### Brief description:
ECSHOP admin-panel SQL injection, freshly found, still warm. The earlier submissions were split into several parts because I was submitting while I was still digging.
### Details:
```php
// admin/favourable.php (excerpt as quoted in the report; the echo is debug output
// left in by the reporter, and the function is cut off after the SELECT)
if ($_REQUEST['act'] == 'list')
{
    admin_priv('favourable');

function favourable_list()
{
    echo 22222222222222;
    $result = get_filter();
    if ($result === false)
    {
        /* filter conditions */
        $filter['keyword'] = empty($_REQUEST['keyword']) ? '' : trim($_REQUEST['keyword']);
        if (isset($_REQUEST['is_ajax']) && $_REQUEST['is_ajax'] == 1)
        {
            $filter['keyword'] = json_str_iconv($filter['keyword']);
        }
        $filter['is_going']   = empty($_REQUEST['is_going']) ? 0 : 1;
        $filter['sort_by']    = empty($_REQUEST['sort_by']) ? 'act_id' : trim($_REQUEST['sort_by']); // parameter is not filtered
        $filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);

        $where = "";
        if (!empty($filter['keyword']))
        {
            $where .= " AND act_name LIKE '%" . mysql_like_quote($filter['keyword']) . "%'";
        }
        if ($filter['is_going'])
        {
            $now = gmtime();
            $where .= " AND start_time <= '$now' AND end_time >= '$now' ";
        }

        $sql = "SELECT COUNT(*) FROM " . $GLOBALS['ecs']->table('favourable_activity') .
               " WHERE 1 $where";
        $filter['record_count'] = $GLOBALS['db']->getOne($sql);

        /* page size */
        $filter = page_and_size($filter);

        /* query */
        $sql = "SELECT * " .
               "FROM " . $GLOBALS['ecs']->table('favourable_activity') .
               " WHERE 1 $where " .
               " ORDER BY $filter[sort_by] $filter[sort_order] " . // concatenated straight into the query
               " LIMIT " . $filter['start'] . ", $filter[page_size]";
        // ... remainder of the function omitted in the report
```
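The root cause is that `sort_by` and `sort_order` are only trimmed and then interpolated into `ORDER BY`, where prepared-statement placeholders cannot be used for identifiers. The usual fix is to accept only values from a fixed whitelist. The following is an added example, not ECSHOP's own code: `vulnerable_order_by()` reproduces the report's construction, `safe_order_by()` is a whitelisted version, and the column list and function names are assumptions for the example (only `act_id`, `act_name`, `start_time` and `end_time` appear in the quoted source).

```php
<?php
// Added example (not ECSHOP code): whitelist validation for the ORDER BY clause
// that favourable_list() builds from request parameters.

function vulnerable_order_by(array $request): string
{
    // Mirrors the report: the values are trimmed only, then concatenated.
    $sort_by    = empty($request['sort_by'])    ? 'act_id' : trim($request['sort_by']);
    $sort_order = empty($request['sort_order']) ? 'DESC'   : trim($request['sort_order']);
    return " ORDER BY $sort_by $sort_order ";
}

function safe_order_by(array $request): string
{
    // Columns of favourable_activity that the list view may sort by (assumed list).
    static $allowed_columns = ['act_id', 'act_name', 'start_time', 'end_time'];
    static $allowed_orders  = ['ASC', 'DESC'];

    $sort_by    = isset($request['sort_by'])    ? trim($request['sort_by'])    : 'act_id';
    $sort_order = isset($request['sort_order']) ? strtoupper(trim($request['sort_order'])) : 'DESC';

    // Anything outside the whitelist falls back to the default instead of being trusted.
    if (!in_array($sort_by, $allowed_columns, true)) {
        $sort_by = 'act_id';
    }
    if (!in_array($sort_order, $allowed_orders, true)) {
        $sort_order = 'DESC';
    }
    // Strict comparison above guarantees $sort_by is one of our own literals,
    // so it is safe to place it in the identifier position.
    return " ORDER BY `$sort_by` $sort_order ";
}

// Constructed inputs: a legitimate request and the report's single-quote probe.
$legit = ['sort_by' => 'act_name', 'sort_order' => 'asc'];
$probe = ['sort_by' => "'1",       'sort_order' => 'DESC'];

foreach ([$legit, $probe] as $req) {
    echo "vulnerable: " . vulnerable_order_by($req) . "\n";
    echo "safe:       " . safe_order_by($req)       . "\n";
}
```

For the probe input the vulnerable function emits `ORDER BY '1 DESC`, which is the malformed SQL behind the error shown in the screenshot below, while the whitelisted version emits `ORDER BY `act_id` DESC`. Note that `mysql_like_quote()` on `keyword` does not help here: escaping protects string literals, not identifiers, so only a whitelist (or a lookup table mapping request values to column names) closes this path.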
### Proof of vulnerability:
Test method
127.0.0.1/ec/admin/favourable.php?act=query&sort_by='1&id=1
![_20131219180651.jpg](https://images.seebug.org/upload/201312/19191723affef75b36ed1ea4e7cc2c83de202108.jpg)