How to analyze the high-risk vulnerabilities of remote code execution in the full-series version of ECShop

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article shows you how to analyze the remote code execution vulnerability affecting the full series of ECShop versions. The content is concise and easy to follow, and I hope the detailed walkthrough below gives you something useful.

On Sept. 1, 2018, Aliyun Situation Awareness issued an early warning: batch attacks exploiting a remote code execution vulnerability in the full series of ECShop versions had recently shown an upward trend. The vulnerability is easy to exploit and highly damaging; attackers can obtain server permissions directly through a web request.

Vulnerability principle

The root cause of this vulnerability is that in the user.php file of the ECShop system, the template variable passed to the display function is user-controllable. This leads to SQL injection, and the injection can be chained into remote code execution, so an attacker can gain access to the server directly, without logging in or performing any other operation.

First of all, starting with the user.php file, you can see in the code that the system reads the

The content is assigned to the $back_act variable.

(user.php)

The assign method is then called with the value of $back_act as a parameter.

(user.php)

The assign method passes the controllable variable to the template engine, and the display method then renders it to the page. Next, follow the insert_mod method that is called within display.

(includes/cls_template.php)

The insert_mod method returns a dynamic function call whose function name and arguments are both controllable. From the attacker's payload we can learn that the function called is insert_ads, so follow that method next.

(includes/lib_insert.php)

It is not difficult to see that the two variables $arr['id'] and $arr['num'] are externally controllable input points.

The SQL statement executed when the attack vector is triggered is as follows.

(print the $sql variable)

(result of sql statement execution)

Next, the program calls the fetch method, whose parameter is taken from the $row['position_style'] variable, which is also an externally controllable input point.

(includes/lib_insert.php)

Here the fetch function calls a dangerous function, eval, which is the point where the vulnerability is finally triggered. Before the parameter reaches it, however, it is processed by the fetch_str method.

(includes/cls_template.php)

Finally, the input point passes through fetch_str, select, get_val and, at last, the make_var method.

(includes/cls_template.php)

The final string passed to eval is:

At this point the analysis of the vulnerability principle is complete: the attacker's malicious code is executed successfully.

Examples of exploiting vulnerabilities

Aliyun Situation Awareness observed the first exploitation of this vulnerability on the cloud on August 1, 2018. The attackers implant malicious code through the Referer field of the HTTP request header, as follows:

When the malicious code executes successfully, the attacker attempts to access the link 'http://uee.me/MrJc'. The specific payload code is as follows:

Here http-//uee.me/MrJc is a short link whose full URL is http-//www.thaihaogo.com/images/201608/4.jpg.

After a successful download the file is renamed to 1.php; in fact, the 4.jpg file is an obfuscated PHP Trojan.

After de-obfuscation, the execution logic of the Trojan is restored as follows:

The PHP code in the Trojan downloads a fully functional web Trojan (web shell) from http-//i.niupic.com/images/2017/05/26/Lfkavl.gif. The features of this web Trojan are as follows:

Vulnerability impact

Testing by the Aliyun Emergency Center found that the remote code execution vulnerability exists in the full range of ECShop versions (including 2.x, 3.0.x and 3.6.x). Data monitored by the Aliyun Situation Awareness Data Research Center show that the vulnerability is not difficult to exploit, has a wide impact, and that signs of mass intrusion have already been found; users running related business should pay attention and repair it in time.

Expert advice

Until the official patch is released, we suggest that webmasters modify the vulnerable code in the includes/lib_insert.php file to force $arr['id'] and $arr['num'] to be converted to integers. This can serve as a temporary fix that minimizes the risk of intrusion. Part of the code that needs to be modified is as follows:
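The page's own patch snippet is not reproduced here. As an added illustration (not ECShop's code, and not the vendor's patch), the block below models the two stages this analysis walks through, the insert_ads parameters reaching SQL and the make_var path that turns a template token into eval'd PHP, each beside a hardened counterpart; all function names, the table name and the sample inputs are hypothetical, with the integer cast mirroring the temporary fix suggested above.

```php
<?php
// Added illustration, not ECShop's own code. Function, table and
// variable names are hypothetical; the shapes follow the article.

// 1) Model of the insert_ads input handling: $arr['id'] and
//    $arr['num'] arrive straight from the template parameters.
function build_ads_sql_unsafe(array $arr): string
{
    // Vulnerable shape: values are concatenated into SQL unchanged.
    return "SELECT position_style FROM ad_position WHERE position_id = '"
        . $arr['id'] . "' LIMIT " . $arr['num'];
}

function build_ads_sql_hardened(array $arr): string
{
    // Temporary fix from the article: force both values to integers
    // before they reach the query, so injected text collapses to a number.
    $id  = intval($arr['id'] ?? 0);
    $num = intval($arr['num'] ?? 0);
    return "SELECT position_style FROM ad_position WHERE position_id = $id LIMIT $num";
}

// 2) Model of the fetch_str -> get_val -> make_var path that turns a
//    template token into PHP source for eval(). The hardened variant
//    accepts plain identifiers only, so no code can be smuggled in.
function make_var_unsafe(string $name): string
{
    return '$this->_var[\'' . $name . '\']';
}

function make_var_hardened(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("rejected template variable: $name");
    }
    return '$this->_var[\'' . $name . '\']';
}

// Constructed sample input: a crafted id/num pair and a crafted token.
$crafted = ['id' => "1' OR 1=1 -- ", 'num' => "1 UNION SELECT 'x"];
echo build_ads_sql_unsafe($crafted), PHP_EOL;    // injected text survives
echo build_ads_sql_hardened($crafted), PHP_EOL;  // only integers reach SQL

$token = "a'];injected();//";
echo make_var_unsafe($token), PHP_EOL;           // literal is closed, code follows
try {
    echo make_var_hardened($token), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;              // token is refused
}
```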

The above is how to analyze the high-risk remote code execution vulnerability in the full series of ECShop versions. Have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.
