易想团购(easethink) v1.4 /ajax.php check_field 参数 SQL注入漏洞

2014-01-02T00:00:00
ID SSV:62560
Type seebug
Reporter Root
Modified 2014-01-02T00:00:00

Description

漏洞相关文件

1. /ajax.php

``` if($_REQUEST['act']=='count_buy_total') { require_once APP_ROOT_PATH."system/libs/cart.php"; $region_id = intval($_REQUEST['region_id']); //配送地区 $delivery_id = intval($_REQUEST['delivery_id']); //配送方式 $account_money = floatval($_REQUEST['account_money']); //余额 $ecvsn = $_REQUEST['ecvsn']?$_REQUEST['ecvsn']:''; $ecvpassword = $_REQUEST['ecvpassword']?$_REQUEST['ecvpassword']:''; $payment = intval($_REQUEST['payment']); $all_account_money = intval($_REQUEST['all_account_money']);

$user_id = intval($GLOBALS['user_info']['id']);
$session_id = session_id();
$goods_list = $GLOBALS['db']->getAll("select * from ".DB_PREFIX."deal_cart where session_id='".$session_id."' and user_id=".$user_id);

$result = count_buy_total($region_id,$delivery_id,$payment,$account_money,$all_account_money,$ecvsn,$ecvpassword,$goods_list);


$GLOBALS['tmpl']->assign("result",$result);
$html = $GLOBALS['tmpl']->fetch("inc/cart/cart_total.html");
$data = $result;
$data['html'] = $html;

ajax_return($data);

} ```

文件中红色处看到ecvsn变量和 ecvpassword 变量均是外部获取的,表示可控。而后带入了count_buy_total 函数中,count_buy_total函数的定义在:

2. \system\libs\cart.php

``` function count_buy_total($region_id,$delivery_id,$payment,$account_money,$all_account_money,$ecvsn,$ecvpassword,$goods_list,$paid_account_money = 0,$paid_ecv_money = 0) { //获取商品总价 //计算运费 $pay_price = 0; //支付总价 $total_price = 0; $total_weight = 0; $return_total_score = 0; $return_total_money = 0; $is_delivery = 0; foreach($goods_list as $k=>$v) { $total_price += $v['total_price'];

    $deal_info = $GLOBALS['db']->getRow("select * from ".DB_PREFIX."deal where id = ".$v['deal_id']);

    if($deal_info['is_delivery'] == 1) //需要配送叠加重量
    {
        $deal_weight = floatval($deal_info['weight']); //团购商品的单位重量

        $deal_weight_unit = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."weight_unit where id = ".$deal_info['weight_id']);  //团购的重单单价

        $deal_weight = $deal_weight * $deal_weight_unit['rate'];  //转换为为1的重量

        $total_weight += ($deal_weight*$v['number']);

        $is_delivery = 1;
    }

    $return_total_money = $return_total_money + $deal_info['return_money'] * $v['number'];
    $return_total_score = $return_total_score + $deal_info['return_score'] * $v['number'];
}

$region_info = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."delivery_region where id = ".intval($region_id));
$delivery_info = $GLOBALS['db']->getRowCached("select * from ".DB_PREFIX."delivery where id = ".intval($delivery_id));
$delivery_fee = count_delivery_fee($total_weight,$region_id, intval($delivery_info['id']));
$pay_price = $total_price + $delivery_fee; //加上运费

$pay_price = $pay_price - $paid_account_money - $paid_ecv_money;

//先计算用户等级折扣
$user_id = intval($GLOBALS['user_info']['id']);
$group_info = $GLOBALS['db']->getRow("select g.* from ".DB_PREFIX."user as u left join ".DB_PREFIX."user_group as g on u.group_id = g.id where u.id = ".$user_id);
if($group_info&&$total_price>0)
$user_discount = $total_price * (1-floatval($group_info['discount']));  
else
$user_discount = 0;
$pay_price = $pay_price - $user_discount; //扣除用户折扣

//余额支付
$user_money = $GLOBALS['db']->getOne("select money from ".DB_PREFIX."user where id = ".$user_id);
if($all_account_money == 1)
{
    $account_money = $user_money;
}

if($account_money>$user_money)
$account_money = $user_money;  //余额支付量不能超过帐户余额

//开始计算代金券
$now = get_gmtime();
$ecv_sql = "select e.* from ".DB_PREFIX."ecv as e left join ".
            DB_PREFIX."ecv_type as et on e.ecv_type_id = et.id where e.sn = '".
            $ecvsn."' and e.password = '".
            $ecvpassword."' and ((e.begin_time <> 0 and e.begin_time < ".$now.") or e.begin_time = 0) and ".
            "((e.end_time <> 0 and e.end_time > ".$now.") or e.end_time = 0) and ((e.use_limit <> 0 and e.use_limit > e.use_count) or (e.use_limit = 0)) ".
            "and (e.user_id = ".$user_id." or e.user_id = 0)";
$ecv_data = $GLOBALS['db']->getRow($ecv_sql);
$ecv_money = $ecv_data['money'];

```

在最后处看到ecv_sql的语句包含了之前的ecvsn变量,且没有经过任何过滤,之后就带入了数据库进行取值,直接导致了SQL注入漏洞。