当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-046480

漏洞标题:ECSHOP 后台sql注入漏洞2枚(鸡肋)

相关厂商:ShopEx

漏洞作者: Matt

提交时间:2013-12-19 17:25

修复时间:2014-03-19 17:26

公开时间:2014-03-19 17:26

漏洞类型:SQL注射漏洞

危害等级:低

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2013-12-19: 细节已通知厂商并且等待厂商处理中
2013-12-19: 厂商已经确认,细节仅向厂商公开
2013-12-22: 细节向第三方安全合作伙伴开放
2014-02-12: 细节向核心白帽子及相关领域专家公开
2014-02-22: 细节向普通白帽子公开
2014-03-04: 细节向实习白帽子公开
2014-03-19: 细节向公众公开

简要描述:

ECSHOP 后台注入漏洞

详细说明:

admin/affiliate_ck.php
if ($_REQUEST['act'] == 'list')
{
$logdb = get_affiliate_ck();
$smarty->assign('full_page', 1);
$smarty->assign('ur_here', $_LANG['affiliate_ck']);
$smarty->assign('on', $separate_on);
function get_affiliate_ck()
{
$affiliate = unserialize($GLOBALS['_CFG']['affiliate']);
empty($affiliate) && $affiliate = array();
$separate_by = $affiliate['config']['separate_by'];
$sqladd = '';
if (isset($_REQUEST['status']))
{
$sqladd = ' AND o.is_separate = ' . (int)$_REQUEST['status'];
$filter['status'] = (int)$_REQUEST['status'];
}
if (isset($_REQUEST['order_sn']))
{
$sqladd = ' AND o.order_sn LIKE \'%' . trim($_REQUEST['order_sn']) . '%\'';
$filter['order_sn'] = $_REQUEST['order_sn'];
}
if (isset($_GET['auid']))
{


漏洞2:

admin/agency.php
if ($_REQUEST['act'] == 'list')
{
$smarty->assign('ur_here', $_LANG['agency_list']);
$smarty->assign('action_link', array('text' => $_LANG['add_agency'], 'href' => 'agency.php?act=add'));
$smarty->assign('full_page', 1);
$agency_list = get_agencylist();
$smarty->assign('agency_list', $agency_list['agency']);
$smarty->assign('filter', $agency_list['filter']);
$smarty->assign('record_count', $agency_list['record_count']);
$smarty->assign('page_count', $agency_list['page_count']);
function get_agencylist()
{
$result = get_filter();
if ($result === false)
{
/* 初始化分页参数 */
$filter = array();
$filter['sort_by'] = empty($_REQUEST['sort_by']) ? 'agency_id' : trim($_REQUEST['sort_by']);//这俩个参数都可以注入
$filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);
/* 查询记录总数,计算分页数 */
$sql = "SELECT COUNT(*) FROM " . $GLOBALS['ecs']->table('agency');
$filter['record_count'] = $GLOBALS['db']->getOne($sql);
$filter = page_and_size($filter);
/* 查询记录 */
$sql = "SELECT * FROM " . $GLOBALS['ecs']->table('agency') . " ORDER BY $filter[sort_by] $filter[sort_order]";
set_filter($filter, $sql);
}
else
{
$sql = $result

漏洞证明:

测试方法
127.0.0.1/ec/admin/affiliate_ck.php?act=list&auid=1'

_20131219171825.jpg


测试方法
127.0.0.1/ec/admin/agency.php?act=list
POST 提交sort_by=111111'

_20131219172736.jpg

修复方案:

你猜

版权声明:转载请注明来源 Matt@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:3

确认时间:2013-12-19 17:44

厂商回复:

非常感谢您为shopex信息安全做的贡献
我们将尽快修复
非常感谢

最新状态:

暂无