漏洞1:   admin/affiliate_ck.php

// Handler for the "list" action of admin/affiliate_ck.php (excerpt: the closing
// brace of this branch is not part of the quoted fragment).
// NOTE(review): 'act' is read without an isset() check and compared with loose ==.
if ($_REQUEST['act'] == 'list')

{

    // get_affiliate_ck() reads its filters (status, order_sn, auid) directly from
    // $_REQUEST / $_GET, so input handling has to be reviewed inside that function.
    $logdb = get_affiliate_ck();

    $smarty->assign('full_page',  1);

    $smarty->assign('ur_here', $_LANG['affiliate_ck']);

    // NOTE(review): $separate_on is not defined anywhere in the quoted excerpt.
    $smarty->assign('on', $separate_on);





/**
 * Builds the extra WHERE conditions for the affiliate commission list from
 * request parameters.
 *
 * Excerpt only: the quoted function is cut off at the opening brace of the
 * auid branch, so the auid handling, the final query and the return value are
 * not visible here.
 *
 * Review of the visible lines:
 *  - status is cast to int before it is concatenated into the SQL fragment;
 *  - order_sn is concatenated into a quoted LIKE pattern after trim() only;
 *  - the article reports auid as the injectable parameter, but the line that
 *    uses it is not shown. It should get the same (int) cast as status.
 */
function get_affiliate_ck()

{



    // NOTE(review): unserialize() on a stored configuration value. This is only safe
    // while that value cannot be influenced by untrusted input; json_decode(), or
    // unserialize() with ['allowed_classes' => false], would remove the object-injection risk.
    $affiliate = unserialize($GLOBALS['_CFG']['affiliate']);

    // Fall back to an empty array when the config is missing or fails to unserialize.
    empty($affiliate) && $affiliate = array();

    // NOTE(review): after the fallback above this index does not exist, so this read
    // raises an undefined-index notice and yields null.
    $separate_by = $affiliate['config']['separate_by'];



    $sqladd = '';

    if (isset($_REQUEST['status']))

    {

        // Integer cast makes this concatenation safe.
        $sqladd = ' AND o.is_separate = ' . (int)$_REQUEST['status'];

        // NOTE(review): $filter is not initialised in the visible part of the function.
        $filter['status'] = (int)$_REQUEST['status'];

    }

    if (isset($_REQUEST['order_sn']))

    {

        // NOTE(review): plain assignment rather than .=, so the status condition built
        // above is discarded whenever order_sn is also supplied.
        // NOTE(review): the value is not escaped in this block; it relies entirely on
        // whatever global request filtering runs before this code (not visible here).
        // Escape it with the DB layer or bind it as a parameter.
        $sqladd = ' AND o.order_sn LIKE \'%' . trim($_REQUEST['order_sn']) . '%\'';

        $filter['order_sn'] = $_REQUEST['order_sn'];

    }

    // The body of this branch is cut off in the article; see the function header note.
    if (isset($_GET['auid']))

    {

 

漏洞2:   admin/agency.php  

// Handler for the "list" action of admin/agency.php (excerpt: the closing brace
// of this branch is not part of the quoted fragment).
// NOTE(review): 'act' is read without an isset() check and compared with loose ==.
if ($_REQUEST['act'] == 'list')

{

    $smarty->assign('ur_here',      $_LANG['agency_list']);

    $smarty->assign('action_link',  array('text' => $_LANG['add_agency'], 'href' => 'agency.php?act=add'));

    $smarty->assign('full_page',    1);



    // get_agencylist() takes sort_by / sort_order from $_REQUEST and places them in
    // an ORDER BY clause; that is where the reported injection lives.
    $agency_list = get_agencylist();

    $smarty->assign('agency_list',  $agency_list['agency']);

    // NOTE(review): 'filter' carries the raw sort_by / sort_order strings back to the
    // template; whether the template escapes them is not visible here.
    $smarty->assign('filter',       $agency_list['filter']);

    $smarty->assign('record_count', $agency_list['record_count']);

    $smarty->assign('page_count',   $agency_list['page_count']);





/**
 * Builds and runs the paged agency list query.
 *
 * Excerpt only: the quoted function is cut off in the else branch, so query
 * execution and the return value are not visible. The caller reads the keys
 * 'agency', 'filter', 'record_count' and 'page_count' from the result.
 *
 * Security review: sort_by and sort_order come from $_REQUEST with only
 * empty()/trim() applied and are interpolated unquoted into ORDER BY. Quote
 * escaping gives no protection in that position. Validate both against a
 * whitelist (known column names; ASC or DESC) before building the query.
 */
function get_agencylist()

{

    // presumably returns a previously stored filter/SQL pair, or false when none
    // exists; confirm against get_filter()
    $result = get_filter();

    if ($result === false)

    {

        /* Initialise paging parameters */

        $filter = array();

        // NOTE(review): request value used as a column name with no whitelist check.
        $filter['sort_by']    = empty($_REQUEST['sort_by']) ? 'agency_id' : trim($_REQUEST['sort_by']);// both of these parameters are injectable

        // NOTE(review): request value used as the sort direction; should be restricted to ASC / DESC.
        $filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);



        /* Count total records and compute the number of pages */

        $sql = "SELECT COUNT(*) FROM " . $GLOBALS['ecs']->table('agency');

        $filter['record_count'] = $GLOBALS['db']->getOne($sql);

        $filter = page_and_size($filter);



        /* Query the records */

        // Injection sink: both request-derived values are interpolated directly into the statement.
        $sql = "SELECT * FROM " . $GLOBALS['ecs']->table('agency') . " ORDER BY $filter[sort_by] $filter[sort_order]";



        // NOTE(review): the SQL string containing the unvalidated values is handed to
        // set_filter(); presumably it is stored and reused via get_filter(). Confirm.
        set_filter($filter, $sql);

    }

    else

    {

        // The excerpt is truncated on this line (no terminator in the quoted source).
        $sql    = $result

 

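测试方法(漏洞1):   127.0.0.1/ec/admin/affiliate_ck.php?act=list&auid=1'

测试方法(漏洞2):   127.0.0.1/ec/admin/agency.php?act=list   POST 提交 sort_by=111111'

说明:两处代码都位于后台 admin/ 目录下,通常需要已登录的管理员会话才能访问,这也是标题称其为"鸡肋"的原因。修复思路:auid 应与上文的 status 一样先做 (int) 强制转换;sort_by、sort_order 被直接拼接到 ORDER BY 之后且不在引号内,引号转义对其无效,应改为白名单校验(只允许已知列名以及 ASC/DESC)。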