ECSHOP商城系统过滤不严导致SQL注入漏洞

2016-07-07 15:22 来源:www.chinab4c.com 作者:ecshop专家

添加时间:
2010-10-01

影响版本:
ECSHOP 2.7.2 Release 0604

程序介绍: ECSHOP是一款开源免费的网上商店系统。由专业的开发团队升级维护,为您提供及时高效的技术支持,您还可以根据自己的商务特征对ECSHOP进行定制,增加自己商城的特色功能。

漏洞分析:
在include_libcommon.php中存在如下函数



  3. function get_package_info($id)

  5. {

  7. global $ecs, $db,$_CFG;



  11. $now = gmtime();



  15. $sql = "SELECT act_id AS id,act_name AS package_name, goods_id , goods_name, start_time, end_time, act_desc, ext_info".

  17. " FROM " . $GLOBALS['ecs']->table('goods_activity') .

  19. " WHERE act_id='$id' AND act_type = " . GAT_PACKAGE;



  23. $package = $db->GetRow($sql);



  27. /* 将时间转成可阅读格式 */

  29. if ($package['start_time'] <= $now && $package['end_time'] >= $now)

  31. {

  33. $package['is_on_sale'] = "1";

  35. }

  37. else

  39. {

  41. $package['is_on_sale'] = "0";

  43. }

  45. $package['start_time'] = local_date('Y-m-d H:i', $package['start_time']);

  47. $package['end_time']= local_date('Y-m-d H:i', $package['end_time']);

  49. $row = unserialize($package['ext_info']);

  51. unset($package['ext_info']);

  53. if ($row)

  55. {

  57. foreach ($row as $key=>$val)

  59. {

  61. $package[$key] = $val;

  63. }

  65. }



  69. $sql = "SELECT pg.package_id, pg.goods_id, pg.goods_number, pg.admin_id, ".

  71. " g.goods_sn, g.goods_name, g.market_price, g.goods_thumb, g.is_real, ".

  73. " IFNULL(mp.user_price, g.shop_price * '$_SESSION[discount]') AS rank_price " .

  75. " FROM " . $GLOBALS['ecs']->table('package_goods') . " AS pg ".

  77. "LEFT JOIN ". $GLOBALS['ecs']->table('goods') . " AS g ".

  79. "ON g.goods_id = pg.goods_id ".

  81. " LEFT JOIN " . $GLOBALS['ecs']->table('member_price') . " AS mp ".

  83. "ON mp.goods_id = g.goods_id AND mp.user_rank = '$_SESSION[user_rank]' ".

  85. " WHERE pg.package_id = " . $id. " ".

  87. " ORDER BY pg.package_id, pg.goods_id";



  91. $goods_res = $GLOBALS['db']->getAll($sql);



  95. $market_price= 0;
复制代码


其中$id没有经过严格过滤就直接进入了SQL查询,导致一个SQL注射漏洞。
在系统的lib_order.php中存在一个该函数的调用
  1. function add_package_to_cart($package_id, $num = 1)

  3. {

  5. $GLOBALS['err']->clean();



  9. /* 取得礼包信息 */

  11. $package = get_package_info($package_id);



  15. if (emptyempty($package))

  17. {

  19. $GLOBALS['err']->add($GLOBALS['_LANG']['goods_not_exists'], ERR_NOT_EXISTS);



  23. return false;

  25. }
复制代码


在flow.php中存在可控的输入源
  1. $package = $json->decode($_POST['package_info']);



  5. /* 如果是一步购物,先清空购物车 */

  7. if ($_CFG['one_step_buy'] == '1')

  9. {

  11. clear_cart();

  13. }



  17. /* 商品数量是否合法 */

  19. if (!is_numeric($package->number) || intval($package->number) <= 0)

  21. {

  23. $result['error'] = 1;

  25. $result['message'] = $_LANG['invalid_number'];

  27. }

  29. else

  31. {

  33. /* 添加到购物车 */

  35. if (add_package_to_cart($package->package_id, $package->number))

  37. {

  39. if ($_CFG['cart_confirm'] > 2)
复制代码


$package->package_id来源于输入

解决方案:
厂商补丁
ECSHOP
----------
目前厂商还没有提供补丁或者升级程序

回答:
关注一下。

收藏一下啊

安全问题很重要