漏洞详情

披露状态:

2014-01-05: 细节已通知厂商并且等待厂商处理中
2014-01-06: 厂商已经确认,细节仅向厂商公开
2014-01-09: 细节向第三方安全合作伙伴开放
2014-01-16: 细节向核心白帽子及相关领域专家公开
2014-01-26: 细节向普通白帽子公开
2014-02-15: 细节向实习白帽子公开
2014-04-05: 细节向公众公开

简要描述:

SQL注射

详细说明:

http://www.tuutao.com/index.php 土淘网

用的Ecmall的建站模板,用过这个模板的应该都通杀了吧

s1.jpg



存在搜索框注入,注入点为:

http://www.tuutao.com/index.php?app=store&act=search&id=45&keyword=aaa&min_price=100&max_price=10000



首先将获取get传来的参数,然后组合到一个sql查询语句condition中:

1.search.app.php中的这段代码就是构建查询min和max价格的sql代码,没有过滤:

/**
* 取得查询条件语句
*
* @param array $param 查询参数(参加函数_get_query_param的返回值说明)
* @return string where语句
*/
function _get_goods_conditions($param)
{
/* 组成查询条件 */
$conditions = " g.if_show = 1 AND g.closed = 0 AND s.state = 1"; // 上架且没有被禁售,店铺是开启状态,
if (isset($param['keyword']))
{
$conditions .= $this->_get_conditions_by_keyword($param['keyword'], ENABLE_SEARCH_CACHE);
}
if (isset($param['cate_id']))
{
$conditions .= " AND g.cate_id_{$param['layer']} = '" . $param['cate_id'] . "'";
}
if (isset($param['brand']))
{
$conditions .= " AND g.brand = '" . $param['brand'] . "'";
}
if (isset($param['region_id']))
{
$conditions .= " AND s.region_id = '" . $param['region_id'] . "'";
}
if (isset($param['price']))
{
$min = $param['price']['min'];
$max = $param['price']['max'];
$min > 0 && $conditions .= " AND g.price >= '$min'";
$max > 0 && $conditions .= " AND g.price <= '$max'";
}

return $conditions;
}



2.下面这部分代码是query执行部分,直接将上面的参数带入查询了:

/* 按价格统计 */
if ($total_count > NUM_PER_PAGE)
{
$sql = "SELECT MIN(g.price) AS min, MAX(g.price) AS max FROM {$table} WHERE" . $conditions;
$row = $goods_mod->getRow($sql);
$min = $row['min'];
$max = min($row['max'], MAX_STAT_PRICE);
$step = max(ceil(($max - $min) / PRICE_INTERVAL_NUM), MIN_STAT_STEP);
$sql = "SELECT FLOOR((g.price - '$min') / '$step') AS i, count(*) AS count FROM {$table} WHERE " . $conditions . " GROUP BY i ORDER BY i";
$res = $goods_mod->db->query($sql);
while ($row = $goods_mod->db->fetchRow($res))
{
$data['by_price'][] = array(
'count' => $row['count'],
'min' => $min + $row['i'] * $step,
'max' => $min + ($row['i'] + 1) * $step,
);
}
}
}



3.这个页面上很多参数都没过滤,排查下吧

漏洞证明:

数据库:

available databases [2]:
[*] information_schema
[*] tuutao



账户:

current user:    'tuutao_u@localhost'



数据库tuutao包含的表:

Database: tuutao
[84 tables]
+------------------------+
| _ecm_third_login |
| chat_customgroup |
| chat_pals |
| chat_session |
| chat_transfer_fileinfo |
| chat_users |
| ecm_acategory |
| ecm_address |
| ecm_ads_left |
| ecm_article |
| ecm_ative |
| ecm_attribute |
| ecm_brand |
| ecm_cart |
| ecm_category_goods |
| ecm_category_store |
| ecm_collect |
| ecm_coupon |
| ecm_coupon_sn |
| ecm_friend |
| ecm_function |
| ecm_game |
| ecm_gcategory |
| ecm_get_prize |
| ecm_goods |
| ecm_goods_attr |
| ecm_goods_image |
| ecm_goods_integral |
| ecm_goods_qa |
| ecm_goods_spec |
| ecm_goods_statistics |
| ecm_goods_tpl |
| ecm_goods_tuijian |
| ecm_groupbuy |
| ecm_groupbuy_log |
| ecm_handsel |
| ecm_hdlog |
| ecm_integral |
| ecm_logistics |
| ecm_logistics_conf |
| ecm_logsingle |
| ecm_mail_queue |
| ecm_member |
| ecm_member_ofields |
| ecm_message |
| ecm_module |
| ecm_money_logs |
| ecm_navigation |
| ecm_order |
| ecm_order_extm |
| ecm_order_goods |
| ecm_order_integral |
| ecm_order_log |
| ecm_pageview |
| ecm_partner |
| ecm_payment |
| ecm_privilege |
| ecm_prize |
| ecm_promotion |
| ecm_promotion_local |
| ecm_promotion_log |
| ecm_recommend |
| ecm_recommended_goods |
| ecm_refer |
| ecm_region |
| ecm_scategory |
| ecm_seckill |
| ecm_seckill_subject |
| ecm_sessions |
| ecm_sessions_data |
| ecm_sgrade |
| ecm_ship |
| ecm_shipping |
| ecm_specialpage |
| ecm_specialpage_goods |
| ecm_specify |
| ecm_store |
| ecm_template |
| ecm_third_login |
| ecm_timedisc |
| ecm_uploaded_file |
| ecm_user_coupon |
| ecm_user_priv |
| ecm_user_prize |
+------------------------+

修复方案:

各种过滤

版权声明:转载请注明来源 HackBraid@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:10

确认时间:2014-01-06 15:22

厂商回复:

非常感谢您为shopex信息安全做的贡献
我们将尽快修复
非常感谢

最新状态:

暂无


漏洞评价: