ECSHOP shop system: lax input filtering leads to SQL injection vulnerability

2016-07-07 15:22  Source: www.chinab4c.com  Author: ECSHOP expert

Added:
2010-10-01

Affected version:
ECSHOP 2.7.2 Release 0604

Program description: ECSHOP is a free, open-source online shop system. It is maintained and upgraded by a professional development team that provides timely technical support, and you can customise ECSHOP to suit your own business and add features specific to your shop.

Vulnerability analysis:
includes/lib_common.php contains the following function (the excerpt stops at $market_price, as in the original):

function get_package_info($id)
{
    global $ecs, $db, $_CFG;

    $now = gmtime();

    // $id is interpolated inside single quotes here; it is neither escaped nor cast.
    $sql = "SELECT act_id AS id, act_name AS package_name, goods_id, goods_name, start_time, end_time, act_desc, ext_info" .
           " FROM " . $GLOBALS['ecs']->table('goods_activity') .
           " WHERE act_id='$id' AND act_type = " . GAT_PACKAGE;

    $package = $db->GetRow($sql);

    /* Convert the times to a readable format */
    if ($package['start_time'] <= $now && $package['end_time'] >= $now)
    {
        $package['is_on_sale'] = "1";
    }
    else
    {
        $package['is_on_sale'] = "0";
    }
    $package['start_time'] = local_date('Y-m-d H:i', $package['start_time']);
    $package['end_time']   = local_date('Y-m-d H:i', $package['end_time']);
    $row = unserialize($package['ext_info']);
    unset($package['ext_info']);
    if ($row)
    {
        foreach ($row as $key => $val)
        {
            $package[$key] = $val;
        }
    }

    // $id is concatenated bare into the WHERE clause: no quotes, no cast.
    // This is the injection point.
    $sql = "SELECT pg.package_id, pg.goods_id, pg.goods_number, pg.admin_id, " .
           " g.goods_sn, g.goods_name, g.market_price, g.goods_thumb, g.is_real, " .
           " IFNULL(mp.user_price, g.shop_price * '$_SESSION[discount]') AS rank_price " .
           " FROM " . $GLOBALS['ecs']->table('package_goods') . " AS pg " .
           "LEFT JOIN " . $GLOBALS['ecs']->table('goods') . " AS g " .
           "ON g.goods_id = pg.goods_id " .
           " LEFT JOIN " . $GLOBALS['ecs']->table('member_price') . " AS mp " .
           "ON mp.goods_id = g.goods_id AND mp.user_rank = '$_SESSION[user_rank]' " .
           " WHERE pg.package_id = " . $id . " " .
           " ORDER BY pg.package_id, pg.goods_id";

    $goods_res = $GLOBALS['db']->getAll($sql);

    $market_price = 0;
    // ... (remainder of the function omitted in the original)


$id reaches both statements without any validation or type cast. In the first it is placed inside single quotes, so it is at least confined to a string literal; in the second (WHERE pg.package_id = " . $id) it is concatenated bare, so quote escaping is irrelevant and any value that works in a numeric context (no quote character needed) rewrites the WHERE clause. This is an SQL injection vulnerability.
includes/lib_order.php calls this function as follows:

function add_package_to_cart($package_id, $num = 1)
{
    $GLOBALS['err']->clean();

    /* Fetch the package information */
    $package = get_package_info($package_id);   // $package_id is passed through unchanged

    if (empty($package))
    {
        $GLOBALS['err']->add($GLOBALS['_LANG']['goods_not_exists'], ERR_NOT_EXISTS);

        return false;
    }
    // ... (remainder of the function omitted in the original)


flow.php provides the attacker-controlled input:
$package = $json->decode($_POST['package_info']);   // JSON supplied by the client

/* For one-step shopping, empty the cart first */
if ($_CFG['one_step_buy'] == '1')
{
    clear_cart();
}

/* Is the goods quantity valid? */
// Only "number" is checked; "package_id" is never validated.
if (!is_numeric($package->number) || intval($package->number) <= 0)
{
    $result['error']   = 1;
    $result['message'] = $_LANG['invalid_number'];
}
else
{
    /* Add to the cart */
    if (add_package_to_cart($package->package_id, $package->number))
    {
        if ($_CFG['cart_confirm'] > 2)
        // ... (remainder omitted in the original)


$package->package_id therefore comes straight from the JSON-decoded $_POST['package_info']. The only check performed is is_numeric() on the number field; package_id is handed to add_package_to_cart(), from there to get_package_info(), and from there into the query text, with nothing in between that would reject a non-integer value. The full chain is: $_POST['package_info'] -> $json->decode() -> $package->package_id -> add_package_to_cart() -> get_package_info() -> SQL.

Solution:
Vendor patch
ECSHOP
----------
The vendor has not yet released a patch or an upgrade.
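The PHP script below is an added example written for this page; it is not code from ECSHOP or from the advisory's author. It ties the three fragments together without touching a database: it decodes a constructed package_info body of the shape flow.php accepts, builds the two statements the way get_package_info() does, shows that escaping quotes (all addslashes() ever does) leaves the bare numeric-context payload intact for the second statement, and gives a hardened builder that casts the id to an integer and rejects anything that does not survive the cast. Until a vendor patch is available, that integer cast at the top of get_package_info() is the editor's suggested interim fix, not the vendor's. Assumptions for the stand-alone script: the table prefix "ecs_", the stand-in table() helper in place of $GLOBALS['ecs']->table(), GAT_PACKAGE = 2, PHP's json_decode() in place of ECSHOP's $json->decode(), and the constructed payload value.

```php
<?php
// Added example, not ECSHOP's own code. No database is involved; the script
// only prints the SQL text that get_package_info() would hand to the driver.
// Assumed for this stand-alone script: table prefix "ecs_", GAT_PACKAGE = 2,
// a stand-in table() helper, and json_decode() in place of $json->decode().

const GAT_PACKAGE = 2;   // assumed value; ECSHOP defines its own

function table($name)
{
    return '`ecs_' . $name . '`';   // stand-in for $GLOBALS['ecs']->table()
}

// Builds the two statements exactly as get_package_info() interpolates $id:
// quoted in the first, bare in the second.
function build_queries_vulnerable($id)
{
    $q1 = "SELECT act_id AS id, act_name AS package_name, goods_id"
        . " FROM " . table('goods_activity')
        . " WHERE act_id='$id' AND act_type = " . GAT_PACKAGE;
    $q2 = "SELECT pg.package_id, pg.goods_id, pg.goods_number"
        . " FROM " . table('package_goods') . " AS pg"
        . " WHERE pg.package_id = " . $id
        . " ORDER BY pg.package_id, pg.goods_id";
    return array($q1, $q2);
}

// Hardened form: a package id is a positive integer, so reject any value that
// does not survive an integer cast unchanged, then interpolate the integer.
function build_queries_hardened($id)
{
    if (!is_scalar($id) || (string)(int)$id !== (string)$id || (int)$id <= 0) {
        return null;   // caller reports goods_not_exists, as add_package_to_cart() does
    }
    $id = (int)$id;
    $q1 = "SELECT act_id AS id, act_name AS package_name, goods_id"
        . " FROM " . table('goods_activity')
        . " WHERE act_id=" . $id . " AND act_type = " . GAT_PACKAGE;
    $q2 = "SELECT pg.package_id, pg.goods_id, pg.goods_number"
        . " FROM " . table('package_goods') . " AS pg"
        . " WHERE pg.package_id = " . $id
        . " ORDER BY pg.package_id, pg.goods_id";
    return array($q1, $q2);
}

// Constructed request body in the shape flow.php decodes from
// $_POST['package_info']. Only "number" is checked with is_numeric();
// "package_id" is passed through untouched.
$package_info = '{"package_id":"1 OR 1=1","number":1}';
$package      = json_decode($package_info);

if (!is_numeric($package->number) || intval($package->number) <= 0) {
    exit("invalid number\n");
}

// The payload needs no quote character, so quote escaping leaves it unchanged.
$escaped = addslashes($package->package_id);
echo "package_id after addslashes(): $escaped\n\n";

list($q1, $q2) = build_queries_vulnerable($escaped);
echo "Vulnerable, quoted context (payload stays inside the string literal):\n  $q1\n";
echo "Vulnerable, bare context (WHERE clause now matches every row):\n  $q2\n\n";

$hardened = build_queries_hardened($escaped);
echo "Hardened builder on the payload: " . ($hardened === null ? "rejected\n" : "accepted\n");
list($h1, $h2) = build_queries_hardened(1);
echo "Hardened builder with id 1:\n  $h1\n  $h2\n";
```

Run it with `php` from the command line. The first statement is printed with the payload still inside the quoted literal, while the second is printed as `... WHERE pg.package_id = 1 OR 1=1 ORDER BY ...`, which is the clause the bare concatenation produces; the hardened builder returns null for the payload and a clean statement for the integer 1.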

Replies:
Following.

Bookmarking this.

Security issues matter.