ecshop category.php?id=4,ecshop /category.php过滤不严导致SQL注入漏洞的修补方案

最新推荐文章于 2023-11-27 18:25:42 发布

greatwallisme

最新推荐文章于 2023-11-27 18:25:42 发布

阅读量308

点赞数

文章标签： ecshop category.php?id=4

1. 漏洞描述

ecshop分类category.php过滤不严导致SQL注入漏洞

2. 漏洞触发条件

http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=14%20or%201=2

3. 漏洞代码分析

/category.php..

$filter_attr_str = isset($_REQUEST['filter_attr']) ? trim($_REQUEST['filter_attr']) : '0';

//变量 $filter_attr_str 是以“.” 分开的数组

$filter_attr = empty($filter_attr_str) ? '' : explode('.', trim($filter_attr_str));

/* 扩展商品查询条件 */

if (!empty($filter_attr))

{

$ext_sql = "SELECT DISTINCT(b.goods_id) FROM " . $ecs->table('goods_attr') . " AS a, " . $ecs->table('goods_attr') . " AS b " . "WHERE ";

$ext_group_goods = array();

foreach ($filter_attr AS $k => $v)// 查出符合所有筛选属性条件的商品id */

{

if ($v != 0)

{

//$v 没有作任何处理就加入了SQL查询，造成SQL注入

$sql = $ext_sql . "b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k] ." AND a.goods_attr_id = " . $v;

4.防御方法

/category.php..

/*对用户输入的$_REQUEST['filter_attr']进行转义 */

$filter_attr_str = isset($_REQUEST['filter_attr']) ? htmlspecialchars(trim($_REQUEST['filter_attr'])) : '0';

/* */

$filter_attr_str = trim(urldecode($filter_attr_str));

/* 敏感关键字过滤 */

$filter_attr_str = preg_match('/^[\d\.]+$/',$filter_attr_str) ? $filter_attr_str : '';

/**/

$filter_attr = empty($filter_attr_str) ? '' : explode('.', $filter_attr_str);

foreach ($filter_attr AS $k => $v) // 查出符合所有筛选属性条件的商品id */

{

/* is_numeric($v) */

if (is_numeric($v) && $v !=0 )

{

另外，将未作过滤直接加入sql的$v做过滤//将未作过滤直接加入sql的$v做过滤

$sql = $ext_sql . "b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k] ." AND a.goods_attr_id = " . htmlspecialchars(trim($v));

补丁下载：

ecshop的category注入漏洞补丁

ecshop支付宝接口注入漏洞补丁

ecshop的lib_api注入漏洞补丁

ecshop的edit_languages代码注入漏洞补丁

greatwallisme

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
ecshop category.php?id=4,ecshop /category.php过滤不严导致SQL注入漏洞的修补方案

1. 漏洞描述ecshop分类category.php过滤不严导致SQL注入漏洞2. 漏洞触发条件http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min...
复制链接

扫一扫

ecshop category.php?id=4,ecshop /category.php过滤不严导致SQL注入漏洞的修补方案

“相关推荐”对你有帮助么？