Ecmall的SQL注入第三弹

### 简要描述： RT。 ### 详细说明： 首先注册一个会员 然后申请开店 ECmall 在添加一个商品的时候可以从csv 中导入 看看代码。 在app/my_goods.app.php中 ``` function import() { if (!IS_POST) { $this->assign('note_for_import', sprintf(LANG::get('note_for_import'), CHARSET)); /* 当前页面信息 */ $this->_curlocal(LANG::get('member_center'), 'index.php?app=member', LANG::get('my_goods'), 'index.php?app=my_goods', LANG::get('import')); $this->_curitem('my_goods'); $this->_curmenu('import'); $this->assign('page_title', Lang::get('member_center') . Lang::get('my_goods')); $this->display('common.import.html'); } else { $file = $_FILES['csv']; if ($file['error'] != UPLOAD_ERR_OK) { $this->show_warning('select_file'); return; } /* 取得还能上传的商品数，false表示不限制 */ $store_mod =& m('store'); $settings = $store_mod->get_settings($this->_store_id); $remain = $settings['goods_limit'] > 0 ? $settings['goods_limit'] - $this->_goods_mod->get_count() : false; $data = $this->import_from_csv($file['tmp_name'], false, $_POST['charset'], CHARSET); foreach ($data as $row) { /* 如果商品数超过限制了，中断 */ if ($remain !== false) { if ($remain <= 0) { $this->show_warning('goods_limit_arrived'); return; } else { $remain--; } } $goods_name = trim($row[0]); if (!$goods_name || $this->_goods_mod->get("goods_name = '$goods_name'")) { // 商品名为空或已存在，不处理 continue; } $image_url = trim($row[5]); $thumbnail = trim($row[6]); $goods = array( 'type' => 'material', 'spec_qty' => 0, 'if_show' => 1, 'closed' => 0, 'add_time' => gmtime(), 'last_update' => gmtime(), 'recommended' => 1, 'goods_name' => $goods_name, 'brand' => trim($row[1]), 'description' => trim($row[4]), 'default_image' => $thumbnail, ); $goods_id = $this->_goods_mod->add($goods); if ($this->_goods_mod->has_error()) { $this->show_warning($this->_goods_mod->get_error()); return; } $spec = array( 'goods_id' => $goods_id, 'price' => floatval($row[2]), 'stock' => intval($row[3]), 'sku' => $row[4], ); $spec_id = $this->_spec_mod->add($spec); if ($this->_spec_mod->has_error()) ``` ``` $data = $this->import_from_csv($file['tmp_name'], false, $_POST['charset'], CHARSET); foreach ($data as $row) { /* 如果商品数超过限制了，中断 */ if ($remain !== false) { if ($remain <= 0) { $this->show_warning('goods_limit_arrived'); return; } else { $remain--; } } $goods_name = trim($row[0]); if (!$goods_name || $this->_goods_mod->get("goods_name = '$goods_name'")) { // 商品名为空或已存在，不处理 continue; } $image_url = trim($row[5]); $thumbnail = trim($row[6]); ``` 可以看到这些 $image_url = trim($row[5]); $thumbnail = trim($row[6]); 循环出来之后都没过滤。 而且因为是$_FILES 所以没有转义。 然后带入了各种查询。 ``` $goods = array( 'type' => 'material', 'spec_qty' => 0, 'if_show' => 1, 'closed' => 0, 'add_time' => gmtime(), 'last_update' => gmtime(), 'recommended' => 1, 'goods_name' => $goods_name, 'brand' => trim($row[1]), 'description' => trim($row[4]), 'default_image' => $thumbnail, ); $goods_id = $this->_goods_mod->add($goods); ``` 利用这里来注入把。 随便找一个点。 [<img src="https://images.seebug.org/upload/201407/11001804e2a363624d0bd5f5785c8c6b2a94b9e0.jpg" alt="e13.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/11001804e2a363624d0bd5f5785c8c6b2a94b9e0.jpg) 新建一个这样的csv。 [<img src="https://images.seebug.org/upload/201407/11001239407c967a498533ba2b3aefe6a06c2c94.jpg" alt="e11.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/11001239407c967a498533ba2b3aefe6a06c2c94.jpg) 然后导入。 [<img src="https://images.seebug.org/upload/201407/1100192281cd987a9c3b6fe2033d3fc7c15808bf.jpg" alt="e14.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/1100192281cd987a9c3b6fe2033d3fc7c15808bf.jpg) 成功 ### 漏洞证明： 见上