Braid Information Security Blog - Web Security | Code Audit | Secure Development | Java | php | python

[PHP Code Audit] Ecshop V3.0.0 flow.php SQL Injection Vulnerability

0x01 Background

Ecshop's flow.php has had injection vulnerabilities many times before; it is a pity to see the same problem show up again in version 3.0.0~

0x02 Vulnerability Analysis

The affected file is flow.php:

<?php
// flow.php (Ecshop 3.0.0), the "repurchase" step of the order flow
elseif ($_REQUEST['step'] == 'repurchase') {
    include_once('includes/cls_json.php');
    $order_id = strip_tags($_POST['order_id']);   // only removes HTML tags
    $order_id = json_str_iconv($order_id);        // charset conversion, see below
    $user_id  = $_SESSION['user_id'];
    $json     = new JSON;
    // $order_id is concatenated into the SQL without quotes
    $order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
    if (!$order) {
        $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        die($json->encode($result));
    }

    $db->query('DELETE FROM ' . $ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);
    // the same unquoted $order_id is used again here
    $order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);
    $result = array('error' => 0, 'message' => '');
    foreach ($order_goods as $goods) {
        $spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
        if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE)) {
            $result = false;   // immediately overwritten below (as in the original source)
            $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        }
    }
    die($json->encode($result));
}

The $order_id parameter is injectable. First, strip_tags() only removes HTML tags; next we follow json_str_iconv():

<?php
/**
 * Convert the character set of parameters passed via JSON
 *
 * @param string $str
 * @return string
 */
function json_str_iconv($str)
{
    // conversion (and the addslashes() call) only happens when the site charset is not utf-8
    if (EC_CHARSET != 'utf-8')
    {
        if (is_string($str))
        {
            return addslashes(stripslashes(ecs_iconv('utf-8', EC_CHARSET, $str)));
        }
        elseif (is_array($str))
        {
            foreach ($str as $key => $value)
            {
                $str[$key] = json_str_iconv($value);
            }
            return $str;
        }
        elseif (is_object($str))
        {
            foreach ($str as $key => $value)
            {
                $str->$key = json_str_iconv($value);
            }
            return $str;
        }
        else
        {
            return $str;
        }
    }
    // utf-8 sites: the value is returned unchanged
    return $str;
}

We can see that the line return addslashes(stripslashes(ecs_iconv('utf-8', EC_CHARSET, $str))) does apply addslashes() escaping to the incoming order_id, but in flow.php $order_id is concatenated into the database query without single-quote protection, so the escaping does not help and the parameter is injectable.

$order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id); // no single-quote protection
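To make the point concrete, here is an added example (my own code, not Ecshop's) that reproduces the sanitiser chain of flow.php next to the intval() fix and runs both through a small audit check. It assumes a utf-8 site, so ecs_iconv() is omitted and json_str_iconv() would return the value unchanged; the table name and the sample inputs are constructed for the demonstration.

```php
<?php
// Stand-in for the Ecshop chain: strip_tags() followed by addslashes(stripslashes()).
// Only quotes and backslashes are escaped; everything else passes through.
function sanitize_like_ecshop(string $value): string
{
    return addslashes(stripslashes(strip_tags($value)));
}

// The vulnerable pattern from flow.php: value concatenated into an unquoted numeric context.
function build_query_vulnerable(string $order_id): string
{
    return 'SELECT count(*) FROM ecs_order_info WHERE order_id = ' . sanitize_like_ecshop($order_id);
}

// The fix Ecshop shipped: cast to integer before concatenation.
function build_query_fixed(string $order_id): string
{
    return 'SELECT count(*) FROM ecs_order_info WHERE order_id = ' . intval($order_id);
}

// Audit check: in a numeric context, nothing but a signed integer literal may remain after "=".
function is_numeric_context_safe(string $sql): bool
{
    return (bool) preg_match('/WHERE order_id = -?\d+$/', $sql);
}

// Constructed sample inputs: a benign id, an id with trailing SQL and no quotes,
// and an id with quotes (which addslashes() escapes but does not neutralise here).
$inputs = [
    '12',
    '12 AND 1=1',
    "12' OR '1'='1",
];

foreach ($inputs as $in) {
    $vuln  = build_query_vulnerable($in);
    $fixed = build_query_fixed($in);
    printf("input: %s\n  vulnerable: %s  [%s]\n  fixed:      %s  [%s]\n",
        $in,
        $vuln,  is_numeric_context_safe($vuln)  ? 'safe' : 'UNSAFE',
        $fixed, is_numeric_context_safe($fixed) ? 'safe' : 'UNSAFE');
}
```

Only the first input passes the check on the vulnerable builder; the fixed builder reduces all three to order_id = 12, which is exactly why an integer cast is the right fix for an unquoted numeric parameter.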

0x03 Proof of Vulnerability

A PoC was constructed using an xpath injection statement to retrieve the current database user; the result is as follows:

0x04 Fix

Ecshop has since patched this injection. The fix casts $order_id to an integer, as follows:

$order_id = intval($_POST['order_id']);

This article was compiled by HackBraid. Original link: http://www.cnbraid.com/categories/WEB安全/ecshop3.html. Please contact the author before reposting.