### 简要描述: ECSHOP 后台 SQL 注入漏洞（admin/affiliate_ck.php、admin/agency.php）

### 详细说明:

两处漏洞都位于后台 admin/ 目录下，利用前提是拥有已登录的管理员会话。

漏洞1: admin/affiliate_ck.php 的 get_affiliate_ck() 直接把请求参数拼进 SQL 条件。`status` 做了 (int) 强制转换，是安全的；但 `order_sn` 只经过 trim() 就被拼入 LIKE 子句，没有任何转义。下面的摘录在 `if (isset($_GET['auid']))` 处被截断，报告 PoC 使用的正是这个 auid 参数。另外 order_sn 分支对 `$sqladd` 用的是 `=` 而不是 `.=`，会直接覆盖前面 status 分支拼好的条件（这是逻辑缺陷，与注入本身无关）。修复思路：字符串参数在拼接前必须经过数据库转义函数处理（或改用参数化查询），整数参数继续强制 (int)。

```php
admin/affiliate_ck.php
if ($_REQUEST['act'] == 'list') {
    $logdb = get_affiliate_ck();
    $smarty->assign('full_page', 1);
    $smarty->assign('ur_here', $_LANG['affiliate_ck']);
    $smarty->assign('on', $separate_on);

function get_affiliate_ck() {
    $affiliate = unserialize($GLOBALS['_CFG']['affiliate']);
    empty($affiliate) && $affiliate = array();
    $separate_by = $affiliate['config']['separate_by'];
    $sqladd = '';
    if (isset($_REQUEST['status'])) {
        $sqladd = ' AND o.is_separate = ' . (int)$_REQUEST['status'];
        $filter['status'] = (int)$_REQUEST['status'];
    }
    if (isset($_REQUEST['order_sn'])) {
        $sqladd = ' AND o.order_sn LIKE \'%' . trim($_REQUEST['order_sn']) . '%\'';
        $filter['order_sn'] = $_REQUEST['order_sn'];
    }
    if (isset($_GET['auid'])) {
```

漏洞2: admin/agency.php 的 get_agencylist() 把 `sort_by`、`sort_order` 两个参数仅 trim() 后直接拼进 ORDER BY 子句。ORDER BY 中的列名和排序方向不能靠引号转义来防护，必须做白名单校验：sort_by 只允许 agency 表中已知的列名，sort_order 只允许 ASC/DESC，不匹配时回退到默认值 agency_id / DESC。还要注意拼好的 `$sql` 会通过 set_filter() 保存下来，而 get_filter() 返回非 false 时 else 分支直接把返回值当作 `$sql` 使用，因此被污染的语句会被后续请求复用。

```php
admin/agency.php
if ($_REQUEST['act'] == 'list') {
    $smarty->assign('ur_here', $_LANG['agency_list']);
    $smarty->assign('action_link', array('text' => $_LANG['add_agency'], 'href' => 'agency.php?act=add'));
    $smarty->assign('full_page', 1);
    $agency_list = get_agencylist();
    $smarty->assign('agency_list', $agency_list['agency']);
    $smarty->assign('filter', $agency_list['filter']);
    $smarty->assign('record_count', $agency_list['record_count']);
    $smarty->assign('page_count', $agency_list['page_count']);

function get_agencylist() {
    $result = get_filter();
    if ($result === false) {
        /* 初始化分页参数 */
        $filter = array();
        $filter['sort_by'] = empty($_REQUEST['sort_by']) ? 'agency_id' : trim($_REQUEST['sort_by']);//这俩个参数都可以注入
        $filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);
        /* 查询记录总数,计算分页数 */
        $sql = "SELECT COUNT(*) FROM " . $GLOBALS['ecs']->table('agency');
        $filter['record_count'] = $GLOBALS['db']->getOne($sql);
        $filter = page_and_size($filter);
        /* 查询记录 */
        $sql = "SELECT * FROM " . $GLOBALS['ecs']->table('agency') .
" ORDER BY $filter[sort_by] $filter[sort_order]";
        set_filter($filter, $sql);
    } else {
        $sql = $result
```

### 漏洞证明:

测试方法（需先以管理员身份登录后台）：

127.0.0.1/ec/admin/affiliate_ck.php?act=list&auid=1'

[<img src="https://images.seebug.org/upload/201312/19172117f41089d1f3f9133f4245270c30be4163.jpg" alt="_20131219171825.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/19172117f41089d1f3f9133f4245270c30be4163.jpg)

测试方法：

127.0.0.1/ec/admin/agency.php?act=list ，POST 提交 sort_by=111111'（代码读取的是 $_REQUEST，因此以 GET 参数提交同样有效；从摘录看，get_filter() 返回非 false 时会跳过读取 sort_by、直接复用之前 set_filter() 保存的 SQL，测试时应确保当前会话尚未缓存过滤条件）

[<img src="https://images.seebug.org/upload/201312/19172935fb0721769603285fa70f9b0525eb37ad.jpg" alt="_20131219172736.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/19172935fb0721769603285fa70f9b0525eb37ad.jpg)