ECshop 小京东 – Fixes for ECshop High-Risk Vulnerabilities Flagged by Alibaba Cloud Shield (阿里云盾) (2017-08-11) - 木木资源博

Source: ECshop 小京东 – Fixes for ECshop High-Risk Vulnerabilities Flagged by Alibaba Cloud Shield (阿里云盾) (2017-08-11) - 木木资源博

1. ECshop admin backend SQL injection vulnerability: /admin/comment_manage.php, lines 336-337

    $filter['sort_by']      = empty($_REQUEST['sort_by']) ? 'add_time' : trim($_REQUEST['sort_by']);
    $filter['sort_order']   = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);

Change to:

    $filter['sort_by']      = empty($_REQUEST['sort_by']) ? 'add_time' : trim(htmlspecialchars($_REQUEST['sort_by']));
    $filter['sort_order']   = empty($_REQUEST['sort_order']) ? 'DESC' : trim(htmlspecialchars($_REQUEST['sort_order']));
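
An added example, not part of the original post or of ECshop's own code: because `sort_by` and `sort_order` are used as a column name and a keyword in an ORDER BY clause rather than inside a quoted string, an allowlist is a stricter way to constrain them than escaping. The helper names and the list of sortable columns are assumptions for illustration.

```php
<?php
// Added example, not ECshop code. Helper names and column list are assumptions.

// Return the canonical allowlisted value matching $value, or $default.
function pick_allowed($value, array $allowed, $default)
{
    if (!is_string($value)) {
        return $default;               // e.g. sort_by[]=x arrives as an array
    }
    $value = trim($value);
    foreach ($allowed as $candidate) {
        if (strcasecmp($value, $candidate) === 0) {
            return $candidate;         // never echo the raw input back
        }
    }
    return $default;
}

// Build the two sort fields from a request array such as $_REQUEST.
function build_sort_filter(array $request)
{
    // Assumed sortable columns of the comment list.
    $columns = array('comment_id', 'user_name', 'comment_type', 'ip_address', 'add_time');
    $by    = isset($request['sort_by']) ? $request['sort_by'] : null;
    $order = isset($request['sort_order']) ? $request['sort_order'] : null;

    return array(
        'sort_by'    => pick_allowed($by, $columns, 'add_time'),
        'sort_order' => pick_allowed($order, array('ASC', 'DESC'), 'DESC'),
    );
}

// Constructed sample requests.
$samples = array(
    array('sort_by' => 'user_name', 'sort_order' => 'asc'),
    array('sort_by' => 'add_time,1', 'sort_order' => 'DESC;'),
    array('sort_by' => array('x')),
    array(),
);
foreach ($samples as $request) {
    $filter = build_sort_filter($request);
    echo 'ORDER BY ' . $filter['sort_by'] . ' ' . $filter['sort_order'] . "\n";
}
```

Any value that is not on the list falls back to the default, so only strings written in the source code ever reach the query text.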

2. ECshop code injection vulnerability: /admin/edit_languages.php, line 120

$dst_items[$i] = $_POST['item_id'][$i] .' = '. '"' .$_POST['item_content'][$i]. '";';

Change to:

$dst_items[$i] = $_POST['item_id'][$i] .' = '. '\'' .$_POST['item_content'][$i]. '\';';

3. ECshop admin backend getshell: /admin/integrate.php, line 109

$code = empty($_GET['code']) ? '' : trim($_GET['code']);

Change to:

$code = empty($_GET['code']) ? '' : trim(addslashes($_GET['code']));

 

4. ECshop SQL injection vulnerability: /admin/affiliate_ck.php
a. /admin/affiliate_ck.php, line 282
b. /mobile/admin/affiliate_ck.php, line 307

$sqladd = ' AND a.user_id=' . $_GET['auid'];

Change to:

$sqladd = ' AND a.user_id=' . intval($_GET['auid']);

5. ECshop injection vulnerability: /includes/modules/payment/alipay.php
a. /includes/modules/payment/alipay.php, line 183
b. /mobile/includes/modules/payment/alipay.php, line 216
c. /app/includes/modules/payment/alipay.php, line 173

$order_sn = trim($order_sn);

Change to:

$order_sn = trim(addslashes($order_sn));

6. ECshop SQL injection vulnerability: /admin/shopinfo.php
a. /admin/shopinfo.php
b. /mobile/admin/shopinfo.php
c. Lines 53, 71, 105 and 123; the fix is the same in all four places

admin_priv('shopinfo_manage');

Change to:

admin_priv('shopinfo_manage');
$_REQUEST['id'] = intval($_REQUEST['id']);

7. ECshop injection vulnerability: /api/client/includes/lib_api.php
a. /api/client/includes/lib_api.php, line 245
b. /mobile/api/client/includes/lib_api.php, line 246

function API_UserLogin($post)
{
    if (get_magic_quotes_gpc()) {
        $post['UserId'] = $post['UserId'];
    }else{
        $post['UserId'] = addslashes($post['UserId']);
    }
    $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : '';
    $post['password'] = isset($post['Password']) ? strtolower(trim($post['Password'])) : '';

    /* Check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, action_list, last_login".
    " FROM " . $GLOBALS['ecs']->table('admin_user') .
    " WHERE user_name = '" . htmlspecialchars($post['username']). "'";

    $row = $GLOBALS['db']->getRow($sql);

if (get_magic_quotes_gpc()) {
    $post['UserId'] = $post['UserId'];
}else{
    $post['UserId'] = addslashes($post['UserId']);
}
" WHERE user_name = '" . htmlspecialchars($post['username']). "'";

8. ECshop SQL injection vulnerability: /admin/shophelp.php
a. /admin/shophelp.php
b. /mobile/admin/shophelp.php
c. Lines 81, 105, 133 and 155; the fix is the same in all four places

admin_priv('shopinfo_manage');

Change to:

admin_priv('shopinfo_manage');
$_REQUEST['id'] = intval($_REQUEST['id']);

9. ECshop injection vulnerability: /category.php, line 65

$brand = isset($_REQUEST['brand']) && $_REQUEST['brand'] > 0 ? $_REQUEST['brand'] : 0;

Change to:

$brand = isset($_REQUEST['brand']) && intval($_REQUEST['brand']) > 0 ? intval($_REQUEST['brand']) : 0;

10. ECshop SQL injection vulnerability leading to code execution

$arr['id'] = intval($arr['id']);
$arr['num'] = intval($arr['num']);
$arr['type'] = addslashes($arr['type']);