
ecshop2.73 api.php两处鸡肋注入

2013-10-18 14:20

// Request dispatcher for api.php: routes on the POSTed `act` field to the matching handler.
// The listing reads `witch` here; given the braces and `case` labels this is a `switch`
// statement whose leading `s` was lost in transcription.
witch ($_POST['act'])

{

case 'search_goods_list': search_goods_list(); break;

case 'search_products_list': search_products_list(); break;

// remaining cases elided by the author
......

}

/**
 * Handler for act=search_products_list: looks up a single goods row by the POSTed
 * goods_id or bn (goods_sn) and fetches it via $GLOBALS['db']->getRow().
 *
 * Reads $_POST['goods_id'] and $_POST['bn']. The body is partly elided ("......")
 * in this listing; only the auth call and the query build are shown.
 */
function search_products_list()

{

check_auth(); // license / signature check runs before any query

......

// Precedence: `&&` binds tighter than `||`, so a non-empty `bn` alone satisfies the guard
// and a non-numeric goods_id is still accepted when bn is set
// (author: "false && false = false, false || true = true").
if (!empty($_POST['goods_id']) && is_numeric($_POST['goods_id']) || !empty($_POST['bn']))

{

$sql = 'SELECT goods_id, last_update AS last_modify, shop_price AS price, goods_sn AS bn, goods_name AS name, goods_weight AS weight, goods_number AS store, add_time AS uptime' .

' FROM ' . $GLOBALS['ecs']->table('goods') .

// Both branches interpolate raw POST values into the SQL text with no quoting or
// parameter binding. Note also that `.` binds tighter than `?:`, so the whole
// concatenated prefix becomes the ternary's condition (always truthy) and $sql
// evaluates to just the branch string rather than the full SELECT.
' WHERE ' . empty($_POST['bn']) ? "goods_id = $_POST[goods_id]" : "goods_sn = $_POST[bn]"; // author: bn is carried into the query

$goods_data = $GLOBALS['db']->getRow($sql);

......

}

/**
 * Handler for act=search_goods_list: pages through on-sale, non-deleted goods whose
 * last_update is after $_POST['last_modify_st_time'], via $GLOBALS['db']->getAll().
 *
 * Reads $_POST['pages'], $_POST['counts'] and $_POST['last_modify_st_time'].
 * The body is partly elided ("......") in this listing.
 */
function search_goods_list()

{

......

$page = empty($_POST['pages']) ? 1 : $_POST['pages']; // not filtered: used raw in LIMIT below



$counts = empty($_POST['counts']) ? 100 : $_POST['counts']; // not filtered: the author notes a UNION payload reaches LIMIT through this value



$sql = 'SELECT goods_id, last_update AS last_modify' .

' FROM ' . $GLOBALS['ecs']->table('goods') .

// last_modify_st_time is dropped into a quoted literal without escaping.
" WHERE is_delete = 0 AND is_on_sale = 1 AND (last_update > '" . $_POST['last_modify_st_time'] . "' OR last_update = 0)".

// $page and $counts are concatenated unquoted into LIMIT; the author's example is
// a `select ... limit 1,1 union select ...` query.
" LIMIT ".($page - 1) * $counts . ', ' . $counts;

$date_arr = $GLOBALS['db']->getAll($sql);

) // NOTE(review): the listing closes with `)`; the function body presumably closes with `}` -- transcription artefact

/**
 * Verifies the caller against the shop's stored license before an API action runs.
 *
 * Reports failure through api_err(): 0x006 when the license record is incomplete,
 * 0x009 when the POST signature does not match the license token, and 0x001 when
 * the remote session check does not answer 'succ'. Reads $_POST['app_session'].
 */
function check_auth()
{
    $shopLicense = get_shop_license(); // stored license: certificate_id, token, certi

    $licenseIncomplete = empty($shopLicense['certificate_id'])
        || empty($shopLicense['token'])
        || empty($shopLicense['certi']);
    if ($licenseIncomplete)
    {
        api_err('0x006', 'no certificate'); // system-level error: insufficient permission
    }

    // Signature over the POST body, keyed with the license token (must match the stored token).
    if (!check_shopex_ac($_POST, $shopLicense['token']))
    {
        api_err('0x009'); // system-level error: invalid signature
    }

    /* Validate the session the application requested */
    $sessionCheck = array(
        'certificate_id'  => $shopLicense['certificate_id'], // shop certificate id
        'app_id'          => 'ecshop_b2c',                    // client origin
        'app_instance_id' => 'webcollect',                    // application service id
        'version'         => VERSION . '#' . RELEASE,         // shop software version
        'format'          => 'json',                          // response format expected from the official side
        'certi_app'       => 'sess.valid_session',            // certificate method
        'certi_session'   => $_POST['app_session'],           // session value requested by the application server
    );
    $sessionCheck['certi_ac'] = make_shopex_ac($sessionCheck, $shopLicense['token']); // shop-side verification string

    $response = exchange_shop_license($sessionCheck, $shopLicense);

    if ($response['res'] != 'succ')
    {
        api_err('0x001', 'session is invalid'); // system-level error: authentication failed
    }
}

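/**
 * Checks the request signature: md5 of every POST value (sorted by key, `ac` excluded)
 * concatenated with the license token must equal the submitted `ac`.
 *
 * @param array  $post_params  request parameters including the `ac` signature
 * @param string $token        shop license token (shared secret)
 * @return bool true only when the signature matches; false otherwise
 */
function check_shopex_ac($post_params, $token)
{
    // A request without a signature can never be valid.
    if (!isset($post_params['ac']))
    {
        return false;
    }
    $submitted = (string) $post_params['ac'];

    ksort($post_params);
    $str = '';
    foreach ($post_params as $key => $value)
    {
        // The signature itself is not part of the signed payload. Strict key compare so
        // an integer key 0 is not mistaken for 'ac' under loose comparison (PHP < 8).
        if ($key !== 'ac')
        {
            $str .= $value;
        }
    }
    $expected = md5($str . $token);

    // Constant-time, type-strict comparison. The original used `==`, which lets PHP
    // type-juggle numeric-looking strings, and its else-branch also returned true,
    // which made the whole check a no-op.
    return hash_equals($expected, $submitted);
}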




知识来源: www.2cto.com/Article/201310/250746.html
