)) { foreach ($orders as $key => $val) { $orders[$key]['total_fee'] = encode_output($val['total_fee']); } } //$merge = get_user_merge($_SESSION['user_id']); $smarty->assign('orders', $orders); } $smarty->assign('footer', get_footer()); $smarty->display('order_list.html'); exit; } ``` 在百度搜索“powered by ecshop”,对所有开通了手机网站的 ECSHOP 商城,在域名后加 mobile/user.php?act=order_list 即可访问所有匿名购买者的订单,并可对其订单进行操作。 [<img src="https://images.seebug.org/upload/201401/1817455717aaf5949592d46b76e5c7ff4616184a.jpg" alt="_20140118174535.jpg" width="600" 
onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201401/1817455717aaf5949592d46b76e5c7ff4616184a.jpg)