关于这个漏洞是ECSHOP2.7.3版本修复了。ecshop最新版本3.0也会犯这种低级的错误。
elseif ($_REQUEST['step'] == 'repurchase') {
include_once('includes/cls_json.php');
$order_id = intval($_POST['order_id']);
$order_id = json_str_iconv($order_id);
$user_id = $_SESSION['user_id'];
$json = new JSON;
$order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
if (!$order) {
$result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
die($json->encode($result));
}
这里面的的参数并非是新版的$order_id = intval($_POST['order_id']); 最新正确漏洞过滤应该是这样 $order_id = strip_tags($_POST['order_id']);
继续查看json_str_iconv函数核实
function json_str_iconv($str)
{
if (EC_CHARSET != 'utf-8')
{
if (is_string($str))
{
return addslashes(stripslashes(ecs_iconv('utf-8', EC_CHARSET, $str)));
}
elseif (is_array($str))
{
foreach ($str as $key => $value)
{
$str[$key] = json_str_iconv($value);
}
return $str;
}
elseif (is_object($str))
{
foreach ($str as $key => $value)
{
$str->$key = json_str_iconv($value);
}
return $str;
}
else
{
return $str;
}
}
return $str;
}
这里显然也没做过滤,再看看上面的SQL语句,居然没有单引号包含,这样就能直接注射了