ecshop include_libcommon.php SQL注射漏洞

发表于 2010年09月03日
Vulndb

发布时间：2010-08-21
影响版本：ECSHOP All Version
漏洞描述：在Ecshop中缺乏对参数的有效过滤，导致一个SQL注射漏洞，成功利用该漏洞的攻击者可以获得数据库及站点的完全权限

在include_libcommon.php中存在如下函数

function get_package_info($id)

{

global $ecs, $db,$_CFG;

$now = gmtime();

$sql = "SELECT act_id AS id,  act_name AS package_name, goods_id ,
goods_name, start_time, end_time, act_desc, ext_info".

" FROM " . $GLOBALS['ecs']->table('goods_activity') .

" WHERE act_id='$id' AND act_type = " . GAT_PACKAGE;

$package = $db->GetRow($sql);

/* 将时间转成可阅读格式 */

if ($package['start_time'] <= $now && $package['end_time'] >= $now)

{

$package['is_on_sale'] = "1";

}

else

{

$package['is_on_sale'] = "0";

}

$package['start_time'] = local_date('Y-m-d H:i',
$package['start_time']);

$package['end_time']   = local_date('Y-m-d H:i',
$package['end_time']);

$row = unserialize($package['ext_info']);

unset($package['ext_info']);

if ($row)

{

foreach ($row as $key=>$val)

{

$package[$key] = $val;

}

}

$sql = "SELECT pg.package_id, pg.goods_id, pg.goods_number,
pg.admin_id, ".

" g.goods_sn, g.goods_name, g.market_price,
g.goods_thumb, g.is_real, ".

" IFNULL(mp.user_price, g.shop_price *
'$_SESSION[discount]') AS rank_price " .

" FROM " . $GLOBALS['ecs']->table('package_goods') .
" AS pg ".

"   LEFT JOIN ". $GLOBALS['ecs']->table('goods') .
" AS g ".

"   ON g.goods_id = pg.goods_id ".

" LEFT JOIN " . $GLOBALS['ecs']->table('member_price') .
" AS mp ".

"ON mp.goods_id = g.goods_id AND mp.user_rank =
'$_SESSION[user_rank]' ".

" WHERE pg.package_id = " . $id. " ".

" ORDER BY pg.package_id, pg.goods_id";

$goods_res = $GLOBALS['db']->getAll($sql);

$market_price        = 0;

function get_package_info($id)

{

global $ecs, $db,$_CFG;

$now = gmtime();

$sql = "SELECT act_id AS id, act_name AS package_name, goods_id ,

goods_name, start_time, end_time, act_desc, ext_info".

" FROM " . $GLOBALS['ecs']->table('goods_activity') .

" WHERE act_id='$id' AND act_type = " . GAT_PACKAGE;

$package = $db->GetRow($sql);

/* 将时间转成可阅读格式 */

if ($package['start_time'] <= $now && $package['end_time'] >= $now)

{

$package['is_on_sale'] = "1";

}

else

{

$package['is_on_sale'] = "0";

}

$package['start_time'] = local_date('Y-m-d H:i',

$package['start_time']);

$package['end_time'] = local_date('Y-m-d H:i',

$package['end_time']);

$row = unserialize($package['ext_info']);

unset($package['ext_info']);

if ($row)

{

foreach ($row as $key=>$val)

{

$package[$key] = $val;

}

$sql = "SELECT pg.package_id, pg.goods_id, pg.goods_number,

pg.admin_id, ".

" g.goods_sn, g.goods_name, g.market_price,

g.goods_thumb, g.is_real, ".

" IFNULL(mp.user_price, g.shop_price *

'$_SESSION[discount]') AS rank_price " .

" FROM " . $GLOBALS['ecs']->table('package_goods') .

" AS pg ".

" LEFT JOIN ". $GLOBALS['ecs']->table('goods') .

" AS g ".

" ON g.goods_id = pg.goods_id ".

" LEFT JOIN " . $GLOBALS['ecs']->table('member_price') .

" AS mp ".

"ON mp.goods_id = g.goods_id AND mp.user_rank =

'$_SESSION[user_rank]' ".

" WHERE pg.package_id = " . $id. " ".

" ORDER BY pg.package_id, pg.goods_id";

$goods_res = $GLOBALS['db']->getAll($sql);

$market_price = 0;

其中$id没有经过严格过滤就直接进入了SQL查询，导致一个SQL注射漏洞。

测试方法：

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

在系统的lib_order.php中存在一个该函数的调用

function add_package_to_cart($package_id, $num = 1)

{

$GLOBALS['err']->clean();

/* 取得礼包信息 */

$package = get_package_info($package_id);

if (empty($package))

{

$GLOBALS['err']->add($GLOBALS['_LANG']['goods_not_exists'],
ERR_NOT_EXISTS);

return false;

}

在flow.php中存在可控的输入源

$package = $json->decode($_POST['package_info']);

/* 如果是一步购物，先清空购物车 */

if ($_CFG['one_step_buy'] == '1')

{

clear_cart();

}

/* 商品数量是否合法 */

if (!is_numeric($package->number) || intval($package->number) <= 0)

{

$result['error']   = 1;

$result['message'] = $_LANG['invalid_number'];

}

else

{

/* 添加到购物车 */

if (add_package_to_cart($package->package_id, $package->number))

{

if ($_CFG['cart_confirm'] > 2)

$package->package_id来源于输入