当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-047944

漏洞标题:Ecmall某建站模板搜索框SQL注射

相关厂商:ShopEx

漏洞作者: HackBraid

提交时间:2014-01-05 16:35

修复时间:2014-04-05 16:36

公开时间:2014-04-05 16:36

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:12

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2014-01-05: 细节已通知厂商并且等待厂商处理中
2014-01-06: 厂商已经确认,细节仅向厂商公开
2014-01-09: 细节向第三方安全合作伙伴开放
2014-03-02: 细节向核心白帽子及相关领域专家公开
2014-03-12: 细节向普通白帽子公开
2014-03-22: 细节向实习白帽子公开
2014-04-05: 细节向公众公开

简要描述:

SQL注射

详细说明:

http://www.tuutao.com/index.php 土淘网
用的Ecmall的建站模板,用过这个模板的应该都通杀了吧

s1.jpg


存在搜索框注入,注入点为:
http://www.tuutao.com/index.php?app=store&act=search&id=45&keyword=aaa&min_price=100&max_price=10000
首先将获取get传来的参数,然后组合到一个sql查询语句condition中:
1.search.app.php中的这段代码就是构建查询min和max价格的sql代码,没有过滤:

/**
     * 取得查询条件语句
     *
     * @param   array   $param  查询参数(参加函数_get_query_param的返回值说明)
     * @return  string  where语句
     */
    function _get_goods_conditions($param)
    {
        /* 组成查询条件 */
        $conditions = " g.if_show = 1 AND g.closed = 0 AND s.state = 1"; // 上架且没有被禁售,店铺是开启状态,
        if (isset($param['keyword']))
        {
            $conditions .= $this->_get_conditions_by_keyword($param['keyword'], ENABLE_SEARCH_CACHE);
        }
        if (isset($param['cate_id']))
        {
            $conditions .= " AND g.cate_id_{$param['layer']} = '" . $param['cate_id'] . "'";
        }
        if (isset($param['brand']))
        {
            $conditions .= " AND g.brand = '" . $param['brand'] . "'";
        }
        if (isset($param['region_id']))
        {
            $conditions .= " AND s.region_id = '" . $param['region_id'] . "'";
        }
        if (isset($param['price']))
        {
            $min = $param['price']['min'];
            $max = $param['price']['max'];
            $min > 0 && $conditions .= " AND g.price >= '$min'";
            $max > 0 && $conditions .= " AND g.price <= '$max'";
        }
        return $conditions;
    }


2.下面这部分代码是query执行部分,直接将上面的参数带入查询了:

/* 按价格统计 */
                if ($total_count > NUM_PER_PAGE)
                {
                    $sql = "SELECT MIN(g.price) AS min, MAX(g.price) AS max FROM {$table} WHERE" . $conditions;
                    $row = $goods_mod->getRow($sql);
                    $min = $row['min'];
                    $max = min($row['max'], MAX_STAT_PRICE);
                    $step = max(ceil(($max - $min) / PRICE_INTERVAL_NUM), MIN_STAT_STEP);
                    $sql = "SELECT FLOOR((g.price - '$min') / '$step') AS i, count(*) AS count FROM {$table} WHERE " . $conditions . " GROUP BY i ORDER BY i";
                    $res = $goods_mod->db->query($sql);
                    while ($row = $goods_mod->db->fetchRow($res))
                    {
                        $data['by_price'][] = array(
                            'count' => $row['count'],
                            'min'   => $min + $row['i'] * $step,
                            'max'   => $min + ($row['i'] + 1) * $step,
                        );
                    }
                }
            }


3.这个页面上很多参数都没过滤,排查下吧

漏洞证明:

数据库:

available databases [2]:
[*] information_schema
[*] tuutao


账户:

current user:    'tuutao_u@localhost'


数据库tuutao包含的表:

Database: tuutao
[84 tables]
+------------------------+
| _ecm_third_login       |
| chat_customgroup       |
| chat_pals              |
| chat_session           |
| chat_transfer_fileinfo |
| chat_users             |
| ecm_acategory          |
| ecm_address            |
| ecm_ads_left           |
| ecm_article            |
| ecm_ative              |
| ecm_attribute          |
| ecm_brand              |
| ecm_cart               |
| ecm_category_goods     |
| ecm_category_store     |
| ecm_collect            |
| ecm_coupon             |
| ecm_coupon_sn          |
| ecm_friend             |
| ecm_function           |
| ecm_game               |
| ecm_gcategory          |
| ecm_get_prize          |
| ecm_goods              |
| ecm_goods_attr         |
| ecm_goods_image        |
| ecm_goods_integral     |
| ecm_goods_qa           |
| ecm_goods_spec         |
| ecm_goods_statistics   |
| ecm_goods_tpl          |
| ecm_goods_tuijian      |
| ecm_groupbuy           |
| ecm_groupbuy_log       |
| ecm_handsel            |
| ecm_hdlog              |
| ecm_integral           |
| ecm_logistics          |
| ecm_logistics_conf     |
| ecm_logsingle          |
| ecm_mail_queue         |
| ecm_member             |
| ecm_member_ofields     |
| ecm_message            |
| ecm_module             |
| ecm_money_logs         |
| ecm_navigation         |
| ecm_order              |
| ecm_order_extm         |
| ecm_order_goods        |
| ecm_order_integral     |
| ecm_order_log          |
| ecm_pageview           |
| ecm_partner            |
| ecm_payment            |
| ecm_privilege          |
| ecm_prize              |
| ecm_promotion          |
| ecm_promotion_local    |
| ecm_promotion_log      |
| ecm_recommend          |
| ecm_recommended_goods  |
| ecm_refer              |
| ecm_region             |
| ecm_scategory          |
| ecm_seckill            |
| ecm_seckill_subject    |
| ecm_sessions           |
| ecm_sessions_data      |
| ecm_sgrade             |
| ecm_ship               |
| ecm_shipping           |
| ecm_specialpage        |
| ecm_specialpage_goods  |
| ecm_specify            |
| ecm_store              |
| ecm_template           |
| ecm_third_login        |
| ecm_timedisc           |
| ecm_uploaded_file      |
| ecm_user_coupon        |
| ecm_user_priv          |
| ecm_user_prize         |
+------------------------+

修复方案:

各种过滤

版权声明:转载请注明来源 HackBraid@乌云

漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-01-06 15:22

厂商回复:

非常感谢您为shopex信息安全做的贡献
我们将尽快修复
非常感谢

最新状态:

暂无

漏洞评价:

评论

  1. 2014-01-05 16:37 | 剑无名 ( 普通白帽子 | Rank:146 漏洞数:32 | 此剑无名。)

    通用!

  2. 2014-01-05 16:38 | HackBraid 认证白帽子 ( 核心白帽子 | Rank:1545 漏洞数:260 | ...........................................)

    @剑无名 感谢

  3. 2014-01-05 16:50 | zcy ( 实习白帽子 | Rank:93 漏洞数:15 )

    为毛我的没通过

  4. 2014-01-06 14:44 | HackBraid 认证白帽子 ( 核心白帽子 | Rank:1545 漏洞数:260 | ...........................................)

    @ShopEx 忽略的节奏...语句的参数有几个是没过滤直接带入查询了,看了源码写的很清晰

  5. 2014-01-06 16:50 | pandas ( 普通白帽子 | Rank:585 漏洞数:58 | 国家一级保护动物)

    顶下

  6. 2014-06-23 10:38 | lucifer_0 ( 路人 | Rank:5 漏洞数:1 | lucifer_0)

    楼主一定是在逗我玩,index.php?app=store&act=search,不应该是在store.app.php中的search方法,怎么跑到search.app.php去了

  7. 2014-06-23 10:42 | HackBraid 认证白帽子 ( 核心白帽子 | Rank:1545 漏洞数:260 | ...........................................)

    @lucifer_0 亲,看后边的吧,这个当时直接找的案例,本地草草的看了下代码,那会儿初次接触也不太懂,望多多包含。