A fix for the remote code execution vulnerability affecting the whole ECShop line
阿新 • Published: 2019-02-04
ECShop installations are being hit everywhere at the moment, and most of them end up fully compromised. The root cause is that \includes\lib_insert.php uses request-controlled variables without filtering them.
There are already plenty of write-ups analysing and exploiting the bug:
http://www.lsablog.com/networksec/penetration/ecshop2-x-rce-analysis/
https://www.colabug.com/4410520.html
http://www.vulnspy.com/cn-ecshop-2.7.x-rce-exploit
Fix:
In the insert_ads function in includes\lib_insert.php, add $arr['num'] = intval($arr['num']);
and $arr['id'] = intval($arr['id']); before the values are used. Both are spliced straight into the SQL string (num into the LIMIT clause, id into the WHERE clause), and intval() reduces whatever arrives to a plain integer, so no SQL can ride in on them. Note that this only covers the two parameters of insert_ads; any other function in the same file that builds SQL from $arr should be checked the same way.
The patched function looks like this:
```php
function insert_ads($arr)
{
    static $static_res = NULL;

    // Fix: coerce both request-controlled values to integers before they reach the query
    $arr['num'] = intval($arr['num']);
    $arr['id']  = intval($arr['id']);

    $time = gmtime();
    if (!empty($arr['num']) && $arr['num'] != 1)
    {
        $sql = 'SELECT a.ad_id, a.position_id, a.media_type, a.ad_link, a.ad_code, a.ad_name, p.ad_width, ' .
               'p.ad_height, p.position_style, RAND() AS rnd ' .
               'FROM ' . $GLOBALS['ecs']->table('ad') . ' AS a ' .
               'LEFT JOIN ' . $GLOBALS['ecs']->table('ad_position') . ' AS p ON a.position_id = p.position_id ' .
               "WHERE enabled = 1 AND start_time <= '" . $time . "' AND end_time >= '" . $time . "' " .
               "AND a.position_id = '" . $arr['id'] . "' " .
               'ORDER BY rnd LIMIT ' . $arr['num'];
        $res = $GLOBALS['db']->GetAll($sql);
    }
    // (the rest of the function is unchanged and not shown here)
```
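To make it concrete what the two intval() calls buy you, here is an added stand-alone example (my own code, not ECShop's): build_ads_sql() mirrors the shape of the query in insert_ads, once with the values used raw and once after intval(). The table names, the fixed timestamp and the two input arrays are constructed stand-ins so the script runs without an ECShop install or a database.

```php
<?php
// Added example, not part of ECShop. It reproduces only the query-building
// step of insert_ads so the effect of intval() on 'num' and 'id' is visible.

function build_ads_sql(array $arr, bool $hardened): string
{
    if ($hardened) {
        // The fix from the article: coerce both values before they touch the SQL.
        $arr['num'] = intval($arr['num']);
        $arr['id']  = intval($arr['id']);
    }
    $time = 1549238400; // stand-in for gmtime(); a fixed value keeps the output stable

    // Same clause layout as lib_insert.php; 'ecs_' table names are assumed.
    return "SELECT a.ad_id, a.ad_code, RAND() AS rnd FROM ecs_ad AS a "
         . "LEFT JOIN ecs_ad_position AS p ON a.position_id = p.position_id "
         . "WHERE enabled = 1 AND start_time <= '" . $time . "' AND end_time >= '" . $time . "' "
         . "AND a.position_id = '" . $arr['id'] . "' "
         . "ORDER BY rnd LIMIT " . $arr['num'];
}

// Post-patch sanity check: both interpolated values must be bare integers
// in their positions, nothing else.
function query_only_has_integers(string $sql): bool
{
    return (bool) preg_match("/position_id = '\d+' ORDER BY rnd LIMIT \d+$/", $sql);
}

// Constructed inputs: a benign request, and one where both values carry
// attacker-chosen text instead of the integers the template expects.
$benign  = ['num' => 3, 'id' => 7];
$hostile = ['num' => "1 -- ", 'id' => "7' OR 1=1 -- "];

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $arr) {
    foreach ([false, true] as $hardened) {
        $sql = build_ads_sql($arr, $hardened);
        printf("%-8s %-9s integers-only=%s\n  %s\n",
            $label,
            $hardened ? 'patched' : 'unpatched',
            query_only_has_integers($sql) ? 'yes' : 'NO',
            $sql);
    }
}
```

With the hostile input, the unpatched string ends in `position_id = '7' OR 1=1 -- ' ORDER BY rnd LIMIT 1 -- ` and the check reports NO; after intval() both values collapse to 7 and 1 and the query is identical to the one the benign request produces. The same regex can be pointed at a live instance's query log after patching to confirm the fix is actually in the code path being hit.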