ECSHOP 2.7.1 漏洞及利用

在百度找一下ECSHOP 2.7.1漏洞确实很少，这里呈上和大家一起研究一下。
漏洞利用文件 http://target/includes/fckeditor/editor/filemanager/connectors/test.html

我们看下 includes/fckeditor/editor/filemanager/connectors/php/config.php
漏洞代码如下
复制代码$Config['AllowedExtensions']['File']    = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', 'gzip', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'ods', 'odt', 'pdf', 'png', 'ppt', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rtf', 'sdc', 'sitd', 'swf', 'sxc', 'sxw', 'tar', 'tgz', 'tif', 'tiff', 'txt', 'vsd', 'wav', 'wma', 'wmv', 'xls', 'xml', 'zip') ;
$Config['FileTypesPath']['File']        = $Config['UserFilesPath'] . 'File/' ;
$Config['FileTypesAbsolutePath']['File']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'File/' ;
$Config['QuickUploadPath']['File']      = $Config['UserFilesPath'] . 'File/' ;
$Config['QuickUploadAbsolutePath']['File']= $Config['UserFilesAbsolutePath'] . 'File/' ;
//$Config['AllowedExtensions']['Image']   = array('bmp','gif','jpeg','jpg','png') ;
$Config['AllowedExtensions']['Image']    = array('jpg','gif','jpeg','png') ;
$Config['DeniedExtensions']['Image']    = array() ;
$Config['FileTypesPath']['Image']       = $Config['UserFilesPath'] . 'Image/' ;
$Config['FileTypesAbsolutePath']['Image']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Image/' ;
$Config['QuickUploadPath']['Image']     = $Config['UserFilesPath'] . 'Image/' ;
$Config['QuickUploadAbsolutePath']['Image']= $Config['UserFilesAbsolutePath'] . 'Image/' ;
//$Config['AllowedExtensions']['Flash']   = array('swf','flv') ;
$Config['AllowedExtensions']['Flash']    = array('swf','fla') ;
$Config['DeniedExtensions']['Flash']    = array() ;
$Config['FileTypesPath']['Flash']       = $Config['UserFilesPath'] . 'Flash/' ;
$Config['FileTypesAbsolutePath']['Flash']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Flash/' ;
$Config['QuickUploadPath']['Flash']     = $Config['UserFilesPath'] . 'Flash/' ;
$Config['QuickUploadAbsolutePath']['Flash']= $Config['UserFilesAbsolutePath'] . 'Flash/' ;
//$Config['AllowedExtensions']['Media']   = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
$Config['AllowedExtensions']['Media']   = array() ;
$Config['DeniedExtensions']['Media']    = array() ;
$Config['FileTypesPath']['Media']       = $Config['UserFilesPath'] . 'Media/' ;
$Config['FileTypesAbsolutePath']['Media']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Media/' ;
$Config['QuickUploadPath']['Media']     = $Config['UserFilesPath'] . 'Media/' ;
$Config['QuickUploadAbsolutePath']['Media']= $Config['UserFilesAbsolutePath'] . 'Media/' ;

复制代码$Config['AllowedExtensions']['Media']   = array() ;
$Config['DeniedExtensions']['Media']    = array() ;

对Media 没有任何限制. 直接 Type=Media 上传 你的 webshell
访问路径为
http://target/images/upload/Media/xxx.php