### 简要描述:

开源网店系统Ecshop存在多处的SQL注射漏洞,成功利用可以获取网店权限

### 详细说明:

flow.php

```
elseif ($_REQUEST['step'] == 'update_cart')
{
    if (isset($_POST['goods_number']) && is_array($_POST['goods_number']))
    {
        flow_update_cart($_POST['goods_number']);
    }
    show_message($_LANG['update_cart_notice'], $_LANG['back_to_cart'], 'flow.php');
    exit;
}
```

```
function flow_update_cart($arr)
{
    /* 处理 */
    foreach ($arr AS $key => $val)
    {
        $val = intval(make_semiangle($val));

        if ($val <= 0 && !is_numeric($key))
        {
            continue;
        }

        //查询:
        $sql = "SELECT `goods_id`, `goods_attr_id`, `product_id`, `extension_code` FROM" .$GLOBALS['ecs']->table('cart'). " WHERE rec_id='$key' AND session_id='" . SESS_ID . "'";
        $goods = $GLOBALS['db']->getRow($sql);

        $sql = "SELECT g.goods_name, g.goods_number ". "FROM " .$GLOBALS['ecs']->table('goods'). " AS g, ". $GLOBALS['ecs']->table('cart'). " AS c ". "WHERE g.goods_id = c.goods_id AND c.rec_id = '$key'";
        $row = $GLOBALS['db']->getRow($sql);

        //查询:系统启用了库存,检查输入的商品数量是否有效
        if (intval($GLOBALS['_CFG']['use_storage']) > 0 && $goods['extension_code'] != 'package_buy')
        {
            if ($row['goods_number'] < $val)
            {
                show_message(sprintf($GLOBALS['_LANG']['stock_insufficiency'], $row['goods_name'], $row['goods_number'], $row['goods_number']));
                exit;
            }
            /* 是货品 */
            $goods['product_id'] = trim($goods['product_id']);
            if (!empty($goods['product_id']))
            {
```

全局过滤只处理了数组的值(`$val` 经过 `intval(make_semiangle($val))` 转换),但没有处理数组的 key:`$key` 来自 `$_POST['goods_number']` 的键名,未经任何转义就直接拼接进 `rec_id='$key'` 和 `c.rec_id = '$key'` 两条 SQL 语句。前面的判断 `if ($val <= 0 && !is_numeric($key))` 只在 `$val` 为非正数时才跳过非数字的 key,因此只要提交的数量为正数,非数字的 key 照样进入查询,该检查无法阻止注入。修复应在拼接前对 `$key` 做 `intval()` 转换(rec_id 本身为整数),或改用参数化查询。

### 漏洞证明:

[<img src="https://images.seebug.org/upload/201208/19164755b8744f4c961c90a35a8b605ce86b81b7.jpg" alt="" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201208/19164755b8744f4c961c90a35a8b605ce86b81b7.jpg)