2014-07-11: 细节已通知厂商并且等待厂商处理中 2014-07-11: 厂商已经确认,细节仅向厂商公开 2014-07-14: 细节向第三方安全合作伙伴开放 2014-09-04: 细节向核心白帽子及相关领域专家公开 2014-09-14: 细节向普通白帽子公开 2014-09-24: 细节向实习白帽子公开 2014-10-09: 细节向公众公开
RT。
首先注册一个会员 然后申请开店ECmall 在添加一个商品的时候可以从csv 中导入 看看代码。在app/my_goods.app.php中
function import() { if (!IS_POST) { $this->assign('note_for_import', sprintf(LANG::get('note_for_import'), CHARSET)); /* 当前页面信息 */ $this->_curlocal(LANG::get('member_center'), 'index.php?app=member', LANG::get('my_goods'), 'index.php?app=my_goods', LANG::get('import')); $this->_curitem('my_goods'); $this->_curmenu('import'); $this->assign('page_title', Lang::get('member_center') . Lang::get('my_goods')); $this->display('common.import.html'); } else { $file = $_FILES['csv']; if ($file['error'] != UPLOAD_ERR_OK) { $this->show_warning('select_file'); return; } /* 取得还能上传的商品数,false表示不限制 */ $store_mod =& m('store'); $settings = $store_mod->get_settings($this->_store_id); $remain = $settings['goods_limit'] > 0 ? $settings['goods_limit'] - $this->_goods_mod->get_count() : false; $data = $this->import_from_csv($file['tmp_name'], false, $_POST['charset'], CHARSET); foreach ($data as $row) { /* 如果商品数超过限制了,中断 */ if ($remain !== false) { if ($remain <= 0) { $this->show_warning('goods_limit_arrived'); return; } else { $remain--; } } $goods_name = trim($row[0]); if (!$goods_name || $this->_goods_mod->get("goods_name = '$goods_name'")) { // 商品名为空或已存在,不处理 continue; } $image_url = trim($row[5]); $thumbnail = trim($row[6]); $goods = array( 'type' => 'material', 'spec_qty' => 0, 'if_show' => 1, 'closed' => 0, 'add_time' => gmtime(), 'last_update' => gmtime(), 'recommended' => 1, 'goods_name' => $goods_name, 'brand' => trim($row[1]), 'description' => trim($row[4]), 'default_image' => $thumbnail, ); $goods_id = $this->_goods_mod->add($goods); if ($this->_goods_mod->has_error()) { $this->show_warning($this->_goods_mod->get_error()); return; } $spec = array( 'goods_id' => $goods_id, 'price' => floatval($row[2]), 'stock' => intval($row[3]), 'sku' => $row[4], ); $spec_id = $this->_spec_mod->add($spec); if ($this->_spec_mod->has_error())
$data = $this->import_from_csv($file['tmp_name'], false, $_POST['charset'], CHARSET); foreach ($data as $row) { /* 如果商品数超过限制了,中断 */ if ($remain !== false) { if ($remain <= 0) { $this->show_warning('goods_limit_arrived'); return; } else { $remain--; } } $goods_name = trim($row[0]); if (!$goods_name || $this->_goods_mod->get("goods_name = '$goods_name'")) { // 商品名为空或已存在,不处理 continue; } $image_url = trim($row[5]); $thumbnail = trim($row[6]);
可以看到这些 $image_url = trim($row[5]); $thumbnail = trim($row[6]); 循环出来之后都没过滤。而且因为是$_FILES 所以没有转义。然后带入了各种查询。
$goods = array( 'type' => 'material', 'spec_qty' => 0, 'if_show' => 1, 'closed' => 0, 'add_time' => gmtime(), 'last_update' => gmtime(), 'recommended' => 1, 'goods_name' => $goods_name, 'brand' => trim($row[1]), 'description' => trim($row[4]), 'default_image' => $thumbnail, ); $goods_id = $this->_goods_mod->add($goods);
利用这里来注入把。 随便找一个点。
新建一个这样的csv。
然后导入。
成功
见上
addslashes
危害等级:低
漏洞Rank:3
确认时间:2014-07-11 11:41
谢谢您的支持,针对补丁包和安装文件已经做更新非常感谢您为shopex信息安全做的贡献
暂无