ECShop 2.7.2 red packet injection vulnerability and repair

 

Brief description:

The flow. php page looks like an intval red envelope ID, which can actually be injected. The following articles only speculate from the code that the test was not conducted, but this is too obvious. We will not test it. If you fail to test the official website, please refer to the post, and the death rhythm technical team and the evil spirits team will pass.

Detailed description:

/Flow. php starts at line 1

$ Bonus = bonus_info (intval ($ _ GET ['bonus']);

 

 

 

If ((! Empty ($ bonus) & $ bonus ['user _ id'] ==$ _ SESSION ['user _ id']) | $ _ GET ['bonus'] = 0)

 

{

 

$ Order ['bonus _ id'] = $ _ GET ['bonus'];

 

}

 

Else

 

{

 

$ Order ['bonus _ id'] = 0;

 

$ Result ['error'] = $ _ LANG ['invalid _ bonus'];

 

}

 

 

 

/* Calculate the order fee */

 

$ Total = order_ne( $ order, $ cart_goods, $ consignee );

 

$ Bonus = bonus_info (intval ($ _ GET ['bonus']);

The above sentence seems to have changed $ _ GET ['bonus'] to an integer. That's right. This sentence is okay. Let's continue to look at it,

If ((! Empty ($ bonus) & $ bonus ['user _ id'] ==$ _ SESSION ['user _ id']) | $ _ GET ['bonus'] = 0)

 

{

 

$ Order ['bonus _ id'] = $ _ GET ['bonus'];

 

}

 

The code above shows: If you GET the red envelope information through the GET red envelope ID and the red envelope belongs to you,

Execute the following sentence:

$ Order ['bonus _ id'] = $ _ GET ['bonus'];

 

No. Here, $ order ['bonus _ id'] gets an unfiltered red envelope id,

Then

The following sentence

/* Calculate the order fee */

 

$ Total = order_ne( $ order, $ cart_goods, $ consignee );

 

The unfiltered red envelope ID enters the order_detail function to check the code of this function (in/mongodes/lib_order.php ),

Function order_detail ($ order, $ goods, $ consignee)

 

{

 

//... Omit several rows to 643 rows,

 

 

 

If (! Empty ($ order ['bonus _ id'])

 

{

 

$ Bonus = bonus_info ($ order ['bonus _ id']);

 

$ Total ['bonus'] = $ bonus ['Type _ money'];

 

}

 

}

 

The unfiltered red envelope ID enters the bonus_info function again. This function is also in the above file,

To 1408 rows

Function bonus_info ($ bonus_id, $ bonus_sn = '')

 

{

 

$ SQL = "SELECT t. *, B .*".

 

"FROM". $ GLOBALS ['ecs']-> table ('bonus _ type'). "AS t ,".

 

$ GLOBALS ['ecs']-> table ('user _ bonus'). "AS B ".

 

"WHERE t. type_id = B. bonus_type_id ";

 

If ($ bonus_id> 0)

 

{

 

$ SQL. = "AND B. bonus_id = '$ bonus_id '";

 

}

 

Else

 

{

 

$ SQL. = "AND B. bonus_sn = '$ bonus_sn '";

 

}

 

 

 

Return $ GLOBALS ['db']-> getRow ($ SQL );

 

}

 

It happens that the string is greater than 0, so the injection string can smoothly enter the SQL statement. Well, the hacker gets lucky, and the rank value is more

Proof of vulnerability:

I won't prove it. Read the code myself.

Solution:

In the function bonus_info ($ bonus_id, $ bonus_sn = ''), do you want to set $ bonus_id intval to OK?

 

 

Author: tenzy @ wooyun