The tainted value travels $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query; nothing along that path filters it, which is what makes the injection possible.

Because the variable is read straight from $_SERVER['QUERY_STRING'] rather than through the program's normal input handling, it sidesteps the application's filtering entirely.

The injected variable is also an array value, not an array key: the code escapes only the keys, so the value is never filtered either. Together these two facts produce a fairly uncommon form of SQL injection.

In the in_result function of /interface/3gwap_search.php:
<code>function in_result() {
    ... ... ... ... ... ... ... ... ...
    // Read the raw query string from $_SERVER['QUERY_STRING'] and parse it ourselves
    $urlcode = $_SERVER['QUERY_STRING'];
    parse_str(html_entity_decode($urlcode), $output);
    ... ... ... ... ... ... ... ... ...
    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                // Only the key is filtered; the value is left untouched
                $key = addslashes($key);
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                // $key must name an existing attribute (isclass=1) so that $countnum > 0
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {
                    // The unfiltered value is concatenated into the WHERE clause
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }
    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }
    $pagemax = 15;
    $pagesylte = 1;
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    // $db_where is spliced into the final statement
    $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
    $sql = $this->htmlpage->PageSQL('a.did', 'down');
    // Executed
    $rs = $this->db->query($sql);
    ... ... ... ... ... ... ... ... ...
}</code>
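To make the data flow concrete, here is an added example written for this page (it is not Espcms code). It reproduces the in_result() pattern on a constructed query string and then shows a hardened equivalent. Assumptions: the KNOWN_ATTRS list stands in for the model_att rows with isclass=1 that db_numrows() would look up; the table prefix is fixed to 'espcms_'; and $db_where is started as ' WHERE 1=1' in place of the initialisation that the listing above elides.

```php
<?php
// Added example for this page, not Espcms code. It reproduces the
// in_result() data flow on a constructed query string and then shows a
// hardened equivalent.
// Assumptions: KNOWN_ATTRS stands in for the model_att rows with isclass=1
// that db_numrows() looks up; the table prefix is fixed to 'espcms_'; and
// $db_where starts as ' WHERE 1=1' in place of the initialisation that the
// listing above elides.

const DB_PREFIX   = 'espcms_';
const KNOWN_ATTRS = ['title', 'author', 'color'];

function base_select(): string
{
    return 'SELECT b.*,a.* FROM ' . DB_PREFIX . 'document AS a LEFT JOIN '
        . DB_PREFIX . 'document_attr AS b ON a.did=b.did';
}

/**
 * Vulnerable: mirrors the original. The raw query string is parsed with
 * parse_str(), only the array key is escaped, and the array value is
 * concatenated straight into the WHERE clause. Returns the SQL text that
 * would be handed to query().
 */
function build_vulnerable_sql(string $queryString): string
{
    parse_str(html_entity_decode($queryString), $output); // raw QUERY_STRING, not $_GET
    $db_where = ' WHERE 1=1';                             // assumed initialisation
    if (isset($output['attr']) && is_array($output['attr'])) {
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                $key = addslashes($key);                  // key is escaped ...
                if (in_array($key, KNOWN_ATTRS, true)) {  // ... and must exist (db_numrows() > 0)
                    $db_where .= " AND b.$key='$value'";  // ... but the value goes in raw
                }
            }
        }
    }
    return base_select() . $db_where . ' LIMIT 0,15';
}

/**
 * Hardened: works from the already-processed $_GET array, accepts only keys
 * that exactly match a known attribute name (the canonical name from the
 * list is used, never the request bytes), and turns every value into a
 * bound parameter. Returns [sql, params] ready for PDOStatement::execute().
 */
function build_safe_sql(array $get): array
{
    $db_where = ' WHERE 1=1';
    $params   = [];
    $attrs    = $get['attr'] ?? [];
    if (is_array($attrs)) {
        foreach ($attrs as $key => $value) {
            if (!is_string($value) || $value === '') {
                continue;                                 // reject nested arrays and empties
            }
            $idx = array_search((string) $key, KNOWN_ATTRS, true);
            if ($idx === false) {
                continue;                                 // unknown attribute: drop it
            }
            $db_where .= ' AND b.`' . KNOWN_ATTRS[$idx] . '` = ?';
            $params[]  = $value;                          // data stays data
        }
    }
    return [base_select() . $db_where . ' LIMIT 0,15', $params];
}

// Constructed request: the single quote sits in the array *value*, so the
// key-only filtering never sees it.
$qs = 'attr[title]=x%27+OR+%271%27%3D%271&keyword=';

echo build_vulnerable_sql($qs), PHP_EOL;   // payload spliced into the WHERE clause

parse_str($qs, $get);                      // what $_GET holds for the same request
[$sql, $params] = build_safe_sql($get);
echo $sql, PHP_EOL;                        // only a ? placeholder in the statement
print_r($params);                          // the payload, carried as a parameter
```

Running the script prints the vulnerable statement with the payload closing the string literal and appending its own condition, and for the hardened path a statement containing only a `?` placeholder plus a separate parameter array. The hardened version reads from the already-processed $_GET array instead of $_SERVER['QUERY_STRING'], matches the key against the canonical attribute name instead of escaping the request bytes, and hands the value to the driver as a bound parameter. Note that the original also passes the string through html_entity_decode() before parsing it, so an entity-encoded payload is decoded before it reaches the query.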
Espcms
Awaiting an official patch
http://www.ecisp.cn