ecshop /api/client/api.php, /api/client/includes/lib_api.php SQL Injection Vulnerability


Contents

1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Code analysis
5. Mitigation
6. Thoughts on attack and defense


1. Vulnerability description

ECShop contains a blind SQL injection vulnerability. The problem lies in the file /api/client/api.php: a specially crafted malicious POST request can perform SQL injection, which can be used to obtain sensitive information or manipulate the database.

http://sebug.net/vuldb/ssvid-21007


2. Trigger conditions

1. /api/client/api.php passes its input through without filtering.
2. The server runs with magic_quotes_gpc = Off. Note that the magic_quotes_gpc feature has been deprecated since PHP 5.3.0 and is removed as of PHP 5.4.0, so the default is magic_quotes_gpc = Off.

0x1: POC

http://localhost/ecshop2.7.2/api/client/api.php?Action=UserLogin
POST: UserId=%27%20or%20user_id=1%23

Relevant Link:

http://php.net/manual/zh/info.configuration.php


3. Affected scope

4. Code analysis

/api/client/api.php

<?php
define('IN_ECS', true);
include_once './includes/init.php';

// Dispatch the POST data to the matching handler
dispatch($_POST);
?>

/api/client/includes/lib_api.php

function dispatch($post)
{
    // Dispatcher table
    $func_arr = array('GetDomain', 'UserLogin', 'AddCategory', 'AddBrand', 'AddGoods', 'GetCategory', 'GetBrand', 'GetGoods', 'DeleteBrand', 'DeleteCategory', 'DeleteGoods', 'EditBrand', 'EditCategory', 'EditGoods');

    // When $_POST['Action'] == 'UserLogin', this calls API_UserLogin
    if (in_array($post['Action'], $func_arr) && function_exists('API_' . $post['Action']))
    {
        return call_user_func('API_' . $post['Action'], $post);
    }
    else
    {
        API_Error();
    }
}

/api/client/includes/lib_api.php

function API_UserLogin($post)
{
    $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
    $post['password'] = isset($post['Password']) ? strtolower(trim($post['Password'])) : '';

    /* Check whether the password is correct */
    // $post['username'] is never filtered, which causes the blind injection: the parameter
    // is taken straight from the raw $_POST without any preprocessing, so it is not
    // covered by the core filtering.
    $sql = "SELECT user_id, user_name, password, action_list, last_login" .
           " FROM " . $GLOBALS['ecs']->table('admin_user') .
           " WHERE user_name = '" . $post['username'] . "'";
    $row = $GLOBALS['db']->getRow($sql);
    ..

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-02969


5. Mitigation

/api/client/includes/lib_api.php

function API_UserLogin($post)
{
    /* SQL injection filtering */
    if (get_magic_quotes_gpc())
    {
        // magic_quotes_gpc has already escaped the value; do not escape it twice
        $post['UserId'] = $post['UserId'];
    }
    else
    {
        $post['UserId'] = addslashes($post['UserId']);
    }
    /* */
    $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
    ..

Relevant Link:

http://www.topit.cn/ecshop-tutorial/ecshop_mangzhu_bug_for_ecshop_v2.7.2-195.html
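To make the mechanics of sections 4 and 5 concrete, here is an added stand-alone example (not ECShop's code): it rebuilds the admin_user lookup from API_UserLogin once as string concatenation and once as a bound parameter, and runs the POC's UserId value through the safe version against an in-memory SQLite table. The table, the admin row and the shortened table name ecs_admin_user are constructed for the demo; the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not ECShop's code. Rebuilds the admin_user lookup from
// API_UserLogin in two forms; the table and admin row below are constructed.

// 1. The vulnerable construction: the username is concatenated into the SQL
//    exactly as API_UserLogin does (table name shortened to ecs_admin_user).
function buildVulnerableSql(string $username): string
{
    return "SELECT user_id, user_name, password, action_list, last_login"
         . " FROM ecs_admin_user"
         . " WHERE user_name = '" . $username . "'";
}

// 2. The hardened construction: a bound parameter keeps the username as data,
//    so no quoting or escaping of the input is needed at all.
function lookupSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        "SELECT user_id, user_name FROM ecs_admin_user WHERE user_name = ?"
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The URL-decoded UserId from the POC above.
$payload = "' or user_id=1#";

// On MySQL, "#" starts a line comment, so the built statement ends at "1" and
// the WHERE clause is satisfied by the admin row (user_id = 1) whatever the
// username. Printing it shows the closing quote being hijacked.
echo buildVulnerableSql($payload), PHP_EOL;
// SELECT ... WHERE user_name = '' or user_id=1#'

// In-memory SQLite stands in for the ECShop database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ecs_admin_user (user_id INTEGER, user_name TEXT, password TEXT)");
$db->exec("INSERT INTO ecs_admin_user VALUES (1, 'admin', 'constructed-hash')");

// The bound parameter looks for a user literally named "' or user_id=1#".
var_dump(lookupSafe($db, $payload));  // NULL: no such user
var_dump(lookupSafe($db, 'admin'));   // the admin row, as a normal login sees it
```

The addslashes() fix shown above only emulates MySQL's backslash escaping for the one parameter; binding the value removes the quoting problem for the whole statement.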


6. Thoughts on attack and defense

Copyright (c) 2015 LittleHann All rights reserved
