漏洞概要
缺陷编号: WooYun-2010-00248
漏洞标题: ecshop SQL注射漏洞
相关厂商: ecshop
漏洞作者: xsser
提交时间: 2010-08-21
公开时间: 2010-08-21
漏洞类型: SQL注射
危害等级: 高
漏洞状态: 未联系到厂商或者厂商积极忽略
________________________________________
漏洞详情
简要描述:
在Ecshop中缺乏对参数的有效过滤,导致一个SQL注射漏洞,成功利用该漏洞的攻击者可以获得数据库及站点的完全权限。
详细说明:
在include_libcommon.php中存在如下函数
function get_package_info($id)

{

    global $ecs, $db,$_CFG;

 

    $now = gmtime();

 

    $sql = "SELECT act_id AS id,  act_name AS package_name, goods_id , goods_name, start_time, end_time, act_desc, ext_info".

           " FROM " . $GLOBALS['ecs']->table('goods_activity') .

           " WHERE act_id='$id' AND act_type = " . GAT_PACKAGE;

 

    $package = $db->GetRow($sql);

 

    /* 将时间转成可阅读格式 */

    if ($package['start_time'] <= $now && $package['end_time'] >= $now)

    {

        $package['is_on_sale'] = "1";

    }

    else

    {

        $package['is_on_sale'] = "0";

    }

    $package['start_time'] = local_date('Y-m-d H:i', $package['start_time']);

    $package['end_time']   = local_date('Y-m-d H:i', $package['end_time']);

    $row = unserialize($package['ext_info']);

    unset($package['ext_info']);

    if ($row)

    {

        foreach ($row as $key=>$val)

        {

            $package[$key] = $val;

        }

    }

 

    $sql = "SELECT pg.package_id, pg.goods_id, pg.goods_number, pg.admin_id, ".

           " g.goods_sn, g.goods_name, g.market_price, g.goods_thumb, g.is_real, ".

           " IFNULL(mp.user_price, g.shop_price * '$_SESSION[discount]') AS rank_price " .

           " FROM " . $GLOBALS['ecs']->table('package_goods') . " AS pg ".

           "   LEFT JOIN ". $GLOBALS['ecs']->table('goods') . " AS g ".

           "   ON g.goods_id = pg.goods_id ".

           " LEFT JOIN " . $GLOBALS['ecs']->table('member_price') . " AS mp ".

                "ON mp.goods_id = g.goods_id AND mp.user_rank = '$_SESSION[user_rank]' ".

           " WHERE pg.package_id = " . $id. " ".

           " ORDER BY pg.package_id, pg.goods_id";

 

    $goods_res = $GLOBALS['db']->getAll($sql);

 

    $market_price        = 0;

其中$id没有经过严格过滤就直接进入了SQL查询,导致一个SQL注射漏洞。
漏洞证明:
在系统的lib_order.php中存在一个该函数的调用
function add_package_to_cart($package_id, $num = 1)

{

    $GLOBALS['err']->clean();

 

    /* 取得礼包信息 */

    $package = get_package_info($package_id);

 

    if (empty($package))

    {

        $GLOBALS['err']->add($GLOBALS['_LANG']['goods_not_exists'], ERR_NOT_EXISTS);

 

        return false;

    }

在flow.php中存在可控的输入源
$package = $json->decode($_POST['package_info']);

 

    /* 如果是一步购物,先清空购物车 */

    if ($_CFG['one_step_buy'] == '1')

    {

        clear_cart();

    }

 

    /* 商品数量是否合法 */

    if (!is_numeric($package->number) || intval($package->number) <= 0)

    {

        $result['error']   = 1;

        $result['message'] = $_LANG['invalid_number'];

    }

    else

    {

        /* 添加到购物车 */

        if (add_package_to_cart($package->package_id, $package->number))

        {

            if ($_CFG['cart_confirm'] > 2)


$package->package_id来源于输入
修复方案:
你猜啊~~~~
________________________________________
漏洞回应
厂商回应:未能联系到厂商或者厂商积极拒绝