ESPCMS wap module search SQL injection vulnerability warning - the black bar safety net

2013-07-26T00:00:00
ID MYHACK58:62201339869
Type myhack58
Reporter 佚名
Modified 2013-07-26T00:00:00

Description

0×0 vulnerability overview

0×1 vulnerability details

0×2 PoC

0×0 vulnerability overview

Easy Think ESPCMS is an enterprise website management system built on LAMP. It is promoted as simple to operate, feature-rich, stable, scalable and secure, convenient for secondary development and maintenance, and as a fast way to build a professional business website.

Its handling of incoming parameters is not rigorous enough, and SQL injection is the result.

0×1 vulnerability details

The variable travels along the path $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query, and nothing in that chain filters it, which is what allows the injection.

Because the variable is read directly from $_SERVER['QUERY_STRING'], it bypasses the application's own input filtering.

In addition, the injected variable is an array value rather than an array key, so it is not filtered either; together these two facts produce a relatively rare form of SQL injection.

In the in_result function of the /interface/3gwap_search.php file:

function in_result() {

    ... ... ... ... ... ... ... ... ...

    // The raw query string is parsed directly, bypassing the application's input filtering.
    $urlcode = $_SERVER['QUERY_STRING'];
    parse_str(html_entity_decode($urlcode), $output);

    ... ... ... ... ... ... ... ... ...

    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                // Only the array key is escaped and checked against model_att.
                $key = addslashes($key);
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {
                    // The array value is concatenated into the WHERE clause unescaped.
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }

    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }

    $pagemax = 15;
    $pagesylte = 1;

    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }

    // $db_where, including the unescaped $value, ends up in the final query.
    $sql = "SELECT b.*, a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;

    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
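As an added example that is not part of this advisory or of ESPCMS, the following PHP rewrites the attr and keyword handling above so that attribute names are whitelisted and every user-supplied value reaches the database as a bound parameter instead of being concatenated into $db_where. It runs stand-alone against an in-memory SQLite database filled with constructed rows; db_prefix and the table names follow the page, while the column names, the PDO handle and the allowed keyname list are assumptions.

```php
<?php
// Added example, not ESPCMS code: a hardened rewrite of the attr/keyword handling
// from in_result(). Runs stand-alone against an in-memory SQLite database filled
// with constructed rows. db_prefix and the table names mirror the page; the column
// names, the $pdo handle and the allowed keyname list are assumptions.

define('db_prefix', 'espcms_');

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ' . db_prefix . 'model_att (attrname TEXT, isclass INTEGER)');
$pdo->exec('CREATE TABLE ' . db_prefix . 'document (did INTEGER, title TEXT)');
$pdo->exec('CREATE TABLE ' . db_prefix . 'document_attr (did INTEGER, color TEXT)');
$pdo->exec("INSERT INTO " . db_prefix . "model_att VALUES ('color', 1)");      // constructed row
$pdo->exec("INSERT INTO " . db_prefix . "document VALUES (1, 'Red widget')");  // constructed row
$pdo->exec("INSERT INTO " . db_prefix . "document_attr VALUES (1, 'red')");    // constructed row

/**
 * Build the WHERE fragment for the wap search.
 * Column names are whitelisted (character class + model_att lookup); every
 * user-supplied value becomes a bound parameter rather than SQL text.
 * Returns [$whereSql, $params].
 */
function build_search_where(PDO $pdo, array $attr, string $keyword, string $keyname): array
{
    $where  = ' WHERE 1=1';
    $params = [];

    $lookup = $pdo->prepare(
        'SELECT COUNT(*) FROM ' . db_prefix . 'model_att WHERE isclass=1 AND attrname = ?'
    );

    foreach ($attr as $key => $value) {
        // parse_str can produce nested arrays; only scalar, non-empty values are usable.
        if (is_array($value) || (string)$value === '') {
            continue;
        }
        // An identifier cannot be bound, so restrict it to a safe character class first.
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', (string)$key)) {
            continue;
        }
        // Then require it to be a declared attribute, looked up with a bound parameter.
        $lookup->execute([(string)$key]);
        if ((int)$lookup->fetchColumn() === 0) {
            continue;
        }
        $where   .= ' AND b.`' . $key . '` = ?';
        $params[] = (string)$value;   // the array value never touches the SQL string
    }

    if ($keyword !== '') {
        // $keyname was concatenated raw in the original; allow only known columns (assumed list).
        $allowedKeynames = ['title'];
        if (!in_array($keyname, $allowedKeynames, true)) {
            $keyname = 'title';
        }
        $where   .= ' AND a.`' . $keyname . '` LIKE ?';
        $params[] = '%' . $keyword . '%';
    }

    return [$where, $params];
}

/** Parse the query string the way in_result() does, then run the search safely. */
function run_search(PDO $pdo, string $queryString): array
{
    parse_str(html_entity_decode($queryString), $output);
    $attr    = (isset($output['attr']) && is_array($output['attr'])) ? $output['attr'] : [];
    $keyword = is_string($output['keyword'] ?? null) ? $output['keyword'] : '';
    $keyname = is_string($output['keyname'] ?? null) ? $output['keyname'] : '';

    [$where, $params] = build_search_where($pdo, $attr, $keyword, $keyname);

    $sql = 'SELECT b.*, a.* FROM ' . db_prefix . 'document AS a'
         . ' LEFT JOIN ' . db_prefix . 'document_attr AS b ON a.did = b.did'
         . $where . ' LIMIT 15';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request: attr[color] is an array *value*, the position the original
// left unescaped. Here it is bound, so a quote inside it is treated as plain data.
print_r(run_search($pdo, 'attr[color]=red&keyword=widget'));   // matches the sample row
print_r(run_search($pdo, "attr[color]=red'&keyword=widget"));  // no match, no SQL error
```

The important design choice is that the two kinds of input are handled differently: column names cannot be parameterised, so they are constrained to a character class and then confirmed against model_att, while values are always bound. Whether the value arrives as a plain parameter or as an array element from parse_str no longer matters, which removes the gap the advisory describes.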
