乌云(WooYun.org)历史漏洞查询---http://wy.zone.ci/
乌云 Drops 文章在线浏览--------http://drop.zone.ci/
2013-12-19: 细节已通知厂商并且等待厂商处理中 2013-12-19: 厂商已经确认,细节仅向厂商公开 2013-12-22: 细节向第三方安全合作伙伴开放 2014-02-12: 细节向核心白帽子及相关领域专家公开 2014-02-22: 细节向普通白帽子公开 2014-03-04: 细节向实习白帽子公开 2014-03-19: 细节向公众公开
ECSHOP 后台注入漏洞
admin/affiliate_ck.phpif ($_REQUEST['act'] == 'list'){ $logdb = get_affiliate_ck(); $smarty->assign('full_page', 1); $smarty->assign('ur_here', $_LANG['affiliate_ck']); $smarty->assign('on', $separate_on);function get_affiliate_ck(){ $affiliate = unserialize($GLOBALS['_CFG']['affiliate']); empty($affiliate) && $affiliate = array(); $separate_by = $affiliate['config']['separate_by']; $sqladd = ''; if (isset($_REQUEST['status'])) { $sqladd = ' AND o.is_separate = ' . (int)$_REQUEST['status']; $filter['status'] = (int)$_REQUEST['status']; } if (isset($_REQUEST['order_sn'])) { $sqladd = ' AND o.order_sn LIKE \'%' . trim($_REQUEST['order_sn']) . '%\''; $filter['order_sn'] = $_REQUEST['order_sn']; } if (isset($_GET['auid'])) {
漏洞2:
admin/agency.phpif ($_REQUEST['act'] == 'list'){ $smarty->assign('ur_here', $_LANG['agency_list']); $smarty->assign('action_link', array('text' => $_LANG['add_agency'], 'href' => 'agency.php?act=add')); $smarty->assign('full_page', 1); $agency_list = get_agencylist(); $smarty->assign('agency_list', $agency_list['agency']); $smarty->assign('filter', $agency_list['filter']); $smarty->assign('record_count', $agency_list['record_count']); $smarty->assign('page_count', $agency_list['page_count']);function get_agencylist(){ $result = get_filter(); if ($result === false) { /* 初始化分页参数 */ $filter = array(); $filter['sort_by'] = empty($_REQUEST['sort_by']) ? 'agency_id' : trim($_REQUEST['sort_by']);//这俩个参数都可以注入 $filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']); /* 查询记录总数,计算分页数 */ $sql = "SELECT COUNT(*) FROM " . $GLOBALS['ecs']->table('agency'); $filter['record_count'] = $GLOBALS['db']->getOne($sql); $filter = page_and_size($filter); /* 查询记录 */ $sql = "SELECT * FROM " . $GLOBALS['ecs']->table('agency') . " ORDER BY $filter[sort_by] $filter[sort_order]"; set_filter($filter, $sql); } else { $sql = $result
测试方法127.0.0.1/ec/admin/affiliate_ck.php?act=list&auid=1'
测试方法 127.0.0.1/ec/admin/agency.php?act=listPOST 提交sort_by=111111'
你猜
危害等级:低
漏洞Rank:3
确认时间:2013-12-19 17:44
非常感谢您为shopex信息安全做的贡献我们将尽快修复非常感谢
暂无