这个补丁 出来了么。 我的 天儿 进
2016-07-07 15:02 来源:www.chinab4c.com 作者:ecshop专家
漏洞概要缺陷编号: ~~~~~~~~~ 漏洞标题: ecshop SQL注射漏洞 相关厂商: ecshop 漏洞作者: xsser 提交时间: 2010-08-21 公开时间: 2010-08-21 漏洞类型: SQL注射 危害等级: 高 漏洞状态: 未联系到厂商或者厂商积极忽略 漏洞来源: ~~~~~~~~~~~ -------------------------------------------------------------------------------- 漏洞详情简要描述:在Ecshop中缺乏对参数的有效过滤,导致一个SQL注射漏洞,成功利用该漏洞的攻击者可以获得数据库及站点的完全权限。 详细说明:在include_libcommon.php中存在如下函数 function get_package_info($id) { global $ecs, $db,$_CFG; $now = gmtime(); $sql = "SELECT act_id AS id,act_name AS package_name, goods_id , goods_name, start_time, end_time, act_desc, ext_info". " FROM " . $GLOBALS['ecs']->table('goods_activity') . " WHERE act_id='$id' AND act_type = " . GAT_PACKAGE; $package = $db->GetRow($sql); /* 将时间转成可阅读格式 */ if ($package['start_time'] <= $now && $package['end_time'] >= $now) { $package['is_on_sale'] = "1"; } else { $package['is_on_sale'] = "0"; } $package['start_time'] = local_date('Y-m-d H:i', $package['start_time']); $package['end_time']= local_date('Y-m-d H:i', $package['end_time']); $row = unserialize($package['ext_info']); unset($package['ext_info']); if ($row) { foreach ($row as $key=>$val) { $package[$key] = $val; } } $sql = "SELECT pg.package_id, pg.goods_id, pg.goods_number, pg.admin_id, ". " g.goods_sn, g.goods_name, g.market_price, g.goods_thumb, g.is_real, ". " IFNULL(mp.user_price, g.shop_price * '$_SESSION[discount]') AS rank_price " . " FROM " . $GLOBALS['ecs']->table('package_goods') . " AS pg ". "LEFT JOIN ". $GLOBALS['ecs']->table('goods') . " AS g ". "ON g.goods_id = pg.goods_id ". " LEFT JOIN " . $GLOBALS['ecs']->table('member_price') . " AS mp ". "ON mp.goods_id = g.goods_id AND mp.user_rank = '$_SESSION[user_rank]' ". " WHERE pg.package_id = " . $id. " ". " ORDER BY pg.package_id, pg.goods_id"; $goods_res = $GLOBALS['db']->getAll($sql); $market_price= 0; 其中$id没有经过严格过滤就直接进入了SQL查询,导致一个SQL注射漏洞。 漏洞证明:在系统的lib_order.php中存在一个该函数的调用 function add_package_to_cart($package_id, $num = 1) { $GLOBALS['err']->clean(); /* 取得礼包信息 */ $package = get_package_info($package_id); if (empty($package)) { $GLOBALS['err']->add($GLOBALS['_LANG']['goods_not_exists'], ERR_NOT_EXISTS); return false; } 在flow.php中存在可控的输入源 $package = $json->decode($_POST['package_info']); /* 如果是一步购物,先清空购物车 */ if ($_CFG['one_step_buy'] == '1') { clear_cart(); } /* 商品数量是否合法 */ if (!is_numeric($package->number) || intval($package->number) <= 0) { $result['error']= 1; $result['message'] = $_LANG['invalid_number']; } else { /* 添加到购物车 */ if (add_package_to_cart($package->package_id, $package->number)) { if ($_CFG['cart_confirm'] > 2) $package->package_id来源于输入 |
最近更新
常用插件
- ecshop分类批量扩展插件
ecshop分类批量扩展插件,这个插件是ecshop插件里面比较核心的插件。我们...
- ecshop2.7.1打印发货单插件
ecshop2.7.1打印发货单插件介绍:ecshop2.7.1和以前的ecshop版本不一样,ecs...
- ecshop二次商品订购人信息
ecshop二次商品订购人信息填写插件,有时候给朋友送花,或者是送礼品的...
- ecshop商品分类名称增加样
ecshop插件介绍:本插件可以方便在后台管理,为ecshop商品分类名称增加样...
- ecshop二次开发详细页面生
插件介绍: ECSHOP系统,在很多时候,很多商品没有人购买,不但购买的人...
ecshop热门问答
ecshop热门资料
ecshop批量处理
ecshop新闻中心
ecshop页面
ecshop弱智
ecshop网站帮助
ecshop给定
ecshop后台不能上传图片
ecshop时尚女装
ecshop高度
ecshopMvMl
B4C内容SEO
ecshopclause
ecshopOut
ecshop审核代理
ecshopmarquee
ecshop出色网购
ecmall邮件
ecshop评论功能
ecshop支付宝登录
ecshop机房
ecshoprank
ecshop1994
ecshop仿fab
ecshop橙色系列
ecshop我的朋友
ecshopsuccessful
ecshop打开
ecshop小小的
ecshop套用
ecshop贵宾