Mikel
来源: ECshop小京东 – 阿里云盾提示ECshop高危漏洞修复(2017-08-11)-木木资源博
1.ecshop后台SQL注入漏洞 /admin/comment_manage.php 336-337行
$filter['sort_by'] = empty($_REQUEST['sort_by']) ? 'add_time' : trim($_REQUEST['sort_by']);
$filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);修改为
$filter['sort_by'] = empty($_REQUEST['sort_by']) ? 'add_time' : trim(htmlspecialchars($_REQUEST['sort_by']));
$filter['sort_order'] = empty($_REQUEST['sort_order']) ? 'DESC' : trim(htmlspecialchars($_REQUEST['sort_order']));2.ecshop代码注入漏洞 /admin/edit_languages.php 120行
$dst_items[$i] = $_POST['item_id'][$i] .' = '. '"' .$_POST['item_content'][$i]. '";';修改为:
$dst_items[$i] = $_POST['item_id'][$i] .' = '. '\'' .$_POST['item_content'][$i]. '\';';3.ecshop后台getshell /admin/integrate.php 109行
$code = empty($_GET['code']) ? '' : trim($_GET['code']);修改为
$code = empty($_GET['code']) ? '' : trim(addslashes($_GET['code']));
4.ecshop SQL注入漏洞 /admin/affiliate_ck.php
a./admin/affiliate_ck.php 282行
b./mobile/admin/affiliate_ck.php 307行
$sqladd = ' AND a.user_id=' . $_GET['auid'];
改为
$sqladd = ' AND a.user_id=' . intval($_GET['auid']);
5.ecshop注入漏洞 /includes/modules/payment/alipay.php
a./includes/modules/payment/alipay.php 183行
b./mobile/includes/modules/payment/alipay.php 216行
c./app/includes/modules/payment/alipay.php 173行
$order_sn = trim($order_sn);
改为
$order_sn = trim(addslashes($order_sn));
6.ecshop SQL注入漏洞 /admin/shopinfo.php
a./admin/shopinfo.php
b./mobile/admin/shopinfo.php
c.53、71、105、123行,4个地方修复方式都一样
admin_priv('shopinfo_manage');
改为
admin_priv('shopinfo_manage'); $_REQUEST['id'] = intval($_REQUEST['id']);
7.ecshop注入漏洞 /api/client/includes/lib_api.php
a./api/client/includes/lib_api.php 245行
b./mobile/api/client/includes/lib_api.php 246行
function API_UserLogin($post) { if (get_magic_quotes_gpc()) { $post['UserId'] = $post['UserId']; }else{ $post['UserId'] = addslashes($post['UserId']); } $post['username'] = isset($post['UserId']) ? trim($post['UserId']) : ''; $post['password'] = isset($post['Password']) ? strtolower(trim($post['Password'])) : ''; /[i] 检查密码是否正确 [/i]/ $sql = "SELECT user_id, user_name, password, action_list, last_login". " FROM " . $GLOBALS['ecs']->table('admin_user') . " WHERE user_name = '" . htmlspecialchars($post['username']). "'"; $row = $GLOBALS['db']->getRow($sql);
if (get_magic_quotes_gpc()) { $post['UserId'] = $post['UserId']; }else{ $post['UserId'] = addslashes($post['UserId']); }
" WHERE user_name = '" . htmlspecialchars($post['username']). "'";
8.ecshop SQL注入漏洞 /admin/shophelp.php
a./admin/shophelp.php
b./mobile/admin/shophelp.php
c.81、105、133、155行,4个地方修复方式都一样
admin_priv('shopinfo_manage');
改为
admin_priv('shopinfo_manage'); $_REQUEST['id'] = intval($_REQUEST['id']);
9.ecshop注入漏洞 /category.php 65行
$brand = isset($_REQUEST['brand']) && $_REQUEST['brand'] > 0 ? $_REQUEST['brand'] : 0;
改为
$brand = isset($_REQUEST['brand']) && intval($_REQUEST['brand']) > 0 ? intval($_REQUEST['brand']) : 0;
10.ecshop SQL注入漏洞导致代码执行
$arr['id'] = intval($arr['id']); $arr['num'] = intval($arr['num']); $arr['type'] = addslashes($arr['type']);
