ecshop /goods.php SQL Injection Vul

catalogue

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

1. 漏洞描述
2. 漏洞触发条件

0x1: poc

http://localhost/ecshop2.7.3/goods.php?act=getGoodsInfo&id=2035

3. 漏洞影响范围
4. 漏洞代码分析

/goods.php

/* 修改 start by zhouH*/
if (!empty($_REQUEST['act']) && $_REQUEST['act'] == 'getGoodsInfo')
{
    include('includes/cls_json.php');

    $json   = new JSON;
    $res    = array('err_msg' => '', 'result' => '', 'goods_img' => '');

    //直接接收外部参数，未进行有效过滤
    $goods_id  = $_REQUEST['id'];
    
    if(!empty($goods_id))
    {
         /* 获得商品的信息 */
        //将外部参数带入SQL查询
            $goods = get_goods_info($goods_id);
        
        res['result'] = $goods;
        ..

$goods = get_goods_info($goods_id);

5. 防御方法

/goods.php

/* 修改 start by zhouH*/
if (!empty($_REQUEST['act']) && $_REQUEST['act'] == 'getGoodsInfo')
{
    include('includes/cls_json.php');

    $json   = new JSON;
    $res    = array('err_msg' => '', 'result' => '', 'goods_img' => '');

    /**/
    $goods_id  = intval($_REQUEST['id']);
    /**/
    
    if(!empty($goods_id))
    {

6. 攻防思考

Copyright (c) 2016 Little5ann All rights reserved