ecshop /api/client/api.php、/api/client/includes/lib_api.php SQL Injection Vul

Andrew.Hann發表於2015-05-23
APIclientPHPSQL

catalog

1. 漏洞描述
2. 漏洞觸發條件
3. 漏洞影響範圍
4. 漏洞程式碼分析
5. 防禦方法
6. 攻防思考

 

1. 漏洞描述

ECShop存在一個盲注漏洞,問題存在於/api/client/api.php檔案中,提交特製的惡意POST請求可進行SQL隱碼攻擊,可獲得敏感資訊或運算元據庫

http://sebug.net/vuldb/ssvid-21007


2. 漏洞觸發條件

1. /api/client/api.php存在未過濾漏洞
2. 伺服器magic_quote_gpc = off 
//magic_quote_gpc特性已自 PHP 5.3.0 起廢棄並將自 PHP 5.4.0 起移除,即預設情況下,magic_quote_gpc = Off

0x1: POC

http://localhost/ecshop2.7.2/api/client/api.php?Action=UserLogin
POST: UserId=%27%20or%20user_id=1%23

Relevant Link:

http://php.net/manual/zh/info.configuration.php


3. 漏洞影響範圍
4. 漏洞程式碼分析

/api/client/api.php

<?php

define('IN_ECS', true);

include_once './includes/init.php';

//分發處理POST資料
dispatch($_POST);
?>

/api/client/includes/lib_api.php

function dispatch($post)
{
    // 分發器陣列
    $func_arr = array('GetDomain', 'UserLogin', 'AddCategory', 'AddBrand', 'AddGoods', 'GetCategory', 'GetBrand', 'GetGoods', 'DeleteBrand', 'DeleteCategory', 'DeleteGoods', 'EditBrand', 'EditCategory', 'EditGoods');
    //當$_POST['Action'] == 'UserLogin'的時候呼叫API_UserLogin
    if(in_array($post['Action'], $func_arr) && function_exists('API_'.$post['Action']))
    {
        return call_user_func('API_'.$post['Action'], $post);
    }
    else
    {
        API_Error();
    }
}

/api/client/includes/lib_api.php

function API_UserLogin($post)
{
    $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
    $post['password'] = isset($post['Password']) ? strtolower(trim($post['Password'])) : '';

    /* 檢查密碼是否正確 */
    //$post['username']未進行過濾,造成盲注漏洞,引數是直接從原始$_POST獲取的,未進行任何預處理,不受核心過濾影響
    $sql = "SELECT user_id, user_name, password, action_list, last_login".
    " FROM " . $GLOBALS['ecs']->table('admin_user') .
    " WHERE user_name = '" . $post['username']. "'";

    $row = $GLOBALS['db']->getRow($sql);
    ..

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2010-02969


5. 防禦方法

/api/client/includes/lib_api.php

function API_UserLogin($post)
{
    /* SQL隱碼攻擊過濾 */
    if (get_magic_quotes_gpc()) 
    {     
        $post['UserId'] = $post['UserId']     
    } 
    else 
    {     
        $post['UserId'] = addslashes($post['UserId']);     
    }
    /* */
    $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
    ..

Relevant Link:

http://www.topit.cn/ecshop-tutorial/ecshop_mangzhu_bug_for_ecshop_v2.7.2-195.html


6. 攻防思考

Copyright (c) 2015 LittleHann All rights reserved

 

相關文章