ShopEX网上商店系统\core\include_v5\shopCore.php注入漏洞

添加时间:
2010-06-18

系统编号:
WAVDB-01659

影响版本:
ShopEX 4.8.5.45144

程序介绍:

ShopEX网上商店系统是国内最大的电子商务系统程序

漏洞分析:

\core\include_v5\shopCore.php解密后代码

public function shopCore( )
{
parent::kernel( );
if ( isset( $_POST['spgdif'] ) )
{
$this->spgdif( ); //进入函数
exit( );
}
............................
}
public function spgdif( )
{
include_once( CORE_DIR."/func_ext.php" );
if ( $_POST['session'] && $_POST['query'] && $_POST['sign'] ) //没任何过滤
{
if ( md5( $_POST['query'].$_POST['session']."shopex_stats" ) == $_POST['sign'] ) //MD5 验证，我们可以自己控制。
{
$cert = $this->loadModel( "service/certificate" );
if ( $data = $cert->session_vaild( $_POST['session'] ) )
{
$this->fetchdata( $_POST['query'] );
}
..........................
public function fetchdata( $params )
{
$params = unserialize( $params );
$sql = "SELECT ";
foreach ( $params['fields'] as $key => $value )
{
$sql .= $value['method']."(".$value['name'].")";
if ( $value['alias'] )
{
$sql .= " as ".$value['alias']; //代入sql
}
$sql .= ",";
}
$sql = substr( $sql, 0, -1 );
$sql .= " FROM ".$params['tbl']." ";
...............
$db = $this->database( );
ob_start( );
$data = $db->select( $sql );
ob_end_clean( );
if ( $data )
{
echo json_encode( array(
"res" => "succ",
"data" => $data //没任何干扰，全部显示出来
) );
}
else
{
echo json_encode( array(
"res" => "fail",
"data" => $sql
) );
}
}

解决方案:
厂商补丁：
ShopEX
-----------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：
http://bbs.shopex.cn/notice.php?fid-.html#21

信息来源:
<*来源：俺是农村的
链接：http://t00ls.net
*>

漏洞列表