ECShop latest version: front-end second-order injection series (2) - vulnerability warning - the black bar safety net

2013-09-20T00:00:00
ID MYHACK58:62201340642
Type myhack58
Reporter blue
Modified 2013-09-20T00:00:00

Description

Brief description:

Second instalment of the second-order injection series. The injected value passes in and out of the database at least 6 times before it finally reaches the page that shows the injection result, and it is fully controllable throughout.

Detailed description:

[Figure: screenshot of the injection result]

SQL injection process:

  1. Insert the injection code (goods_attr) into the order items. It can be inserted via /wholesale.php, i.e. the product wholesale page. Note that goods_attr here is different from the goods_attr_id used in "ecshop latest version of the front secondary injection Series (1)": in the earlier vulnerability, Add to cart on the normal product page does not let you control goods_attr, because there goods_attr is read from the product attributes table in the database.


  2. Generate the order, then on the order view page in the user center perform the "put back into cart" operation.


  3. View the shopping cart page; the injected code is executed.


Code analysis:

1. /includes/lib_order.php, get_cart_goods() method (reads the goods in the cart), line 1626

    /* Query specifications */
    if (trim($row['goods_attr']) != '')
    {
        $sql = "SELECT attr_value FROM " . $GLOBALS['ecs']->table('goods_attr') . " WHERE goods_attr_id " .
               db_create_in($row['goods_attr']); // goods_attr is the cart item's attribute list; once the injection code can be placed in a cart item, this query is controlled. This is the root cause of the second-order injection.
        $attr_list = $GLOBALS['db']->getCol($sql);
        foreach ($attr_list AS $attr)
        {
            $row['goods_name'] .= '[' . $attr . '] '; // with UNION SELECT, the content queried from the database ends up on the page
        }
    }

2. /wholesale.php, line 160 onward (goods submitted to the cart are actually written to $_SESSION)

    /*------------------------------------------------------ */
    //-- Add to cart
    /*------------------------------------------------------ */
    elseif ($_REQUEST['act'] == 'add_to_cart')
    {
        /* Get parameters */
        $act_id = intval($_POST['act_id']);
        $goods_number = $_POST['goods_number'][$act_id];
        $attr_id = isset($_POST['attr_id']) ? $_POST['attr_id'] : array();
        if (isset($attr_id[$act_id]))
        {
            $goods_attr = $attr_id[$act_id]; // controllable; see the screenshots for the structure of the submitted data
        }
        ...

3. /wholesale.php, line 380 (act == 'submit_order'): writes the $_SESSION data into the order

    /* Insert the order items */
    foreach ($_SESSION['wholesale_goods'] as $goods)
    {
        // if the goods carry attributes, look up the matching product
        $product_id = 0;
        if (!empty($goods['goods_attr_id']))
        {
            $goods_attr_id = array();
            foreach ($goods['goods_attr_id'] as $value)
            {
                $goods_attr_id[$value['attr_id']] = $value['attr_val_id'];
            }
            ksort($goods_attr_id);
            $goods_attr = implode('|', $goods_attr_id);
            $sql = "SELECT product_id FROM " . $ecs->table('products') . " WHERE goods_attr = '$goods_attr' AND goods_id = '" . $goods['goods_id'] . "'";
            $product_id = $db->getOne($sql);
        }
        $sql = "INSERT INTO " . $ecs->table('order_goods') . "( " .
               "order_id, goods_id, goods_name, goods_sn, product_id, goods_number, market_price, " .
               "goods_price, goods_attr, is_real, extension_code, parent_id, is_gift) " .
               "SELECT '$new_order_id', goods_id, goods_name, goods_sn, '$product_id', '$goods[goods_number]', market_price, " .
               "'$goods[goods_price]', '$goods[goods_attr]', is_real, extension_code, 0, 0 " .
               "FROM " . $ecs->table('goods') .
               " WHERE goods_id = '$goods[goods_id]'";
        $db->query($sql);
    }

  4. Up to step 3 the injected code has been written into the orders table (order_goods). The next step is to get it into the cart table: when viewing the order in the user center there is a "put back into cart" operation, which copies the order items into the cart table (cart); after that the View Cart page /flow.php shows the injection result (see code analysis 1).

/includes/lib_transaction.php, return_to_cart() method, line 854

    ...
    // goods to be returned to the cart  // around line 923
    $return_goods = array(
        'goods_id'       => $row['goods_id'],
        'goods_sn'       => addslashes($goods['goods_sn']),
        'goods_name'     => addslashes($goods['goods_name']),
        'market_price'   => $goods['market_price'],
        'goods_price'    => $goods['goods_price'],
        'goods_number'   => $row['goods_number'],
        'goods_attr'     => empty($row['goods_attr']) ? '' : addslashes($row['goods_attr']), // note this line: $row is the order item; addslashes is applied, but this is a second-order injection: the value is later read back out of the database into the query shown in code analysis 1
        'goods_attr_id'  => empty($row['goods_attr_id']) ? '' : $row['goods_attr_id'],
        'is_real'        => $goods['is_real'],
        'extension_code' => addslashes($goods['extension_code']),
        'parent_id'      => '0',
        'is_gift'        => '0',
        'rec_type'       => CART_GENERAL_GOODS
    );
    ...

Proof of vulnerability:

[Figure: two screenshots of the injection result]

Fix:

In /includes/lib_order.php, filter goods_attr in the get_cart_goods() method before it is used in the query.
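A hardened version of the lookup from code analysis 1, added here as an example (not ECShop's own code): it reduces the stored goods_attr value to positive integer ids before building the IN list, which is what the filter above amounts to. It assumes goods_attr is a comma-separated list of goods_attr_id values; the helper names are invented.

```php
<?php
// Added example, not ECShop's own code. Hardened replacement for the goods_attr
// lookup in get_cart_goods(): the cart row's goods_attr is treated as untrusted,
// because it was written by the client-controlled wholesale -> order -> cart flow
// and the addslashes() applied on the way in does not survive the MySQL round trip.

/**
 * Reduce a stored goods_attr string such as "3,7,12" to positive integer ids.
 * Every piece that is not a whole number is dropped, so a tampered value can
 * never contribute anything but digits to the SQL built from it.
 */
function sanitize_goods_attr_ids($goods_attr)
{
    $ids = array();
    foreach (explode(',', (string) $goods_attr) as $piece)
    {
        $piece = trim($piece);
        if (preg_match('/^[1-9][0-9]*$/', $piece))
        {
            $ids[] = (int) $piece;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Build the attribute lookup with an integer-only IN (...) list instead of
 * handing the raw column to db_create_in(). Returns null when nothing valid
 * is left to look up, so the caller can skip the query entirely.
 */
function build_goods_attr_sql($table_name, $goods_attr)
{
    $ids = sanitize_goods_attr_ids($goods_attr);
    if (empty($ids))
    {
        return null;
    }
    return 'SELECT attr_value FROM ' . $table_name
         . ' WHERE goods_attr_id IN (' . implode(',', $ids) . ')';
}

// How get_cart_goods() would use it (same table name as the original lookup):
//   $sql = build_goods_attr_sql($GLOBALS['ecs']->table('goods_attr'), $row['goods_attr']);
//   $attr_list = ($sql === null) ? array() : $GLOBALS['db']->getCol($sql);

// Constructed sample values (not from the page): a normal list, a tampered one, pure junk.
echo build_goods_attr_sql('ecs_goods_attr', '3,7,12'), "\n";
echo build_goods_attr_sql('ecs_goods_attr', "3, 7x, ') junk, 3"), "\n";
var_dump(build_goods_attr_sql('ecs_goods_attr', 'abc'));
```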