ECShop-v3.0.0漏洞复现
配置文件写入导致代码执行
在\ECShop-v3.0.0\install\index.php文件中,从POST请求接收数据库配置信息的值,除trim()外未做任何校验或过滤,便直接传入create_config_file方法。
case 'create_config_file' :
$db_host = isset($_POST['db_host']) ? trim($_POST['db_host']) : '';
$db_port = isset($_POST['db_port']) ? trim($_POST['db_port']) : '';
$db_user = isset($_POST['db_user']) ? trim($_POST['db_user']) : '';
$db_pass = isset($_POST['db_pass']) ? trim($_POST['db_pass']) : '';
$db_name = isset($_POST['db_name']) ? trim($_POST['db_name']) : '';
$prefix = isset($_POST['db_prefix']) ? trim($_POST['db_prefix']) : '';
$timezone = isset($_POST['timezone']) ? trim($_POST['timezone']) : 'Asia/Shanghai';
$result = create_config_file($db_host, $db_port, $db_user, $db_pass, $db_name, $prefix, $timezone);
if ($result === false)
跟踪create_config_file()方法,在\ECShop-3.0.0\install\includes\lib_installer.php文件中找到该方法,其中关键代码如下:传入的配置信息未经转义便直接拼接进双引号PHP字符串字面量,再整体写入配置文件data/config.php。整个过程未对POST传入的数据进行任何安全处理,因此存在配置文件写入导致代码执行的问题。
function create_config_file($db_host, $db_port, $db_user, $db_pass, $db_name, $prefix, $timezone)
{
global $err, $_LANG;
$db_host = construct_db_host($db_host, $db_port);
$content = '<?' ."php\n";
$content .= "// database host\n";
$content .= "\$db_host = \"$db_host\";\n\n";
$content .= "// database name\n";
$content .= "\$db_name = \"$db_name\";\n\n";
$content .= "// database username\n";
$content .= "\$db_user = \"$db_user\";\n\n";
$content .= "// database password\n";
$content .= "\$db_pass = \"$db_pass\";\n\n";
$content .= "// table prefix\n";
$content .= "\$prefix = \"$prefix\";\n\n";
$content .= "\$timezone = \"$timezone\";\n\n";
$content .= "\$cookie_path = \"/\";\n\n";
$content .= "\$cookie_domain = \"\";\n\n";
$content .= "\$session = \"1440\";\n\n";
$content .= "define('EC_CHARSET','".EC_CHARSET."');\n\n";
$content .= "define('ADMIN_PATH','admin');\n\n";
$content .= "define('AUTH_KEY', 'this is a key');\n\n";
$content .= "define('OLD_AUTH_KEY', '');\n\n";
$content .= "define('API_TIME', '');\n\n";
$content .= "define('STORE_KEY','".md5(microtime())."');\n\n";
$content .= '?>';
$fp = @fopen(ROOT_PATH . 'data/config.php', 'wb+');
if (!$fp)
{
$err->add($_LANG['open_config_file_failed']);
return false;
}
if (!@fwrite