当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-046480

漏洞标题:ECSHOP 后台sql注入漏洞2枚(鸡肋)

相关厂商:ShopEx

漏洞作者: Matt

提交时间:2013-12-19 17:25

修复时间:2014-03-19 17:26

公开时间:2014-03-19 17:26

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-12-19: 细节已通知厂商并且等待厂商处理中
2013-12-19: 厂商已经确认,细节仅向厂商公开
2013-12-22: 细节向第三方安全合作伙伴开放
2014-02-12: 细节向核心白帽子及相关领域专家公开
2014-02-22: 细节向普通白帽子公开
2014-03-04: 细节向实习白帽子公开
2014-03-19: 细节向公众公开

简要描述:

ECSHOP 后台注入漏洞

详细说明:

admin/affiliate_ck.php
if ($_REQUEST['act'] == 'list')
{
    $logdb = get_affiliate_ck();
    $smarty->assign('full_page',  1);
    $smarty->assign('ur_here', $_LANG['affiliate_ck']);
    $smarty->assign('on', $separate_on);
function get_affiliate_ck()
{
    $affiliate = unserialize($GLOBALS['_CFG']['affiliate']);
    empty($affiliate) && $affiliate = array();
    $separate_by = $affiliate['config']['separate_by'];
    $sqladd = '';
    if (isset($_REQUEST['status']))
    {
        $sqladd = ' AND o.is_separate = ' . (int)$_REQUEST['status'];
        $filter['status'] = (int)$_REQUEST['status'];
    }
    if (isset($_REQUEST['order_sn']))
    {
        $sqladd = ' AND o.order_sn LIKE \'%' . trim($_REQUEST['order_sn']) . '%\'';
        $filter['order_sn'] = $_REQUEST['order_sn'];
    }
    if (isset($_GET['auid']))
    {


漏洞2:

admin/agency.php
if ($_REQUEST['act'] == 'list')
{
    $smarty->assign('ur_here',      $_LANG['agency_list']);
    $smarty->assign('action_link',  array('text' => $_LANG['add_agency'], 'href' => 'agency.php?act=add'));
    $smarty->assign('full_page',    1);
    $agency_list = get_agencylist();
    $smarty->assign('agency_list',  $agency_list['agency']);
    $smarty->assign('filter',       $agency_list['filter']);
    $smarty->assign('record_count', $agency_list['record_count']);
    $smarty->assign('page_count',   $agency_list['page_count']);
function get_agencylist()
{
    $result = get_filter();
    if ($result === false)
    {
        /* 初始化分页参数 */
        $filter = array();
        $filter['sort_by']    = empty($_REQUEST['sort_by']) ? 'agency_id' : trim($_REQUEST['sort_by']);//这俩个参数都可以注入
        $filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);
        /* 查询记录总数,计算分页数 */
        $sql = "SELECT COUNT(*) FROM " . $GLOBALS['ecs']->table('agency');
        $filter['record_count'] = $GLOBALS['db']->getOne($sql);
        $filter = page_and_size($filter);
        /* 查询记录 */
        $sql = "SELECT * FROM " . $GLOBALS['ecs']->table('agency') . " ORDER BY $filter[sort_by] $filter[sort_order]";
        set_filter($filter, $sql);
    }
    else
    {
        $sql    = $result

漏洞证明:

测试方法
127.0.0.1/ec/admin/affiliate_ck.php?act=list&auid=1'

_20131219171825.jpg


测试方法
127.0.0.1/ec/admin/agency.php?act=list
POST 提交sort_by=111111'

_20131219172736.jpg

修复方案:

你猜

版权声明:转载请注明来源 Matt@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2013-12-19 17:44

厂商回复:

非常感谢您为shopex信息安全做的贡献
我们将尽快修复
非常感谢

最新状态:

暂无