ECSHOP存在XSS直打管理后台


Oct 13 2015

ECSHOP存在XSS直打管理后台

首页 » 代码审计 » ECSHOP存在XSS直打管理后台   

披露状态:


2014-12-13: 细节已通知厂商并且等待厂商处理中
2014-12-18: 厂商主动忽略漏洞,细节向第三方安全合作伙伴开放
2015-02-11: 细节向核心白帽子及相关领域专家公开
2015-02-21: 细节向普通白帽子公开
2015-03-03: 细节向实习白帽子公开
2015-01-19: 细节向公众公开

简要描述:

N久了,你们是修还是不修啊?这么蛋疼的一个漏洞.

详细说明:

先看admin_logs.php代码

code 区域
define('IN_ECS', true);

require(dirname(__FILE__) . '/includes/init.php');



/* act操作项的初始化 */

if (empty($_REQUEST['act']))

{

    $_REQUEST['act'] = 'list';

}

else

{

    $_REQUEST['act'] = trim($_REQUEST['act']);

}



/*------------------------------------------------------ */

//-- 获取所有日志列表

/*------------------------------------------------------ */

if ($_REQUEST['act'] == 'list')

{

    /* 权限的判断 */

    admin_priv('logs_manage');



    $user_id   = !empty($_REQUEST['id'])       ? intval($_REQUEST['id']) : 0;

    $admin_ip  = !empty($_REQUEST['ip'])       ? $_REQUEST['ip']         : '';

    $log_date  = !empty($_REQUEST['log_date']) ? $_REQUEST['log_date']   : '';



    /* 查询IP地址列表 */

    $ip_list = array();

    $res = $db->query("SELECT DISTINCT ip_address FROM " .$ecs->table('admin_log'));

    while ($row = $db->FetchRow($res))

    {

        $ip_list[$row['ip_address']] = $row['ip_address'];

    }



    $smarty->assign('ur_here',   $_LANG['admin_logs']);

    $smarty->assign('ip_list',   $ip_list);

    $smarty->assign('full_page', 1);



    $log_list = get_admin_logs();



    $smarty->assign('log_list',        $log_list['list']);

    $smarty->assign('filter',          $log_list['filter']);

    $smarty->assign('record_count',    $log_list['record_count']);

    $smarty->assign('page_count',      $log_list['page_count']);



    $sort_flag  = sort_flag($log_list['filter']);

    $smarty->assign($sort_flag['tag'], $sort_flag['img']);



    assign_query_info();

    $smarty->display('admin_logs.htm');

}



/*------------------------------------------------------ */

//-- 排序、分页、查询

/*------------------------------------------------------ */

elseif ($_REQUEST['act'] == 'query')

{

    $log_list = get_admin_logs();



    $smarty->assign('log_list',        $log_list['list']);

    $smarty->assign('filter',          $log_list['filter']);

    $smarty->assign('record_count',    $log_list['record_count']);

    $smarty->assign('page_count',      $log_list['page_count']);



    $sort_flag  = sort_flag($log_list['filter']);

    $smarty->assign($sort_flag['tag'], $sort_flag['img']);



    make_json_result($smarty->fetch('admin_logs.htm'), '',

        array('filter' => $log_list['filter'], 'page_count' => $log_list['page_count']));

}



/*------------------------------------------------------ */

//-- 批量删除日志记录

/*------------------------------------------------------ */

if ($_REQUEST['act'] == 'batch_drop')

{

    admin_priv('logs_drop');



    $drop_type_date = isset($_POST['drop_type_date']) ? $_POST['drop_type_date'] : '';



    /* 按日期删除日志 */

    if ($drop_type_date)

    {

        if ($_POST['log_date'] == '0')

        {

            ecs_header("Location: admin_logs.php?act=list\n");

            exit;

        }

        elseif ($_POST['log_date'] > '0')

        {

            $where = " WHERE 1 ";

            switch ($_POST['log_date'])

            {

                case '1':

                    $a_week = gmtime()-(3600 * 24 * 7);

                    $where .= " AND log_time <= '".$a_week."'";

                    break;

                case '2':

                    $a_month = gmtime()-(3600 * 24 * 30);

                    $where .= " AND log_time <= '".$a_month."'";

                    break;

                case '3':

                    $three_month = gmtime()-(3600 * 24 * 90);

                    $where .= " AND log_time <= '".$three_month."'";

                    break;

                case '4':

                    $half_year = gmtime()-(3600 * 24 * 180);

                    $where .= " AND log_time <= '".$half_year."'";

                    break;

                case '5':

                    $a_year = gmtime()-(3600 * 24 * 365);

                    $where .= " AND log_time <= '".$a_year."'";

                    break;

            }

            $sql = "DELETE FROM " .$ecs->table('admin_log').$where;

            $res = $db->query($sql);

            if ($res)

            {

                admin_log('','remove', 'adminlog');



                $link[] = array('text' => $_LANG['back_list'], 'href' => 'admin_logs.php?act=list');

                sys_msg($_LANG['drop_sueeccud'], 1, $link);

            }

        }

    }

    /* 如果不是按日期来删除, 就按ID删除日志 */

    else

    {

        $count = 0;

        foreach ($_POST['checkboxes'] AS $key => $id)

        {

            $sql = "DELETE FROM " .$ecs->table('admin_log'). " WHERE log_id = '$id'";

            $result = $db->query($sql);



            $count++;

        }

        if ($result)

        {

            admin_log('', 'remove', 'adminlog');



            $link[] = array('text' => $_LANG['back_list'], 'href' => 'admin_logs.php?act=list');

            sys_msg(sprintf($_LANG['batch_drop_success'], $count), 0, $link);

        }

    }

}



/* 获取管理员操作记录 */

function get_admin_logs()

{

    $user_id  = !empty($_REQUEST['id']) ? intval($_REQUEST['id']) : 0;

    $admin_ip = !empty($_REQUEST['ip']) ? $_REQUEST['ip']         : '';



    $filter = array();

    $filter['sort_by']      = empty($_REQUEST['sort_by']) ? 'al.log_id' : trim($_REQUEST['sort_by']);

    $filter['sort_order']   = empty($_REQUEST['sort_order']) ? 'DESC' : trim($_REQUEST['sort_order']);



    //查询条件

    $where = " WHERE 1 ";

    if (!empty($user_id))

    {

        $where .= " AND al.user_id = '$user_id' ";

    }

    elseif (!empty($admin_ip))

    {

        $where .= " AND al.ip_address = '$admin_ip' ";

    }



    /* 获得总记录数据 */

    $sql = 'SELECT COUNT(*) FROM ' .$GLOBALS['ecs']->table('admin_log'). ' AS al ' . $where;

    $filter['record_count'] = $GLOBALS['db']->getOne($sql);



    $filter = page_and_size($filter);



    /* 获取管理员日志记录 */

    $list = array();

    $sql  = 'SELECT al.*, u.user_name FROM ' .$GLOBALS['ecs']->table('admin_log'). ' AS al '.

            'LEFT JOIN ' .$GLOBALS['ecs']->table('admin_user'). ' AS u ON u.user_id = al.user_id '.

            $where .' ORDER by '.$filter['sort_by'].' '.$filter['sort_order'];

    $res  = $GLOBALS['db']->selectLimit($sql, $filter['page_size'], $filter['start']);



    while ($rows = $GLOBALS['db']->fetchRow($res))

    {

        $rows['log_time'] = local_date($GLOBALS['_CFG']['time_format'], $rows['log_time']);



        $list[] = $rows;

    }



    return array('list' => $list, 'filter' => $filter, 'page_count' =>  $filter['page_count'], 'record_count' => $filter['record_count']);

}







没有做任何过滤转义



但是管理员日志正常用户是没有办法直接控制的,我们就需要想办法间接去控制他



继续翻找代码 找关键字admin_log 找到有哪写代码会往日志数据库写数据的



找到user_msg.php文件有处 而这个是用来审核用户留言的 也就是说可控

code 区域
elseif ($_REQUEST['act'] == 'remove')

{

    $msg_id = intval($_REQUEST['id']);



    /* 检查权限 */

    check_authz_json('feedback_priv');



    $msg_title = $exc->get_name($msg_id);

    $img = $exc->get_name($msg_id, 'message_img');

    if ($exc->drop($msg_id))

    {

        /* 删除图片 */

        if (!empty($img))

        {

             @unlink(ROOT_PATH. DATA_DIR . '/feedbackimg/'.$img);

        }

        $sql = "DELETE FROM " . $ecs->table('feedback') . " WHERE parent_id = '$msg_id' LIMIT 1";

        $db->query($sql, 'SILENT');



        admin_log(addslashes($msg_title), 'remove', 'message');

        $url = 'user_msg.php?act=query&' . str_replace('act=remove', '', $_SERVER['QUERY_STRING']);

        ecs_header("Location: $url\n");

        exit;

    }

    else

    {

        make_json_error($GLOBALS['db']->error());

    }

}









发现这里直接把 $msg_title写进了admin_log

code 区域
admin_log(addslashes($msg_title), 'remove', 'message');







$msg_title 是留言的标题 那在找留言出代码

code 区域
$action  = isset($_REQUEST['act']) ? trim($_REQUEST['act']) : 'default';

if ($action == 'act_add_message')

{

    include_once(ROOT_PATH . 'includes/lib_clips.php');



    /* 验证码防止灌水刷屏 */

    if ((intval($_CFG['captcha']) & CAPTCHA_MESSAGE) && gd_version() > 0)

    {

        include_once('includes/cls_captcha.php');

        $validator = new captcha();

        if (!$validator->check_word($_POST['captcha']))

        {

            show_message($_LANG['invalid_captcha']);

        }

    }

    else

    {

        /* 没有验证码时,用时间来限制机器人发帖或恶意发评论 */

        if (!isset($_SESSION['send_time']))

        {

            $_SESSION['send_time'] = 0;

        }



        $cur_time = gmtime();

        if (($cur_time - $_SESSION['send_time']) < 30) // 小于30秒禁止发评论

        {

            show_message($_LANG['cmt_spam_warning']);

        }

    }

    $user_name = '';

    if (empty($_POST['anonymous']) && !empty($_SESSION['user_name']))

    {

        $user_name = $_SESSION['user_name'];

    }

    elseif (!empty($_POST['anonymous']) && !isset($_POST['user_name']))

    {

        $user_name = $_LANG['anonymous'];

    }

    elseif (empty($_POST['user_name']))

    {

        $user_name = $_LANG['anonymous'];

    }

    else

    {

        $user_name = htmlspecialchars(trim($_POST['user_name']));

    }



    $user_id = !empty($_SESSION['user_id']) ? $_SESSION['user_id'] : 0;

    $message = array(

        'user_id'     => $user_id,

        'user_name'   => $user_name,

        'user_email'  => isset($_POST['user_email']) ? htmlspecialchars(trim($_POST['user_email']))     : '',

        'msg_type'    => isset($_POST['msg_type']) ? intval($_POST['msg_type'])     : 0,

        'msg_title'   => isset($_POST['msg_title']) ? trim($_POST['msg_title'])     : '',

        'msg_content' => isset($_POST['msg_content']) ? trim($_POST['msg_content']) : '',

        'order_id'    => 0,

        'msg_area'    => 1,

        'upload'      => array()

     );







也没有对代码进行过滤 msg_title也是直接写入



漏洞证明:

那直接试试

code 区域
<script>alert(document.cookie)</script>

ecshopjpg.jpg

提交xss

ecshop2.jpg

成功



现在看后台

ecshop3.jpg

这里进行转义过滤 所以并没有形成xss



我们再删除这段留言后

进入日志查看
ecshop4.jpg

如果您喜欢本博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容:

正文部分到此结束

文章标签: echop漏洞 ecshop漏洞利用 ecshop入侵

版权声明:若无特殊注明,本文皆为( mOon )原创,转载请保留文章出处。

也许喜欢: «ECSHOP最新全版本通杀注入 | ecshop一处验证码绕过逻辑漏洞»

你肿么看?

你还可以输入 250/250 个字

 微笑 大笑 拽 大哭 亲亲 流汗 喷血 奸笑 囧 不爽 晕 示爱 害羞 吃惊 惊叹 爱你 吓死了 呵呵

评论信息框

这篇文章还没有收到评论,赶紧来抢沙发吧~