失眠网 > ecshop /api/client/api.php /api/client/includes/lib_api.php SQL Injection Vul

ecshop /api/client/api.php /api/client/includes/lib_api.php SQL Injection Vul

时间：2020-03-26 14:11:51

catalog

1. 漏洞描述2. 漏洞触发条件3. 漏洞影响范围4. 漏洞代码分析5. 防御方法6. 攻防思考

1. 漏洞描述

ECShop存在一个盲注漏洞，问题存在于/api/client/api.php文件中，提交特制的恶意POST请求可进行SQL注入攻击，可获得敏感信息或操作数据库

/vuldb/ssvid-21007

2. 漏洞触发条件

1. /api/client/api.php存在未过滤漏洞2. 服务器magic_quote_gpc = off //magic_quote_gpc特性已自 PHP 5.3.0 起废弃并将自 PHP 5.4.0 起移除，即默认情况下，magic_quote_gpc = Off

0x1: POC

http://localhost/ecshop2.7.2/api/client/api.php?Action=UserLoginPOST: UserId=%27%20or%20user_id=1%23

Relevant Link:

/manual/zh/info.configuration.php

3. 漏洞影响范围

4. 漏洞代码分析

/api/client/api.php

<?phpdefine('IN_ECS', true);include_once './includes/init.php';//分发处理POST数据dispatch($_POST);?>

/api/client/includes/lib_api.php

/api/client/includes/lib_api.php

function API_UserLogin($post){$post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';$post['password'] = isset($post['Password']) ? strtolower(trim($post['Password'])) : '';/* 检查密码是否正确 *///$post['username']未进行过滤，造成盲注漏洞，参数是直接从原始$_POST获取的，未进行任何预处理，不受内核过滤影响$sql = "SELECT user_id, user_name, password, action_list, last_login"." FROM " . $GLOBALS['ecs']->table('admin_user') ." WHERE user_name = '" . $post['username']. "'";$row = $GLOBALS['db']->getRow($sql);..

Relevant Link:

/bugs/wooyun--02969

5. 防御方法

/api/client/includes/lib_api.php

function API_UserLogin($post){/* SQL注入过滤 */if (get_magic_quotes_gpc()) {$post['UserId'] = $post['UserId']} else {$post['UserId'] = addslashes($post['UserId']);}/* */$post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';..

Relevant Link:

/ecshop-tutorial/ecshop_mangzhu_bug_for_ecshop_v2.7.2-195.html

6. 攻防思考

如果觉得《ecshop /api/client/api.php /api/client/includes/lib_api.php SQL Injection Vul》对你有帮助，请点赞、收藏，并留下你的观点哦！

本内容不代表本网观点和政治立场，如有侵犯你的权益请联系我们处理。

网友评论

网友评论仅供其表达个人看法，并不表明网站立场。