ECShop goods_attr and goods_attr_id second-order SQL injection vulnerabilities: detailed analysis - Vulnerability Alert - Black Bar Safety Net (myhack58)

2013-07-31T00:00:00
ID MYHACK58:62201339998
Type myhack58
Reporter BLUE
Modified 2013-07-31T00:00:00

Description

I: goods_attr_id second-order injection

Exploitation steps:

  1. Add an item to the shopping cart, writing the injection code into the product attribute id:

http://localhost/test/ecshop/flow.php?step=add_to_cart

POST: goods={"quick":1,"spec":["163","158'"],"goods_id":32,"number":"1","parent":0}

Note that spec must contain two or more ids.

  2. On the view-cart page click "Update cart"; this executes the injected code. (Because this is a second-order injection, single quotes can be used: the payload is read back from the database, not taken from the escaped request.)

Code analysis: 1. /includes/lib_goods.php, line 942

function spec_price($spec)
{
    if (!empty($spec))
    {
        $where = db_create_in($spec, 'goods_attr_id'); // injection point: whoever controls $spec controls the WHERE clause

        $sql = 'SELECT SUM(attr_price) AS attr_price FROM ' . $GLOBALS['ecs']->table('goods_attr') . " WHERE $where";
        $price = floatval($GLOBALS['db']->getOne($sql));
    }
    else
    {
        $price = 0;
    }

    return $price;
}

2. /includes/lib_common.php, line 2266: get_final_price() calls spec_price().

  3. Now look at the get_final_price() call in the flow_update_cart method of ecshop/flow.php, line 2272:

/* Handle ordinary goods or non-preferential accessories */
else
{
    $attr_id = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
    // $attr_id is read straight from the cart row's goods_attr_id field, so writing the injection code into it when the item is added to the cart is enough
    $goods_price = get_final_price($goods['goods_id'], $val, true, $attr_id);

    /* Update the quantity of the goods in the cart */
    $sql = "UPDATE " . $GLOBALS['ecs']->table('cart') . " SET goods_number = '$val', goods_price = '$goods_price' WHERE rec_id='$key' AND session_id='" . SESS_ID . "'";
}
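The following is an added illustration of the two-stage flow traced above; it is neither ECShop's code nor the advisory author's. db_create_in_vuln() models the behaviour the analysis attributes to ECShop's db_create_in() (each value is quoted but never escaped); that model, the function names and the sample stored string are assumptions. db_create_in_safe() is a suggested hardening: goods_attr_id is an integer key, so anything non-numeric is rejected before it reaches SQL.

```php
<?php
// Added example, not ECShop's own code. Models stage 1 (attacker-controlled
// spec stored in cart.goods_attr_id) and stage 2 (flow_update_cart reads the
// field back, explodes it and spec_price() builds a WHERE clause from it).

// Assumed model of ECShop's db_create_in(): quotes each item, escapes nothing.
function db_create_in_vuln($item_list, $field_name)
{
    if (!is_array($item_list)) {
        $item_list = explode(',', $item_list);
    }
    $quoted = array();
    foreach (array_unique($item_list) as $item) {
        if ($item !== '') {
            $quoted[] = "'$item'";
        }
    }
    if (empty($quoted)) {
        return $field_name . " IN ('') ";
    }
    return $field_name . ' IN (' . implode(',', $quoted) . ') ';
}

// Suggested hardened replacement (hypothetical): goods_attr_id values are
// integer primary keys, so whitelist digits and emit unquoted integers.
function db_create_in_safe($item_list, $field_name)
{
    if (!is_array($item_list)) {
        $item_list = explode(',', $item_list);
    }
    $ids = array();
    foreach (array_unique($item_list) as $item) {
        if ($item === '') {
            continue;
        }
        if (!ctype_digit((string) $item)) {
            throw new InvalidArgumentException("non-numeric $field_name value rejected: " . $item);
        }
        $ids[] = (int) $item;
    }
    if (empty($ids)) {
        return $field_name . " IN ('') ";
    }
    return $field_name . ' IN (' . implode(',', $ids) . ') ';
}

// Stage 1 (constructed sample): the value add_to_cart would store after
// join(',', $spec) for the POST body shown in the advisory. The single quote
// survives because it is read back from the database, not from the request.
$stored_goods_attr_id = "163,158'";

// Stage 2: flow_update_cart explodes the stored field, exactly as in the analysis.
$attr_id = explode(',', $stored_goods_attr_id);

$where = db_create_in_vuln($attr_id, 'goods_attr_id');
echo "vulnerable: SELECT SUM(attr_price) AS attr_price FROM ecs_goods_attr WHERE $where\n";
// The stray quote breaks the IN list: goods_attr_id IN ('163','158'')

try {
    db_create_in_safe($attr_id, 'goods_attr_id');
} catch (InvalidArgumentException $e) {
    echo "hardened: " . $e->getMessage() . "\n";
}
// With clean ids the hardened version still produces a usable clause.
echo "hardened: WHERE " . db_create_in_safe(array('163', '158'), 'goods_attr_id') . "\n";
```

Run it with `php` on the command line: the first line shows the broken IN list the stored payload produces, the second shows the hardened function refusing the same input, and the third shows that legitimate ids still work.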

II: goods_attr second-order injection

  1. Insert the injection code into the goods_attr field of the order items. This can be done through /wholesale.php, the goods wholesale page.


  2. In the user center, open the order-view page for the order generated in step 1 and perform the "add to cart again" operation.

  3. Open the shopping cart page; the injected code is executed.
