ecshop include_libcommon.php SQL注射漏洞

在Ecshop中缺乏对参数的有效过滤，导致一个SQL注射漏洞，成功利用该漏洞的攻击者可以获得数据库及站点的完全权限 在include_libcommon.php中存在如下函数 function get_package_info($id) { global $ecs, $db,$_CFG; $now = gmtime(); $sql = "SELECT act_id AS id, act_name AS package_name, goods_id , goods_name, start_time, end_time, act_desc, ext_info". " FROM " . $GLOBALS['ecs']->table('goods_activity') . " WHERE act_id='$id' AND act_type = " . GAT_PACKAGE; $package = $db->GetRow($sql); /* 将时间转成可阅读格式 */ if ($package['start_time'] <= $now && $package['end_time'] >= $now) { $package['is_on_sale'] = "1"; } else { $package['is_on_sale'] = "0"; } $package['start_time'] = local_date('Y-m-d H:i', $package['start_time']); $package['end_time'] = local_date('Y-m-d H:i', $package['end_time']); $row = unserialize($package['ext_info']); unset($package['ext_info']); if ($row) { foreach ($row as $key=>$val) { $package[$key] = $val; } } $sql = "SELECT pg.package_id, pg.goods_id, pg.goods_number, pg.admin_id, ". " g.goods_sn, g.goods_name, g.market_price, g.goods_thumb, g.is_real, ". " IFNULL(mp.user_price, g.shop_price * '$_SESSION[discount]') AS rank_price " . " FROM " . $GLOBALS['ecs']->table('package_goods') . " AS pg ". " LEFT JOIN ". $GLOBALS['ecs']->table('goods') . " AS g ". " ON g.goods_id = pg.goods_id ". " LEFT JOIN " . $GLOBALS['ecs']->table('member_price') . " AS mp ". "ON mp.goods_id = g.goods_id AND mp.user_rank = '$_SESSION[user_rank]' ". " WHERE pg.package_id = " . $id. " ". " ORDER BY pg.package_id, pg.goods_id"; $goods_res = $GLOBALS['db']->getAll($sql); $market_price = 0; 其中$id没有经过严格过滤就直接进入了SQL查询，导致一个SQL注射漏洞。 ECSHOP All Version 厂商补丁 ECSHOP ---------- 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本： http://www.ecshop.com