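Fix for the remote code execution vulnerability affecting all ECShop versions
Recently ECShop sites have been getting hit everywhere, and nearly all of them have been taken over. The problem is an unfiltered variable in the \includes\lib_insert.php file.
There are already plenty of analysis and exploitation write-ups online.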
http://www.lsablog.com/networksec/penetration/ecshop2-x-rce-analysis/
https://www.colabug.com/4410520.html
http://www.vulnspy.com/cn-ecshop-2.7.x-rce-exploit
Fix:
In the insert_ads function in includes\lib_insert.php, add
    $arr['num'] = intval($arr['num']);
    $arr['id'] = intval($arr['id']);
The result is as follows
function insert_ads($arr)
{
    static $static_res = NULL;

    // Fix: force both request-controlled values to integers before they
    // are concatenated into the SQL statement below.
    $arr['num'] = intval($arr['num']);
    $arr['id'] = intval($arr['id']);

    $time = gmtime();
    if (!empty($arr['num']) && $arr['num'] != 1)
    {
        $sql = 'SELECT a.ad_id, a.position_id, a.media_type, a.ad_link, a.ad_code, a.ad_name, p.ad_width, ' .
                    'p.ad_height, p.position_style, RAND() AS rnd ' .
                'FROM ' . $GLOBALS['ecs']->table('ad') . ' AS a '.
                'LEFT JOIN ' . $GLOBALS['ecs']->table('ad_position') . ' AS p ON a.position_id = p.position_id ' .
                "WHERE enabled = 1 AND start_time <= '" . $time . "' AND end_time >= '" . $time . "' ".
                    "AND a.position_id = '" . $arr['id'] . "' " .
                'ORDER BY rnd LIMIT ' . $arr['num'];
        $res = $GLOBALS['db']->GetAll($sql);
    }
    // ... the rest of insert_ads() is unchanged and not shown here
}
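To confirm the fix is actually in place on a deployed copy, the following added example (not part of the original post and not ECShop code) checks that both intval() casts appear in insert_ads() before the first $sql string is built. It is a textual heuristic; the helper names and the abbreviated sample sources are constructed for illustration.

```python
import re

REQUIRED_KEYS = ("num", "id")  # the two $arr keys the page's fix casts

def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments so a commented-out cast does not count."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return "\n".join(l for l in php.splitlines()
                     if not l.lstrip().startswith(("//", "#")))

def function_text(php, name):
    """Text from `function name(` up to the next function declaration (or end of file)."""
    start = re.search(r"function\s+" + re.escape(name) + r"\s*\(", php)
    if start is None:
        return None
    nxt = re.search(r"^\s*function\s+\w+\s*\(", php[start.end():], re.M)
    return php[start.start(): start.end() + nxt.start() if nxt else len(php)]

def missing_casts(php):
    """Keys of $arr not cast with intval() before insert_ads() first builds $sql."""
    body = function_text(strip_comments(php), "insert_ads")
    if body is None:
        raise ValueError("insert_ads() not found")
    cut = body.find("$sql")
    head = body if cut == -1 else body[:cut]  # only casts ahead of the query count
    missing = []
    for key in REQUIRED_KEYS:
        ref = r"\$arr\[\s*['\"]" + key + r"['\"]\s*\]"
        if not re.search(ref + r"\s*=\s*intval\s*\(\s*" + ref + r"\s*\)", head):
            missing.append(key)
    return missing

# Constructed, abbreviated samples of lib_insert.php (not real ECShop source).
UNPATCHED = """<?php
function insert_ads($arr)
{
    static $static_res = NULL;
    $time = gmtime();
    if (!empty($arr['num']) && $arr['num'] != 1)
    {
        $sql = 'SELECT a.ad_id FROM ad AS a ORDER BY rnd LIMIT ' . $arr['num'];
    }
}
"""
FIX = "$arr['num'] = intval($arr['num']);\n    $arr['id'] = intval($arr['id']);\n    "
PATCHED = UNPATCHED.replace("$time = gmtime();", FIX + "$time = gmtime();")

if __name__ == "__main__":
    print("unpatched:", missing_casts(UNPATCHED))
    print("patched:  ", missing_casts(PATCHED))
```

On a real install, pass the contents of includes\lib_insert.php to missing_casts(); an empty list means both casts were found.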
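Note: this article was last updated on October 8, 2018 at 01:49. If any content or images no longer work, leave a comment below or contact the blogger.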