ECSHOP myship.php && cls_template.php vul tag_php_code Execute Getshell


Directory

1. Vulnerability Description
2. Vulnerability Trigger Condition
3. Vulnerability Impact Range
4. Vulnerability Code Analysis
5. Defense Methods
6. Defensive Thinking

1. Vulnerability Description

PHP, as a member of the open source community, offers a variety of template engines, such as FastTemplate, Smarty and SimpleTemplate; Smarty is currently the most widely used PHP template engine.

This ECShop code execution / Getshell vulnerability is a typical case of a flaw caused by dynamic parsing of a template tag language. A template language like Smarty lets a static page carry engine-defined "tags" (including tags that wrap PHP code); when the program runs, the engine parses and renders these tags. The intent is to improve "decoupling" in web development and to separate front-end work from back-end logic as far as possible.

However, among Smarty's many template tags there is one with a special purpose, the "code execute tag", which allows PHP code to be embedded in the template and executed dynamically at run time.

ECShop has a logic flaw in its request flow that allows the site's templates to be edited from the administration back end. An attacker can insert malicious PHP code tags into a template (for example PHP code that writes a file, in order to get a shell). When the template file is accessed, or when another file includes the template, the malicious code is executed.

Relevant Link:

http://Baike.baidu.com/view/399896.htm?fr=aladdin
http://www.myhack58.com/Article/html/3/62/2010/27762.htm


2. Vulnerability Trigger Condition

0x1: Login to the back end required

Exploiting this vulnerability requires the attacker to be able to log in to the ECShop administration back end and perform template editing operations there.

0x2: Inserting PHP tag code into the template

Follow these steps in turn.

In the admin back end, open Template Management > Library Project Management, select the library file myship.lbi (shipping method), and insert:

<?php eval($_GET['op']);?>

Once the modification is saved, the PHP code has been written into the template file:

\ecshop\themes\default\library\myship.lbi

Next, code execution must be triggered in this template file.

Access the exploit URL:

http://localhost/ecshop/myship.php

The compiled static template file is saved to \temp\compiled\myship.lbi.php. While the cache is valid (up to its maximum expiration time), later requests to myship.php do not recompile the template; they include the cached static template file directly.

Accessing the exploit URL triggers the following attack process:

1. myship.php calls make_compiled() in \includes\cls_template.php to compile (and execute) the template myship.lbi.
2. The PHP code inserted into myship.lbi is executed.
3. The compiled static template file is saved to \temp\compiled\myship.lbi.php.
4. myship.php includes this static template file, so the PHP code inserted into the template is executed.
5. Getshell complete.

From then on, myship.php can be treated as a webshell.


3. Vulnerability Impact Range

0x1: Vulnerable CMS versions

ECShop v2.7.2 and earlier versions


4. Vulnerability Code Analysis

Reviewing this vulnerability, the root cause is that the program performs no malicious-content check on the template file the user edited and simply "compiles" it, so the malicious PHP code ends up in the compiled static template file. DedeCMS has many similar template parsing vulnerabilities.

\includes\cls_template.php

    /**
     * Compile template function
     *
     * @access  public
     * @param   string  $filename
     *
     * @return  string  compiled file address
     */
    function make_compiled($filename)
    {
        // path where the compiled static template file is saved
        $name = $this->compile_dir . '/' . basename($filename) . '.php';

        // determine whether the cached static template file has expired
        if ($this->_expires)
        {
            $expires = $this->_expires - $this->cache_lifetime;
        }
        else
        {
            $filestat = @stat($name);
            $expires = $filestat['mtime'];
        }

        $filestat = @stat($filename);
        if ($filestat['mtime'] <= $expires && !$this->force_compile)
        {
            if (file_exists($name))
            {
                // include the already compiled static template file
                $source = $this->_require($name);
                if ($source == '')
                {
                    $expires = 0;
                }
            }
            else
            {
                $source = '';
                $expires = 0;
            }
        }

        // parse the template file
        if ($this->force_compile || $filestat['mtime'] > $expires)
        {
            $this->_current_file = $filename;
            $source = $this->fetch_str(file_get_contents($filename));
            if (file_put_contents($name, $source, LOCK_EX) === false)
            {
                trigger_error('can\'t write:' . $name);
            }
            $source = $this->_eval($source);
        }

        return $source;
    }

The key line in the code is:

$source = $this->fetch_str(file_get_contents($filename));

We continue by analyzing this function:

    /**
     * Handling string function
     *
     * @access  public
     * @param   string  $source
     *
     * @return  string
     */
    function fetch_str($source)
    {
        if (!defined('ECS_ADMIN'))
        {
            $source = $this->smarty_prefilter_preCompile($source);
        }

        // the program performs no malicious-content check on the template content about to be parsed;
        // only the {...} tags are processed, everything outside them is passed through unchanged
        return preg_replace_callback("/{([^\}\{\n]*)}/", function ($r) { return $this->select($r[1]); }, $source);
    }

The code shows clearly that the program "compiles" the user-edited template file directly (essentially a PHP dynamic variable substitution mechanism) without checking the template for malicious code. Only the {...} tags are rewritten; everything outside them, including a raw <?php ... ?> block, is copied verbatim into the compiled .php file, where it is live PHP code.


5. Defense Methods

0x1: Code Patch

Ecshop v2.7.3 Release 1106 security vulnerability patch [20130708]

http://bbs.ecshop.com/thread-1131753-1-1.html

Comparing the official patch with the vulnerable 2.7.2 code shows that the fix sits in the template-parsing code. Before the {...} tags are processed, every PHP open or close tag (<?php, <?=, <?, ?>) and the language="php" attribute of the old <script language="php"> form is replaced by an echo of its own literal text, so these tags reach the compiled file as output strings rather than as executable code.

Patched file:

    /**
     * Handling string function
     *
     * @access  public
     * @param   string  $source
     *
     * @return  string
     */
    function fetch_str($source)
    {
        if (!defined('ECS_ADMIN'))
        {
            $source = $this->smarty_prefilter_preCompile($source);
        }

        // malicious-code check on the template content about to be parsed:
        // prevent PHP code tags from surviving into the compiled file as code
        if (preg_match_all('~(<\?(?:\w+|=)?|\?>|language\s*=\s*[\"\']?php[\"\']?)~is', $source, $sp_match))
        {
            $sp_match[1] = array_unique($sp_match[1]);
            for ($curr_sp = 0, $for_max2 = count($sp_match[1]); $curr_sp < $for_max2; $curr_sp++)
            {
                $source = str_replace($sp_match[1][$curr_sp], '%%%SMARTYSP' . $curr_sp . '%%%', $source);
            }
            for ($curr_sp = 0, $for_max2 = count($sp_match[1]); $curr_sp < $for_max2; $curr_sp++)
            {
                $source = str_replace('%%%SMARTYSP' . $curr_sp . '%%%', '<?php echo \'' . str_replace("'", "\'", $sp_match[1][$curr_sp]) . '\';?>' . "\n", $source);
            }
        }

        return preg_replace("/{([^\}\{\n]*)}/e", "\$this->select('\\1');", $source);
    }
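To see what the patch does to a contaminated template, the following added example (not ECShop's code) reproduces the quoting step of the patched fetch_str() on a constructed template fragment and then renders the result the way _eval() would, by evaluating it as PHP. The function names neutralize_php_tags and render_compiled are chosen for this example, and the {...} tag processing done by select() is not reproduced. One deliberate difference from the quoted patch: array_unique() preserves array keys, and the patch then indexes the unique list 0..count-1, so when a repeated tag precedes a first-seen one the latter sits at a gapped key and is skipped by the loop; the example reindexes with array_values() so every tag is handled.

```php
<?php
// Added example (not ECShop's own code). Reproduces the PHP-tag quoting step of the
// patched fetch_str() and shows that a neutralized template renders as plain text.
// neutralize_php_tags() and render_compiled() are names chosen for this example.

// Same pattern as the patch: PHP open tags, PHP close tags, and the language=php
// attribute of the old script-tag form.
const PHP_TAG_PATTERN = '~(<\?(?:\w+|=)?|\?>|language\s*=\s*[\"\']?php[\"\']?)~is';

function neutralize_php_tags(string $source): string
{
    if (!preg_match_all(PHP_TAG_PATTERN, $source, $sp_match)) {
        return $source;
    }
    // array_values() reindexes: array_unique() keeps the original keys, and the
    // quoted patch's 0..count-1 loop would skip a tag left at a gapped key.
    $tags = array_values(array_unique($sp_match[1]));

    // Pass 1: swap every tag for a placeholder, so the PHP echo statements that
    // pass 2 introduces are never themselves matched and rewritten.
    foreach ($tags as $i => $tag) {
        $source = str_replace($tag, '%%%SMARTYSP' . $i . '%%%', $source);
    }
    // Pass 2: each placeholder becomes PHP that echoes the tag as a literal string.
    // PHP swallows the single newline after a close tag, so output spacing is unchanged.
    foreach ($tags as $i => $tag) {
        $quoted = "<?php echo '" . str_replace("'", "\\'", $tag) . "';?>\n";
        $source = str_replace('%%%SMARTYSP' . $i . '%%%', $quoted, $source);
    }
    return $source;
}

// Stand-in for $this->_eval(): run the compiled template and capture its output.
// The leading close tag puts eval() into inline-HTML mode, like a compiled template file.
function render_compiled(string $compiled): string
{
    ob_start();
    eval('?>' . $compiled);
    return (string) ob_get_clean();
}

// Constructed template: three PHP code forms an attacker could paste into a .lbi file.
// Each would print PWNED if it executed.
$template = "<?php echo 'PWNED'; ?>\n"
          . "<?= 'PWNED' ?>\n"
          . "<script language=\"php\">echo 'PWNED';</script>\n";

$compiled = neutralize_php_tags($template);
$rendered = render_compiled($compiled);

echo "--- compiled ---\n", $compiled, "--- rendered ---\n", $rendered;

// With the tags quoted, the template renders as its own source text: nothing executed.
if ($rendered !== $template) {
    fwrite(STDERR, "unexpected: rendered output differs from the template text\n");
    exit(1);
}
echo "OK: PHP tags were emitted as text, not executed\n";
```

Run it with the PHP CLI; the rendered output is byte-for-byte the template source, which is exactly what a neutralized compiled file should produce. The pattern is intentionally broad: a stray ?> in template text or an <?xml declaration is quoted too, which is harmless because the quoted tag is emitted as literal text.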

0x2: Dirty Data rollback

The impact of this vulnerability:

1. It allows the attacker to write malicious PHP code to a disk file via myship.php.
2. The malicious code is also stored on disk for some time as a static cache file, and the malicious code in that file remains live for as long as the cache is valid.

When the attacker accesses myship.php again, the malicious code in the static cache file can still be included even after the code of myship.php has been patched. To repair the vulnerability completely, the contaminated files on disk must therefore be cleaned up as well: the dirty data must be deleted or rolled back.

Two files are contaminated by the attacker:

1. \temp\compiled\myship.lbi.php: generated when myship.lbi is parsed
2. \themes\default\library\myship.lbi

myship.lbi is the template file the attacker edits; it cannot be deleted, because the shop needs it. myship.lbi.php is generated dynamically and stays valid for the duration of the cache lifetime; since it is only a cache of the template, deleting it is safe and make_compiled() regenerates it on the next request.

Dirty-data cleanup and rollback (if the files contain malicious PHP code) consists of:

1. Remove the malicious code from myship.lbi: the file can only be modified, not deleted.
2. Remove the malicious myship.lbi.php: delete the file directly.

0x3: Final repair solution

1. Apply the code patch.
2. Inspect myship.lbi; if malicious PHP code is found, purge it (modify the file).
3. Inspect myship.lbi.php; if malicious PHP code is found, delete the file directly.
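Steps 2 and 3 of the final repair, as a scripted check. This is an added example, not ECShop code: it builds a throwaway directory tree that mimics themes/<theme>/library and temp/compiled, with one clean and one contaminated constructed .lbi file, flags every library template that contains a PHP open tag, strips the PHP blocks from the template, and deletes the matching compiled copy so the next request recompiles from the cleaned source. The function names and sample content are constructed for the example; the detection pattern is narrower than the patch's (open tags only, so a ?> in plain text or an <?xml declaration is not flagged). Point $root at a real installation to run it for real, and review the .bak copies before discarding them.

```php
<?php
// Added example (not ECShop's own code): find and clean injected PHP in ECShop
// library templates, then drop the stale compiled copies. Names and sample files
// are constructed for this example.

// Open-tag forms only: the long form, the echo short tag, a bare short tag, and the
// old script form. A .lbi file must hold HTML and {...} tags, never PHP.
const PHP_OPEN_TAG = '~<\?(?:php\b|=|\s)|<script\b[^>]*\blanguage\s*=\s*[\"\']?php~i';

// Step 2, detection: every PHP open tag in a template, with its line number.
function find_php_tags(string $path): array
{
    $src = file_get_contents($path);
    preg_match_all(PHP_OPEN_TAG, $src, $m, PREG_OFFSET_CAPTURE);
    $hits = [];
    foreach ($m[0] as [$tag, $offset]) {
        $hits[] = ['line' => substr_count(substr($src, 0, $offset), "\n") + 1, 'tag' => $tag];
    }
    return $hits;
}

// Step 2, cleanup: remove each PHP block from the template in place (the .lbi file
// itself must stay, the shop needs it). A timestamped backup is kept for review.
function purge_php_blocks(string $path): int
{
    $src = file_get_contents($path);
    copy($path, $path . '.bak.' . date('YmdHis'));
    // A block runs from the open tag to the next close tag, or to end of file when
    // the close tag is missing, which is also how PHP itself would read it.
    $clean = preg_replace('~<\?(?:php\b|=|\s).*?(?:\?>|\z)~is', '', $src, -1, $n1);
    $clean = preg_replace('~<script\b[^>]*\blanguage\s*=\s*[\"\']?php[\"\']?[^>]*>.*?</script>~is', '', $clean, -1, $n2);
    file_put_contents($path, $clean, LOCK_EX);
    return $n1 + $n2;
}

// Step 3: the compiled file is only a cache derived from the template. Deleting it is
// safe; make_compiled() sees the missing file and recompiles from the cleaned source.
function drop_compiled(string $compileDir, string $templatePath): bool
{
    $compiled = $compileDir . '/' . basename($templatePath) . '.php';
    return is_file($compiled) && unlink($compiled);
}

// --- constructed test tree (replace $root with the real ECShop directory) ---
$root = sys_get_temp_dir() . '/ecshop_cleanup_' . bin2hex(random_bytes(4));
$lib  = $root . '/themes/default/library';
$tmp  = $root . '/temp/compiled';
mkdir($lib, 0700, true);
mkdir($tmp, 0700, true);
file_put_contents($lib . '/header.lbi', "<div class=\"header\">{\$shop_name}</div>\n");
file_put_contents($lib . '/myship.lbi', "<ul>{foreach from=\$shipping_list item=ship}\n"
    . "<li>{\$ship.name}</li>\n"
    . "<?php eval(\$_GET['op']);?>\n"
    . "{/foreach}</ul>\n");
file_put_contents($tmp . '/myship.lbi.php', "<?php /* stale compiled copy */ eval(\$_GET['op']);?>\n");

foreach (glob($lib . '/*.lbi') as $file) {
    $hits = find_php_tags($file);
    if ($hits === []) {
        echo "clean:    $file\n";
        continue;
    }
    foreach ($hits as $h) {
        echo "INFECTED: $file line {$h['line']}: {$h['tag']}\n";
    }
    $removed = purge_php_blocks($file);
    $dropped = drop_compiled($tmp, $file) ? 'deleted' : 'absent';
    echo "  removed $removed PHP block(s); compiled copy $dropped\n";
}
echo "test tree left at $root for inspection\n";
```

The clean header.lbi is reported as clean and left alone; myship.lbi is reported with the line of the injected tag, rewritten without the <?php ... ?> block, and its compiled copy in temp/compiled is removed. Clearing the whole compiled directory instead of the single file is also acceptable, since every file in it is regenerated on demand.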


6. Defensive Thinking

I think the best defence against this kind of template dynamic-tag parsing vulnerability is to perform malicious-content detection at the key nodes of the code logic.

http://www.cnblogs.com/LittleHann/p/3574694.html

Copyright (c) Littlehann All rights reserved

