漏洞利用前提:magic_quotes_gpc = off
更多工具在: http://www.isafe.cc/
flow. php页面的goods_number变量没有过滤导致字符型型注入,本漏洞利用前提是magic_quotes_gpc=off,关键代码如下:
elseif ($_REQUEST['step'] == 'update_cart')
{
if (isset($_POST['goods_number']) && is_array($_POST['goods_number']))
{
flow_update_cart($_POST['goods_number']);
}
show_message($_LANG['update_cart_notice'], $_LANG['back_to_cart'], 'flow.php');
exit;
}
...................................
function flow_update_cart($arr)
{
/* 处理 */
foreach ($arr AS $key => $val)
{
$val = intval(make_semiangle($val));
if ($val <= 0)
{
continue;
}
//查询:
$sql = "SELECT `goods_id`, `goods_attr_id`, `product_id`, `extension_code` FROM" .$GLOBALS['ecs']->table('cart').
" WHERE rec_id='$key' AND session_id='" . SESS_ID . "'";
$goods = $GLOBALS['db']->getRow($sql);
很明显当"step=update_cart"时,goods_numberm没有过滤导致字符型注入漏洞,所以构造如下参数,即可获取管理员密码的哈希