1. 漏洞描述
ECShop存在一个盲注漏洞,问题存在于/api/client/api.php文件中,提交特制的恶意POST请求可进行SQL注入攻击,可获得敏感信息或操作数据库
2. 漏洞触发条件1. /api/client/api.php存在未过滤漏洞
2. 服务器magic_quote_gpc = off
//magic_quote_gpc特性已自 PHP 5.3.0 起废弃并将自 PHP 5.4.0 起移除,即默认情况下,magic_quote_gpc = Off
4. 漏洞代码分析
/api/client/api.php<?php
define('IN_ECS', true);
include_once './includes/init.php';
//分发处理POST数据
dispatch($_POST);
?>
/api/client/includes/lib_api.phpfunction dispatch($post)
{
// 分发器数组
$func_arr = array('GetDomain', 'UserLogin', 'AddCategory', 'AddBrand', 'AddGoods', 'GetCategory', 'GetBrand', 'GetGoods', 'DeleteBrand', 'DeleteCategory', 'DeleteGoods', 'EditBrand', 'EditCategory', 'EditGoods');
//当$_POST['Action'] == 'UserLogin'的时候调用API_UserLogin
if(in_array($post['Action'], $func_arr) && function_exists('API_'.$post['Action']))
{
return call_user_func('API_'.$post['Action'], $post);
}
else
{
API_Error();
}
}
/api/client/includes/lib_api.phpfunction API_UserLogin($post)
{
$post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
$post['password'] = isset($post['Password']) ? strtolower(trim($post['Password'])) : '';
/* 检查密码是否正确 */
//$post['username']未进行过滤,造成盲注漏洞,参数是直接从原始$_POST获取的,未进行任何预处理,不受内核过滤影响
$sql = "SELECT user_id, user_name, password, action_list, last_login".
" FROM " . $GLOBALS['ecs']->table('admin_user') .
" WHERE user_name = '" . $post['username']. "'";
$row = $GLOBALS['db']->getRow($sql);
..
5. 防御方法
/api/client/includes/lib_api.phpfunction API_UserLogin($post)
{
/* SQL注入过滤 */
if (get_magic_quotes_gpc())
{
$post['UserId'] = $post['UserId']
}
else
{
$post['UserId'] = addslashes($post['UserId']);
}
/* */
$post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
..
补丁下载:
ecshop的category注入漏洞补丁
ecshop支付宝接口注入漏洞补丁
ecshop的lib_api注入漏洞补丁
ecshop的edit_languages代码注入漏洞补丁