ShopEx injection leading to arbitrary file inclusion

ShopEx admin login URL:
http://127.0.0.1/shopadmin/index.php?ctl=passport&act=login
Code analysis:
\core\include_v5\adminCore.php

    public function adminCore( )
    ......
    $mod = $_GET['ctl'] ? $_GET['ctl'] : "default";
    ......
    $controller =& $this->getController( $mod );

$mod is simply the ctl parameter we submit.
Further down is the function getController:

    public function &getController( $mod, $args = null )
    {
        if ( !class_exists( "pageFactory" ) ) {
            require( "pageFactory.php" );
        }
        $baseName = basename( $mod, $args );
        $dirName = dirname( $mod );
        if ( $dirName == "plugins" ) {
            $addon =& $this->loadModel( "system/addons" );
            $object =& $addon->load( $baseName, "admin" );
            $object->db =& $this->database( );
        } else {
            $fname = CORE_DIR."/admin/controller/".$dirName."/ctl.".$baseName.".php";

Key logic: when dirname($mod) is "plugins", i.e. ctl has the form plugins/<name>, the basename of ctl is handed straight to the addons model:

    if ( $dirName == "plugins" )
        $addon =& $this->loadModel( "system/addons" );
        $object =& $addon->load( $baseName, "admin" );
In the file \core\model_v5\system\mdl.addons.php:

    public function &load( $name, $type )
    {
        if ( ( $type == "app" || $type == "shop" || $type == "admin" ) && !class_exists( "app" ) ) {
            require( "app.php" );
        }
        $data = $this->db->selectrow( "SELECT plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base FROM sdb_plugins WHERE plugin_type='{$type}' AND plugin_ident='{$name}'" );
        return $this->plugin_instance( $data );
    }

So the ctl value we submit ends up as $name, interpolated directly into the query string, and ShopEx has already un-escaped the variable, so a single quote arrives intact. This is an SQL injection. Next, look at plugin_instance( $data ):
    public function plugin_instance( $data )
    {
        $sturct = unserialize( $data['plugin_struct'] );
        $classname = $sturct['class_name'];
        if ( !$classname ) {
            return false;
        }
        if ( $data['plugin_base'] == 0 ) {
            if ( file_exists( PLUGIN_DIR.$data['plugin_path'] ) ) {
                require_once( PLUGIN_DIR.$data['plugin_path'] );

The critical line is require_once( PLUGIN_DIR.$data['plugin_path'] ): because of the SQL injection, every field of $data (the selected row, including plugin_struct with its class_name, plugin_base and plugin_path) is under our control, so the included file is attacker-chosen. The file_exists() check limits this to files present on the local filesystem, with ../ sequences in plugin_path escaping PLUGIN_DIR.
Result: local file inclusion of ./readme.txt.
Fix: filter the ctl/plugin identifier (and use bound parameters in the query), check the resolved include path stays under PLUGIN_DIR, add permission checks, and so on.
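To make the two halves of the fix concrete, here is an added example that is not ShopEx code: a Python model of the load()/plugin_instance() flow from the analysis above, using an in-memory sqlite3 table as a stand-in for sdb_plugins. The value of PLUGIN_DIR, the sample row, and the UNION payload are all constructed for the illustration; the payload exists only to show why the string-built query lets the caller pick the row that reaches require_once, beside a hardened loader (identifier allowlist plus bound parameters) and an include-path check that keeps the resolved file under the plugin directory.

```python
"""Model of ShopEx addons->load() / plugin_instance() (constructed example,
not ShopEx code). sqlite3 stands in for the MySQL backend."""
import posixpath
import re
import sqlite3

PLUGIN_DIR = "/var/www/shopex/plugins/"   # assumed value of the PLUGIN_DIR constant
COLS = "plugin_id,plugin_path,plugin_struct,plugin_config,plugin_base"


def make_db():
    """Constructed stand-in for sdb_plugins with one legitimate admin plugin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sdb_plugins (plugin_id INTEGER, plugin_path TEXT, "
        "plugin_struct TEXT, plugin_config TEXT, plugin_base INTEGER, "
        "plugin_type TEXT, plugin_ident TEXT)"
    )
    conn.execute(
        "INSERT INTO sdb_plugins VALUES (?,?,?,?,?,?,?)",
        (1, "demo/demo.php", 'a:1:{s:10:"class_name";s:4:"demo";}', "", 0, "admin", "demo"),
    )
    return conn


def load_vulnerable(conn, name, ptype):
    """Same query shape as mdl.addons.php: $name is interpolated un-escaped."""
    sql = (f"SELECT {COLS} FROM sdb_plugins "
           f"WHERE plugin_type='{ptype}' AND plugin_ident='{name}'")
    return conn.execute(sql).fetchone()


IDENT_RE = re.compile(r"[A-Za-z0-9_]+")   # what a plugin_ident is allowed to look like


def load_fixed(conn, name, ptype):
    """Hardened loader: reject anything but a plain identifier, then bind."""
    if not IDENT_RE.fullmatch(name):
        return None
    sql = f"SELECT {COLS} FROM sdb_plugins WHERE plugin_type=? AND plugin_ident=?"
    return conn.execute(sql, (ptype, name)).fetchone()


def include_path(row, plugin_dir=PLUGIN_DIR):
    """The path plugin_instance() hands to require_once when plugin_base == 0."""
    _plugin_id, plugin_path, _plugin_struct, _plugin_config, plugin_base = row
    if plugin_base != 0:
        return None
    return posixpath.normpath(plugin_dir + plugin_path)


def include_path_checked(row, plugin_dir=PLUGIN_DIR):
    """Hardened version: the resolved file must stay under plugin_dir."""
    target = include_path(row, plugin_dir)
    if target is None or not target.startswith(plugin_dir):
        return None
    return target


# Constructed payload showing the mechanism: the first SELECT matches no row,
# so the UNION row supplies every column, including plugin_path and a
# serialized plugin_struct whose class_name passes the !$classname check.
PAYLOAD = ("' UNION SELECT 1,'../../readme.txt',"
           "'a:1:{s:10:\"class_name\";s:1:\"x\";}','',0 -- ")

if __name__ == "__main__":
    db = make_db()
    row = load_vulnerable(db, PAYLOAD, "admin")
    print("vulnerable load returned:", row)
    print("would require_once:", include_path(row))
    print("checked include:", include_path_checked(row))
    print("fixed load with payload:", load_fixed(db, PAYLOAD, "admin"))
    print("fixed load with 'demo':", load_fixed(db, "demo", "admin"))
```

Running it shows the string-built query returning the injected row, whose plugin_path resolves outside the plugin directory, while the hardened loader refuses the payload outright and the path check refuses the traversal even if a bad row somehow reaches it. The two checks are independent on purpose: fixing the query alone still leaves plugin_path in the database as a trust boundary.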